How to avoid credentials push to bitbucket via the developers?

Question

We have an application which uses JSON file to define the the connection strings and credentials of the databases and other APIs. Ideally those credentials are added as variable into the bitbucket repo and replaced during build time in Jenkins.

The developers replace them when working with them in their local.

We need to find a way so that they do not commit those credentials mistakenly to bitbucket. They must replace the connections with their respective variables before committing. Eg:

Connection_string:DATABASE_CONN_STRING,

Also those files cannot be added to .gitignore as there are multiple changes to key values in the file during development which is needed to commit to bitbucket. We are using Jenkins as our CI/CD tool.

Any help will be appriciated. Or if anyone could guide my what is the better process to do this.

Answer 1

As commented, any sensitive data needs to be in a vault (an external secret storage service). That way, they won't be added/committed by mistake.

Any configuration file using said sensitive data needs to be:

• generated automatically on checkout
• not versioned (meaning added to .gitignore, and deleted from the repo if they were versioned before)
• versioned as template file (file with placeholder values, which will be replaced by the secret values on checkout).

This process is done through a smudge content filter process:
You would register (in a .gitattributes declaration) a content filter driver.

^{(image from "Customizing Git - Git Attributes", from "Pro Git book")}

The smudge script, associated to the configuration file, would generate (automatically, on git checkout or git switch) the actual configuration file by replacing the placeholder values from the template by the ones from the vault.
The generated actual configuration file remains ignored (by the .gitignore).

See a complete example at "git smudge/clean filter between branches".