Day 1: DevSecOps - Gitleaks in a CI pipeline

CJ

What is Gitleaks?

Gitleaks is an open-source tool that developers can use to scan repositories for any sensitive information that can potentially be used to gain unauthorized information about This information can be secret passwords, API keys, tokens, or private keys, as well as files such as id_rsa, .pem, or htpasswd in your repository.

The aim is to integrate Gitleaks into our developer workflow. This tutorial shows how to integrate Gitleaks into a GitLab CI pipeline for security scanning.

Install Gitleaks

First, you can install it locally to get a taste of the tool before using it in the pipeline. I used the Docker image of Gitleaks, but you can also build it from source. Check the repository.

To install the Gitleaks Docker image and run it, do the following, replacing ${path_to_host_folder_to_scan}, [COMMAND] and [OPTIONS] with your own values:

docker pull zricethezav/gitleaks:latest
docker run -v ${path_to_host_folder_to_scan}:/path zricethezav/gitleaks:latest [COMMAND] --source="/path" [OPTIONS]

Next, we will integrate this tool into our CI pipeline. DevSecOps works best when security checks are automated, and we want to ensure that code is scanned as part of the secure software development lifecycle.

Gitleaks is available as a Docker image, so we can pull and use it directly in the GitLab CI config.

Gitleaks comes with two commands that you can use to detect secrets: detect and prevent. We will use the detect command in the CI environment to scan the repository.

gitleaks_scan:
    stage: scanning
    image: 
        name: zricethezav/gitleaks
        entrypoint: [""]
    script:
        - gitleaks detect --verbose --source . -f json -r gitleaks.json

    allow_failure: true
    artifacts:
        when: always
        paths:
            - gitleaks.json

Configure pre-commit hook

In Git, a pre-commit hook is fired when you are about to commit changes. You can use a pre-commit hook to automate the process of running security checks, reducing the risk of human error. Gitleaks can be configured as a pre-commit hook to scan code changes before they are committed, allowing you to catch sensitive information before it enters your repository.

First, go to your project repository and find the .git/hooks directory. Then create a new file named pre-commit in that directory.

Next, make the pre-commit file executable so that Git can run it. Run the following command:

chmod +x .git/hooks/pre-commit

Then, open the pre-commit file in a text editor and write your script. This script will run every time you commit changes.

docker pull zricethezav/gitleaks:latest
docker run -v ${path_to_host_folder_to_scan}:/path zricethezav/gitleaks:latest [COMMAND] --source="/path" [OPTIONS]
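
One way to turn the template above into a working hook, as an added example that is not part of the original article: it scans only the staged changes and blocks the commit when the scan reports findings or cannot run. It assumes Docker is installed and that the image ships Gitleaks v8 with the `protect --staged` subcommand; `scan_staged` and `pre_commit_check` are names chosen for this example.

```shell
#!/bin/sh
# Save as .git/hooks/pre-commit (added example, not from the original article).
# Assumption: the image provides gitleaks v8 with `protect --staged`.
GITLEAKS_IMAGE="${GITLEAKS_IMAGE:-zricethezav/gitleaks:latest}"

# Scan the staged changes of the repository at $1.
# Returns the gitleaks exit code (1 by default when a leak is found).
scan_staged() {
    docker run --rm -v "$1:/path" "$GITLEAKS_IMAGE" \
        protect --staged --source="/path" --redact --verbose
}

# Decide whether the commit may proceed: 0 = allow, 1 = block.
pre_commit_check() {
    repo_root=$(git rev-parse --show-toplevel) || return 1
    # Nothing staged means there is nothing to scan.
    if git diff --cached --quiet; then
        return 0
    fi
    # Fail closed: a missing scanner must not silently allow the commit.
    if ! command -v docker >/dev/null 2>&1; then
        echo "pre-commit: docker not found, cannot run gitleaks" >&2
        return 1
    fi
    if scan_staged "$repo_root"; then
        return 0
    fi
    echo "pre-commit: gitleaks reported findings or failed; commit blocked." >&2
    echo "pre-commit: remove the secret from the staged changes and retry." >&2
    return 1
}

# Run only when Git invokes this file as the hook, so the functions above
# can also be loaded and exercised on their own.
case "${0##*/}" in
    pre-commit) pre_commit_check || exit 1 ;;
esac
```

The `--redact` flag keeps the detected secret out of the terminal output, which matters when hook output ends up in shared logs or screenshots.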

I hope this helps! Let me know if you have any comments.
