Commit-AI: Preventing Costly Git Security Mistakes

By Luan Phung

The Story

Two months ago, my friend made a mistake that many developers could easily make — he accidentally pushed AWS credentials to GitHub in a public repository. Within hours, his AWS account was compromised, leading to unauthorized usage and a significant bill. This incident made me realize we needed better safeguards against such common but costly mistakes.

Introducing commit-ai

To prevent such incidents, I created commit-ai, a simple CLI tool designed to be your last line of defense against accidental credential exposure. It acts as a pre-commit guardian, scanning your changes for sensitive information before they ever reach your repository.

How It Works

commit-ai leverages GPT-4 to perform three critical functions:

1. Security Scanning

Before each commit, the tool:

  • Analyzes your git diff for changes
  • Checks for sensitive data patterns including:
    • API keys
    • Access tokens
    • Database credentials
    • Private keys
    • Environment variables
  • Blocks commits if suspicious data is detected
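To make the scanning step concrete, here is an added example of a deterministic pre-filter for the staged diff. It is not commit-ai's own code (commit-ai sends the diff to GPT-4; this example uses fixed regular expressions instead, which is how a practitioner would catch the obvious cases before anything leaves the machine). Node is used because commit-ai is an npm tool. The rule names, the findings format, the `--staged` flag and the sample diff are all this example's own assumptions; the `AKIAIOSFODNN7EXAMPLE` value in the sample is Amazon's documented placeholder key, not a real credential.

```javascript
// Added example, not part of commit-ai: scan the *added* lines of a unified diff
// for well-known secret patterns and report file:line:rule without echoing the
// matched value (so the secret is not copied into terminal logs or CI output).

// Each rule pairs a label with a regex that is tested against added lines only.
// Rule names are this example's own choice.
const RULES = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "private-key-block", re: /-----BEGIN (?:RSA |EC |OPENSSH |DSA |PGP )?PRIVATE KEY-----/ },
  { name: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
  // Generic "name = 'value'" assignments for password/secret/key/token-like names.
  { name: "generic-assignment", re: /(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"][^'"]{8,}['"]/i },
];

// Parse a unified diff and return findings for added lines that match a rule.
// Removed lines ("-") are ignored: a secret being deleted should not block the commit.
// Assumes "+++ " and "--- " only occur as file headers (true for -U0 diffs of normal code).
function scanDiff(diffText) {
  const findings = [];
  let file = null;
  let newLine = 0; // line number in the new version of the file
  for (const raw of diffText.split("\n")) {
    if (raw.startsWith("+++ ")) { file = raw.slice(4).replace(/^b\//, ""); continue; }
    if (raw.startsWith("--- ")) continue;
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { newLine = Number(hunk[1]); continue; }
    if (raw.startsWith("+")) {
      const text = raw.slice(1);
      for (const rule of RULES) {
        if (rule.re.test(text)) findings.push({ file, line: newLine, rule: rule.name });
      }
      newLine += 1;
    } else if (raw.startsWith(" ")) {
      newLine += 1; // context line advances the new-file counter
    }
    // "-" lines and "\ No newline at end of file" markers do not advance it
  }
  return findings;
}

// Read the staged diff with zero context lines so only real changes are scanned.
function stagedDiff() {
  const { execFileSync } = require("node:child_process");
  return execFileSync("git", ["diff", "--cached", "-U0", "--no-color"], { encoding: "utf8" });
}

// Returns the exit code a pre-commit hook would use: 0 = allow, 1 = block.
function checkStaged() {
  const findings = scanDiff(stagedDiff());
  for (const f of findings) console.error(`blocked: ${f.file}:${f.line} matches ${f.rule}`);
  return findings.length === 0 ? 0 : 1;
}

// Constructed sample diff for demonstration (AKIAIOSFODNN7EXAMPLE is AWS's
// documentation placeholder; the password and key body are made up).
const SAMPLE_DIFF = [
  "diff --git a/config.js b/config.js",
  "--- a/config.js",
  "+++ b/config.js",
  "@@ -1,2 +1,3 @@",
  "-const old = \"AKIAIOSFODNN7EXAMPLE\";",
  "+const region = \"us-east-1\";",
  "+const accessKeyId = \"AKIAIOSFODNN7EXAMPLE\";",
  "+const dbPassword = \"hunter2hunter2\";",
  "diff --git a/deploy/key.pem b/deploy/key.pem",
  "--- /dev/null",
  "+++ b/deploy/key.pem",
  "@@ -0,0 +1,2 @@",
  "+-----BEGIN RSA PRIVATE KEY-----",
  "+MIIEpAIBAAKCAQEAnotARealKeyBody",
].join("\n");

// Hypothetical CLI entry point: `node prefilter.js --staged` from inside a repo.
if (typeof require === "function" && require.main === module && process.argv.includes("--staged")) {
  process.exit(checkStaged());
}
if (typeof module !== "undefined") module.exports = { RULES, scanDiff, stagedDiff, checkStaged, SAMPLE_DIFF };
```

Run it as `node prefilter.js --staged` from a `.git/hooks/pre-commit` script (or before calling commit-ai) and the commit is refused when any added line matches a rule. Against `SAMPLE_DIFF` it reports three findings (the new access key and the password in `config.js`, and the private-key header in `deploy/key.pem`) while ignoring the key that is being removed. The report deliberately omits the matched text, since printing a credential into a shell history or CI log is itself an exposure.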

2. Smart Commit Messages

The tool automatically:

  • Analyzes your changes
  • Generates conventional commit messages
  • Provides clear, meaningful descriptions
  • Maintains consistent formatting

3. Quick Code Reviews

As an added benefit, commit-ai can:

  • Identify potential code issues
  • Suggest improvements
  • Flag security concerns
  • Highlight best practices

Installation

Getting started with commit-ai is straightforward:

# Install via npm
npm install -g commit-ai

# Configure with your OpenAI API key
commit-ai config set OPENAI_API_KEY=your_api_key

Usage Example

Here's how commit-ai works in practice:

# Stage your changes
git add .

# Instead of git commit, use
commit-ai

# The tool will:
# 1. Scan for sensitive data
# 2. Generate a commit message
# 3. Provide a quick code review

Why Open Source?

I built commit-ai to make development safer for everyone. It's open source because I believe:

  • Security tools should be transparent
  • Community feedback improves detection
  • Collective experience makes tools better

Contributing

If you find commit-ai useful, here's how you can help:

  1. Try it out in your workflow
  2. Share feedback and suggestions
  3. Star the repository
  4. Report issues or edge cases
  5. Contribute to the source code

Visit the GitHub repository to get started: commit-ai on GitHub

What's Next

I'm actively working on several improvements:

  • Supporting more commit message formats
  • Expanding security check patterns
  • Enhancing code review capabilities
  • Adding team collaboration features
  • Improving performance for large diffs

Conclusion

One small mistake in version control can lead to significant consequences. commit-ai aims to prevent these issues before they happen, making development safer for everyone. I'd love to hear your thoughts and experiences - how could this tool better serve your security needs?

Remember: The best security incident is the one that never happens. Let's make accidental credential exposure a thing of the past.