* enhance git-add to avoid password being staged or committed?
From: ryenus @ 2017-02-15 14:36 UTC (permalink / raw)
  To: Git mailing list

This can be an optional feature, once enabled, git-add would check the
hunk(s) to stage for sensitive information, such as passwords, secret
tokens, then ask the user for confirmation.

The implementation for secret detection could be regexp pattern(s),
and/or (trusted?) commands

Alternative solutions might be hooks during commit, push or receive,
but it should be the best to do this in the first place during git-add.

The context of this is the following HN discussion about passwords on
GitHub: https://news.ycombinator.com/item?id=13650818


* Re: enhance git-add to avoid password being staged or committed?
From: Jeff King @ 2017-02-15 21:26 UTC (permalink / raw)
  To: ryenus; +Cc: Git mailing list

On Wed, Feb 15, 2017 at 10:36:32PM +0800, ryenus wrote:

> This can be an optional feature, once enabled, git-add would check the
> hunk(s) to stage for sensitive information, such as passwords, secret
> tokens, then ask the user for confirmation.
> 
> The implementation for secret detection could be regexp pattern(s),
> and/or (trusted?) commands
> 
> Alternative solutions might be hooks during commit, push or receive,
> but it should be the best to do this in the first place during git-add.

There are already hooks for commit and receive to catch things locally
and at publishing time, respectively. It's possible that an "add" hook
could be more useful, but I'd be a lot more convinced if people were
actively doing secret-detection in their commit hooks and had some
specific complaint that could be addressed by having an "add" hook.

-Peff
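
The commit-hook approach discussed in this thread, as an added example that is not part of either message and is not code from the Git project: a pre-commit hook that scans only the added lines of the staged diff. The pattern list `SECRET_RE` and the function name `scan_diff` are assumptions made for illustration, and the regexps are a small sample, not a complete ruleset.

```shell
#!/bin/sh
# Constructed example of a secret-scanning hook; install as .git/hooks/pre-commit.
# SECRET_RE is an illustrative assumption. It is matched against lowercased
# text, so it is written in lowercase.
SECRET_RE='(password|passwd|secret|api[_-]?key|token)[ \t]*[:=][ \t]*[^ \t]+|-----begin [a-z ]*private key-----'

# Read a unified diff on stdin. Print "file:line" (new-file line number) for
# every added line matching SECRET_RE, never the line itself, so the secret
# is not echoed into terminals or CI logs. Return 1 if anything matched.
scan_diff() {
    awk -v re="$SECRET_RE" '
        /^diff --git / { inhunk = 0; next }
        # "+++ b/path" is a file header only outside a hunk; inside a hunk
        # the same text is an added line and must be scanned.
        !inhunk && /^\+\+\+ / { file = substr($0, 5); sub(/^b\//, "", file); next }
        # "@@ -a,b +c,d @@": c is the first new-file line number of the hunk.
        /^@@ / { inhunk = 1; split($3, p, ","); n = substr(p[1], 2) + 0; next }
        !inhunk { next }
        /^\+/ {
            if (tolower(substr($0, 2)) ~ re) { print file ":" n; hits++ }
            n++; next
        }
        /^ / { n++ }    # context lines advance the counter, removals do not
        END { exit (hits > 0) }
    '
}

# Act only when installed under the hook name; otherwise just define scan_diff.
if [ "${0##*/}" = "pre-commit" ]; then
    if ! git diff --cached --no-color --no-ext-diff -U0 --diff-filter=ACMR | scan_diff >&2; then
        echo "Possible secret in staged changes; commit aborted." >&2
        echo "Use 'git commit --no-verify' to bypass after review." >&2
        exit 1
    fi
fi
```

Because the check runs on `git diff --cached`, it sees exactly the staged hunks, which is the same content an "add"-time check would inspect, only later in the workflow.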
