Gitleaks – How to Audit git repository for secrets


February 13, 2019

Do you store unencrypted passwords, secrets or other sensitive data in your git source code repositories? Gitleaks gives you a way to scan your git repositories for data that should have stayed private. The scans can be automated to fit into a CI/CD workflow, so secrets are identified before they make it deeper into the codebase.

Gitleaks Features

Some of the cool features of Gitleaks include:

  • Support for private repository scans as well as repositories that require key-based authentication
  • Support for Gitlab bulk organization and repository owner (user) repository scans, and pull request scanning for use in common CI workflows.
  • You can output the scan results in JSON and CSV formats for consumption in other reporting tools and frameworks.
  • Externalised configuration for environment-specific customisation, including regex rules
  • Customisable repository name, file type, commit ID, branch name and regex whitelisting to reduce false positives
  • High performance through the use of src-d’s go-git framework

How to Install Gitleaks

Gitleaks is written in Go and the binary file is available for many popular platforms and OS types from the releases page.


Step 1: Download Gitleaks

Check the latest release and save it to a variable like below.

export VER="1.24.0"

Then download the binary file to your OS.

For Linux Users

wget https://github.com/zricethezav/gitleaks/releases/download/v$VER/gitleaks-linux-amd64

For macOS user:

wget https://github.com/zricethezav/gitleaks/releases/download/v$VER/gitleaks-darwin-amd64

If you’re a Windows user, download and install the gitleaks-windows-amd64.exe package.

Step 2: Install Gitleaks

Once the file is downloaded, give it the executable bit and put it inside the /usr/local/bin directory.

mv gitleaks-linux-amd64 gitleaks
chmod +x gitleaks
sudo mv gitleaks /usr/local/bin/

For macOS:

chmod +x gitleaks-darwin-amd64
mv gitleaks-darwin-amd64 /usr/local/bin/gitleaks

Confirm that you can call the gitleaks command.

$ gitleaks --version
1.24.0

How to Use Gitleaks to Audit Git repositories

Gitleaks has lots of tunables that you don’t actually need for basic usage. The default mode should work against a single repo without any tweaks.

$ gitleaks --repo=https://github.com/jmutai/dotfiles
INFO[2019-02-13T15:55:43+03:00] cloning https://github.com/jmutai/dotfiles
Enumerating objects: 42, done.
Counting objects: 100% (42/42), done.
Compressing objects: 100% (34/34), done.
Total 2255 (delta 10), reused 26 (delta 8), pack-reused 2213
INFO[2019-02-13T15:55:57+03:00] 0 leaks detected. 159 commits inspected in 13 seconds 389 milliseconds

To view each finding as gitleaks processes the repository, use the -v or --verbose flag, which turns on verbose mode.

$ gitleaks --repo=https://github.com/gitleakstest/gronit -v
INFO[2019-02-13T16:06:08+03:00] cloning https://github.com/gitleakstest/gronit
Enumerating objects: 135, done.
Total 135 (delta 0), reused 0 (delta 0), pack-reused 135
{
    "line": "const AWS_KEY = \"AKIALALEMEL33243OLIAE\"",
    "commit": "eaeffdc65b4c73ccb67e75d96bd8743be2c85973",
    "offender": "AKIALALEMEL33243OLIA",
    "reason": "AWS",
    "commitMsg": "remove fake key",
    "author": "Zachary Rice [email protected]",
    "file": "main.go",
    "repo": "gronit",
    "date": "2018-02-04T19:43:28-06:00"
}
{
    "line": "const AWS_KEY = \"AKIALALEMEL33243OLIAE\"",
    "commit": "cb5599aeed261b2c038aa4729e2d53ca050a4988",
    "offender": "AKIALALEMEL33243OLIA",
    "reason": "AWS",
    "commitMsg": "fake key",
    "author": "Zachary Rice [email protected]",
    "file": "main.go",
    "repo": "gronit",
    "date": "2018-02-04T19:10:58-06:00"
}
WARN[2019-02-13T16:06:11+03:00] 2 leaks detected. 33 commits inspected in 2 seconds 598 milliseconds

To enable threading, use the --threads option.

CPU=$(grep -ic '^processor' /proc/cpuinfo)   # number of logical CPUs on Linux
gitleaks --repo=https://github.com/jmutai/dotfiles --threads=$CPU

This option specifies the max number of threads spawned.

Running Gitleaks in Redact mode

The --redact option reports the lines that contain secrets without logging the secret content itself, so the matched values never end up in your console or CI logs.

$ gitleaks --repo=https://github.com/gitleakstest/gronit --redact
INFO[2019-02-13T16:10:16+03:00] cloning https://github.com/gitleakstest/gronit
Enumerating objects: 135, done.
Total 135 (delta 0), reused 0 (delta 0), pack-reused 135
WARN[2019-02-13T16:10:20+03:00] 2 leaks detected. 33 commits inspected in 3 seconds 786 milliseconds

Saving Gitleaks audit results to file

You can also save the audit results to a file, which is handy when scanning several repositories and keeping one report per repo. For this, use the --report option.

$ gitleaks --repo=https://github.com/jmutai/dotfiles --report=gitleaks_results.csv
INFO[2019-02-13T16:13:57+03:00] cloning https://github.com/jmutai/dotfiles
Enumerating objects: 42, done.
Counting objects: 100% (42/42), done.
Compressing objects: 100% (34/34), done.
Total 2255 (delta 10), reused 26 (delta 8), pack-reused 2213
INFO[2019-02-13T16:14:15+03:00] 0 leaks detected. 159 commits inspected in 17 seconds 685 milliseconds

The report filename must end in .csv or .json; the extension selects the output format.
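The introduction mentions running Gitleaks from a CI/CD pipeline, and the --report and --redact options above are the pieces that make that practical. The following Python wrapper is an added example, not code from the original post or from the Gitleaks project: it runs gitleaks 1.x with the flags used in this article, parses the JSON report, prints a summary in which the offending value is masked, and exits non-zero when any leak is reported so the pipeline stage fails. The report field names (line, commit, offender, reason, commitMsg, author, file, repo, date) are taken from the verbose output shown above; the sample report embedded in the script is constructed from those two findings, and the assumption that a clean scan may write an empty array or null is labelled in the code.

```python
#!/usr/bin/env python3
"""CI gate around gitleaks 1.x (example wrapper, not part of the Gitleaks project).

Runs a scan with --report and --redact, parses the JSON report and fails the
job when any leak is found, printing a summary that masks the offending value.
"""
import json
import subprocess
import sys
from collections import Counter

# Constructed sample report modelled on the two findings shown in the article
# (not real gitleaks output; the author e-mail address is omitted).
SAMPLE_REPORT = json.dumps([
    {"line": "const AWS_KEY = \"AKIALALEMEL33243OLIAE\"",
     "commit": "eaeffdc65b4c73ccb67e75d96bd8743be2c85973",
     "offender": "AKIALALEMEL33243OLIA", "reason": "AWS",
     "commitMsg": "remove fake key", "author": "Zachary Rice",
     "file": "main.go", "repo": "gronit", "date": "2018-02-04T19:43:28-06:00"},
    {"line": "const AWS_KEY = \"AKIALALEMEL33243OLIAE\"",
     "commit": "cb5599aeed261b2c038aa4729e2d53ca050a4988",
     "offender": "AKIALALEMEL33243OLIA", "reason": "AWS",
     "commitMsg": "fake key", "author": "Zachary Rice",
     "file": "main.go", "repo": "gronit", "date": "2018-02-04T19:10:58-06:00"},
])


def mask_secret(secret, keep=4):
    """Keep a short prefix (enough to recognise the key type) and star the rest."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def parse_report(text):
    """Parse a gitleaks JSON report into a list of findings.
    Assumption: a clean scan may yield an empty array or null; both mean no leaks."""
    data = json.loads(text) if text.strip() else None
    return list(data) if data else []


def summarize(leaks):
    """Aggregate findings by rule ('reason') and by file, masking each offender."""
    findings = [
        {
            "commit": leak["commit"][:12],   # short hash is enough to locate it
            "file": leak["file"],
            "reason": leak["reason"],
            "offender": mask_secret(leak["offender"]),
            "date": leak["date"],
        }
        for leak in leaks
    ]
    return {
        "total": len(leaks),
        "by_reason": dict(Counter(f["reason"] for f in findings)),
        "by_file": dict(Counter(f["file"] for f in findings)),
        "findings": findings,
    }


def run_gitleaks(repo, report_path, threads=None):
    """Invoke gitleaks 1.x with the flags used in the article; returns its exit status."""
    cmd = ["gitleaks", "--repo=" + repo, "--report=" + report_path, "--redact"]
    if threads:
        cmd.append("--threads=%d" % threads)
    return subprocess.call(cmd)


def gate(report_text):
    """Return (exit_code, summary): 1 if the report lists any leak, else 0."""
    summary = summarize(parse_report(report_text))
    return (1 if summary["total"] else 0), summary


def main(argv):
    if len(argv) < 2:
        print("usage: gitleaks_gate.py <repo-url-or-path> [report.json]")
        return 2
    repo = argv[1]
    report_path = argv[2] if len(argv) > 2 else "gitleaks_report.json"
    try:
        run_gitleaks(repo, report_path)
    except OSError as exc:   # e.g. gitleaks binary not on PATH
        print("could not run gitleaks: %s" % exc)
        return 2
    with open(report_path) as fh:
        code, summary = gate(fh.read())
    for f in summary["findings"]:
        print("%s %s %s %s %s" % (f["date"], f["commit"], f["reason"], f["file"], f["offender"]))
    print("%d leak(s) found; by rule: %s" % (summary["total"], summary["by_reason"]))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 gitleaks_gate.py https://github.com/gitleakstest/gronit report.json` in the pipeline step that should fail on findings. The pass/fail decision is based on the report contents rather than on the gitleaks exit status, so the gate behaves the same regardless of how a given gitleaks release signals leaks, and the printed summary only ever shows the first four characters of an offender.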

Check the project's documentation on GitHub for more advanced configurations and examples.
