No Secrets in Production: Enforce Code Hygiene with Gitleaks

Oshaba Samson
2 min read

What is Gitleaks?

Gitleaks is an open-source secrets detection tool that scans git repositories, commits, and branches for sensitive information such as:

  • API keys

  • Passwords

  • Private keys

  • Tokens

  • Other credentials (high-entropy strings that match a known secret format)
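To make concrete what a scanner like Gitleaks actually looks for, here is a small added example written for this article (not Gitleaks' own code, and the three rules and the sample file are constructed). It shows the two ingredients every such tool combines: a regex per secret format, and a Shannon-entropy threshold so that generic "key = ..." rules skip placeholders like repeated characters. Gitleaks' real rule file works the same way, with many more patterns, optional entropy thresholds and keyword pre-filters per rule.

```python
import math
import re
from dataclasses import dataclass

# Constructed rule set modelled on the shape of gitleaks rules (id + regex);
# these three patterns are illustrative, not gitleaks' own rule file.
RULES = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github-pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "generic-api-key": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})['\"]?"
    ),
}
# Minimum Shannon entropy (bits per character) a generic match must reach to count
GENERIC_ENTROPY_MIN = 3.0

# Constructed sample file; every value is fake (the AWS key is AWS's documented example id)
SAMPLE = """\
# constructed sample file, all values are fake
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
api_key = "aaaaaaaaaaaaaaaaaaaa"
token = 'q9F2xLp7Vw3mRt8ZkH4nB1cYs6Ue0Ja5'
"""


@dataclass
class Finding:
    rule_id: str
    line_no: int
    secret_redacted: str
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character; 0 for an empty or single-character-alphabet string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep a short prefix so a finding is recognisable without disclosing the value."""
    return secret[:4] + "*" * (len(secret) - 4) if len(secret) > 4 else "****"


def scan_text(text: str) -> list:
    """Run every rule over every line and return redacted findings in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_id, pattern in RULES.items():
            for m in pattern.finditer(line):
                secret = m.group(1)
                ent = shannon_entropy(secret)
                # Generic matches are noisy: low-entropy values such as "aaaa..." are placeholders, not secrets
                if rule_id == "generic-api-key" and ent < GENERIC_ENTROPY_MIN:
                    continue
                findings.append(Finding(rule_id, line_no, redact(secret), round(ent, 2)))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.rule_id} {f.secret_redacted} (entropy {f.entropy})")
```

Running it reports the AWS-format key on line 2 and the random token on line 4, while the twenty-character run of `a` on line 3 is dropped by the entropy gate. The same trade-off drives real-world tuning: a format-specific rule can fire on pattern alone, whereas generic rules need an entropy threshold or they bury reviewers in false positives.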

Prerequisites

  • git

  • Docker

Objective

  • Install Gitleaks

  • Configure Gitleaks

  • Scan folder for sensitive information

In this tutorial, you'll learn how to install and use Gitleaks on Ubuntu 20.04, first as a native binary and then through Docker, and finally how to wire it into Git. We're using Ubuntu 20.04 for demonstration, but the Docker approach works the same on other systems. Let's begin by installing Gitleaks on Ubuntu.

  • Download the Gitleaks release archive (v8.25.1, Linux x64)
 wget https://github.com/gitleaks/gitleaks/releases/download/v8.25.1/gitleaks_8.25.1_linux_x64.tar.gz
  • Extract the archive
 tar -xvf gitleaks_8.25.1_linux_x64.tar.gz
  • Move the gitleaks binary into a directory on your PATH
sudo mv gitleaks /usr/local/bin/
  • Clone the test repository
git clone https://github.com/setu1421/test-leaky-repo
cd test-leaky-repo

Note: This repository intentionally contains fake secrets, so it is a safe way to confirm that Gitleaks captures sensitive information.

  • Scan the current folder for sensitive information
gitleaks detect --source .
  • For details on each finding, add the --verbose flag
gitleaks detect --source . --verbose

Installing Gitleaks directly on your operating system creates a dependency on that specific environment. Instead, I'll show you a more portable and OS-independent method using Docker. This way, you can run Gitleaks consistently across different systems without worrying about installation issues. Let's start by using Docker.

  • Pull the image

docker pull zricethezav/gitleaks:latest
  • Set the path to the folder you want to scan (here the test repository cloned earlier; adjust it to your location) and run the scan

export path_to_host_folder_to_scan=/mnt/shared/test-leaky-repo
docker run --rm -v "${path_to_host_folder_to_scan}:/path" zricethezav/gitleaks:latest detect --source="/path" --verbose
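Both the native and the Docker scans above can also write a machine-readable report with `--report-format json --report-path report.json`, which is what you want once the scan runs in CI rather than on a developer's terminal. The following script is an added example for this article, not part of Gitleaks: it reads such a report, honours fingerprints that have been reviewed and recorded in a `.gitleaksignore` file (one fingerprint per line, the format Gitleaks itself reads), prints a summary that never reprints the secret value, and exits non-zero only when unreviewed findings remain. The embedded report and ignore file are constructed, with fake values, in the field layout Gitleaks v8 emits; treating `#` lines in the ignore file as comments is this script's own convention.

```python
import json
import sys
from collections import Counter
from pathlib import Path

# Constructed report in the shape gitleaks writes with
# `--report-format json --report-path report.json`; every value below is fake.
SAMPLE_REPORT = json.dumps([
    {
        "Description": "AWS Access Key",
        "StartLine": 3, "EndLine": 3, "StartColumn": 18, "EndColumn": 37,
        "Match": "AKIAIOSFODNN7EXAMPLE", "Secret": "AKIAIOSFODNN7EXAMPLE",
        "File": "config/aws.env",
        "Commit": "0123456789abcdef0123456789abcdef01234567",
        "Entropy": 3.68, "Author": "dev", "Email": "dev@example.com",
        "Date": "2024-01-01T00:00:00Z", "Message": "add config", "Tags": [],
        "RuleID": "aws-access-key-id",
        "Fingerprint": "0123456789abcdef0123456789abcdef01234567:config/aws.env:aws-access-key-id:3",
    },
    {
        "Description": "Generic API Key",
        "StartLine": 1, "EndLine": 1, "StartColumn": 9, "EndColumn": 40,
        "Match": "token = 'q9F2xLp7Vw3mRt8ZkH4nB1cYs6Ue0Ja5'",
        "Secret": "q9F2xLp7Vw3mRt8ZkH4nB1cYs6Ue0Ja5",
        "File": "tests/fixtures/fake_token.txt",
        "Commit": "0123456789abcdef0123456789abcdef01234567",
        "Entropy": 5.0, "Author": "dev", "Email": "dev@example.com",
        "Date": "2024-01-01T00:00:00Z", "Message": "add fixture", "Tags": [],
        "RuleID": "generic-api-key",
        "Fingerprint": "0123456789abcdef0123456789abcdef01234567:tests/fixtures/fake_token.txt:generic-api-key:1",
    },
])

# Constructed .gitleaksignore: gitleaks reads one fingerprint per line;
# blank lines and '#' comments are skipped by this script.
SAMPLE_IGNORE = """\
# reviewed: fixture value, not a real credential
0123456789abcdef0123456789abcdef01234567:tests/fixtures/fake_token.txt:generic-api-key:1
"""


def load_ignored_fingerprints(text: str) -> set:
    """Return the set of fingerprints a reviewer has explicitly accepted."""
    return {
        line.strip()
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def redact(secret: str) -> str:
    """Show only a short prefix so a finding is recognisable without reprinting the value."""
    return secret[:4] + "*" * (len(secret) - 4) if len(secret) > 4 else "****"


def triage(report_json: str, ignore_text: str = "") -> dict:
    """Split findings into blocking and ignored, keyed on the gitleaks Fingerprint."""
    ignored = load_ignored_fingerprints(ignore_text)
    blocking, skipped = [], []
    for finding in json.loads(report_json):
        (skipped if finding.get("Fingerprint") in ignored else blocking).append(finding)
    return {
        "blocking": blocking,
        "ignored": skipped,
        "by_rule": Counter(f["RuleID"] for f in blocking),
    }


def summary_lines(result: dict) -> list:
    """Human-readable lines that never contain the raw secret."""
    lines = []
    for f in result["blocking"]:
        lines.append(
            f"{f['File']}:{f['StartLine']} [{f['RuleID']}] {redact(f['Secret'])} "
            f"(entropy {f['Entropy']:.2f}, commit {f['Commit'][:8]})"
        )
    lines.append(f"{len(result['blocking'])} blocking, {len(result['ignored'])} ignored")
    return lines


def exit_code(result: dict) -> int:
    """Mirror gitleaks' own convention: non-zero while unreviewed findings remain."""
    return 1 if result["blocking"] else 0


if __name__ == "__main__":
    # usage: triage.py report.json [.gitleaksignore]; falls back to the constructed samples
    report = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_REPORT
    ignore = Path(sys.argv[2]).read_text() if len(sys.argv) > 2 else SAMPLE_IGNORE
    res = triage(report, ignore)
    print("\n".join(summary_lines(res)))
    sys.exit(exit_code(res))
```

Keying the allowlist on the fingerprint (commit, file, rule and line) rather than on the file name means a newly committed secret in an already-reviewed file still blocks, and redacting in the summary keeps the secret out of CI logs, which are themselves a common place for credentials to leak.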

One last thing: let's integrate Gitleaks with Git so that every time a developer commits changes, it automatically scans the codebase before the commit is finalized. To do that, we need to set up a Git pre-commit hook.

  • From inside the repository, change into the hooks folder
cd .git/hooks
  • Create the pre-commit file (as your normal user, not with sudo, so the hook stays owned by you)
vi pre-commit
  • Copy and paste the following code

#!/bin/sh
# Scan the repository this hook belongs to, not a hard-coded path (the image was pulled in the previous section)
repo_root=$(git rev-parse --show-toplevel)
docker run --rm -v "${repo_root}:/path" zricethezav/gitleaks:latest detect --source="/path" --verbose
# Gitleaks exits non-zero when it finds a leak; passing that on makes git abort the commit
exit $?
  • Save the changes, exit, and make the hook executable (git ignores hooks without the execute bit)
Press Esc and type :wq!, then run chmod +x pre-commit

This means that every time a developer runs the git commit command, Gitleaks automatically scans the files and directories for sensitive information, and a non-zero exit from Gitleaks aborts the commit. Thanks for reading. If you love what I do, follow me.


Written by

Oshaba Samson

I am a software developer with 5+ years of experience. I have worked on web apps including e-commerce, e-learning, HRM web applications and many others.