How to protect and discover secrets with Gitleaks?

calendar Jun 18, 2023 · 3 min read · gitleaks git secrets  ·
Share on: linkedin copy

Overview

Detecting and discovering secrets or (hardcoded) passwords in a code repository should be an ongoing process for everyone involved in code development. But this process should not take all the time so that we have more time to contribute to good code quality. Fortunately, nowadays there are various tools that help us to automatically check that no sensitive data is present. Secrets, such as API keys and passwords are a well-known example of this. Continue reading on how you can easily do this in your local dev environment with Gitleaks.

Installing

  1. Install gitleaks on your local system. I recommend using a package manager as the installation of packages will be easier and faster.
 1# Mac OS
 2brew install gitleaks
 3
 4# Windows
 5choco install gitleaks
 6
 7# Linux
 8curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux_x64' | wget -i -
 9tar xf gitleaks_<replace with version>_linux_x64.tar.gz
10mv gitleaks /usr/local/bin
11rm gitleaks_<replace with version>_linux_x64.tar.gz
  1. Open the Git repo you want to detect secrets from, e.g. cd <path-to-your-git-repository>
  2. Perform an initial check to see if there are any leaks in your Git repository with gitleaks detect .
  3. Check the details with gitleaks detect -v

Pre-Commit

Instead of manually execute gitleaks when you want to commit something to the Git repo we can automate this by using a pre-commit hook. As the name suggests this hook will execute whenever a git commit command is detected. Follow the steps below to activate this.

  1. Install pre-commit from https://pre-commit.com/#install
  2. Create a .pre-commit-config.yaml file at the root of your repository with the following content:
 1repos:
 2  - repo: https://github.com/pre-commit/pre-commit-hooks
 3    rev: v4.4.0
 4    hooks:
 5      - id: check-yaml
 6      - id: check-json
 7
 8  - repo: https://github.com/gitleaks/gitleaks
 9    rev: v8.17.0
10    hooks:
11      - id: gitleaks
  1. Update the version of gitleaks in the file by executing pre-commit autoupdate
  2. Install the pre-commit hook with pre-commit install

That's it! Every time you commit changes to your repository the pre-commit hook will scan the code with gitleaks and also validate yaml and json files. Read the next section on how to do that.

Usage

For testing purposes I will create a config.py file in the root of my Git repository. Now that gitleaks is active in my local dev environment, I expect that the pre-commit hook will detect hardcoded secrets.

1id = '12345'
2
3base64_secret = 'lc3Z2Ugc2d1ZXN15IHBhc3N3bsIGZ2Ugc2d1ZXNz3Jk'
4hex_secret = '313ed420e51118b376cd5133b8b'
5basic_auth = 'http://username:[email protected]'
6
7aws_access_key = 'EXAMPLEPASSWORDAWS'
8aws_secret_access_key = 'MI/K7MDENG/bPxRfiCYEXAMPLEKEYwJalrXUtnFE'

gitleaks_config_py

git add . # Stage all the changed files git commit -m "created config file" # Commit the staged files

When I try to commit the changes the pre-commit hook with gitleaks will prevent the commit because some leaks were found.

gitleaks_redacted

Note: Gitleaks ships with some default rules, but you can customize these rules to have more fine tuned rules in your project. To temporarily disable the gitleaks pre-commit hook you can prepend SKIP=gitleaks: e.g. SKIP=gitleaks git commit -m "skip gitleaks check" to the commit command and it will skip running gitleaks.