Do you store unencrypted passwords, secrets or other sensitive data in your git source code repositories? Gitleaks gives you a way to scan your git repositories for this kind of data, which should never be committed. The scans can be automated to fit into a CI/CD workflow so that secrets are identified before they make it deeper into the codebase.
Gitleaks Features
Some of the cool features of Gitleaks include:
- Support for private repository scans as well as repositories that require key-based authentication
- Support for GitLab bulk organization and repository owner (user) repository scans, and pull request scanning for use in common CI workflows
- You can output the scan results in JSON and CSV formats for consumption in other reporting tools and frameworks
- Externalised configuration for environment-specific customisation, including regex rules
- Customisable repository name, file type, commit ID, branch name and regex whitelisting to reduce false positives
- High performance through the use of src-d’s go-git framework
How to Install Gitleaks on Linux
Gitleaks is written in Go and the binary file is available for many popular platforms and OS types from the releases page.
Download Gitleaks on Linux | macOS
Check the latest release and download the binary for your platform with the command below.
For Linux Users
curl -s https://api.github.com/repos/zricethezav/gitleaks/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux-amd64$' | wget -i -
For macOS user:
curl -s https://api.github.com/repos/zricethezav/gitleaks/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'darwin-amd64$' | wget -i -
If you’re a Windows user, download and install gitleaks-windows-amd64.exe
Install Gitleaks on Linux | macOS
Once the file is downloaded, give it the executable bit and put it inside /usr/local/bin.
mv gitleaks-linux-amd64 gitleaks
chmod +x gitleaks
sudo mv gitleaks /usr/local/bin/
For macOS:
mv gitleaks-darwin-amd64 /usr/local/bin/gitleaks
sudo chmod +x /usr/local/bin/gitleaks
Confirm that you can call the gitleaks command.
$ gitleaks --version
v8.17.0
How to Use Gitleaks to Audit Git repositories
Gitleaks has lots of tunables that you don’t actually need for basic usage. The default mode should work against a single repo without any tweaks.
$ gitleaks --repo-url=https://github.com/jmutai/dotfiles
INFO[2019-02-13T15:55:43+03:00] cloning https://github.com/jmutai/dotfiles
Enumerating objects: 42, done.
Counting objects: 100% (42/42), done.
Compressing objects: 100% (34/34), done.
Total 2255 (delta 10), reused 26 (delta 8), pack-reused 2213
INFO[2019-02-13T15:55:57+03:00] 0 leaks detected. 159 commits inspected in 13 seconds 389 milliseconds
To view the findings as gitleaks processes the repository, use the -v or --verbose flag, which turns on verbose mode.
$ gitleaks --repo-url=https://github.com/gitleakstest/gronit -v
INFO[0000] cloning... https://github.com/gitleakstest/gronit
Enumerating objects: 135, done.
Total 135 (delta 0), reused 0 (delta 0), pack-reused 135
{
"line": "const AWS_KEY = \"AKIALALEMEL33243OLIAE\"",
"lineNumber": 15,
"offender": "AKIALALEMEL33243OLIA",
"offenderEntropy": -1,
"commit": "cb5599aeed261b2c038aa4729e2d53ca050a4988",
"repo": "gronit",
"repoURL": "https://github.com/gitleakstest/gronit",
"leakURL": "https://github.com/gitleakstest/gronit/blob/cb5599aeed261b2c038aa4729e2d53ca050a4988/main.go#L15",
"rule": "AWS Access Key",
"commitMessage": "fake key",
"author": "Zachary Rice",
"email": "[email protected]",
"file": "main.go",
"date": "2018-02-04T19:10:58-06:00",
"tags": "key, AWS"
}
INFO[0000] scan time: 48 milliseconds 122 microseconds
INFO[0000] commits scanned: 33
WARN[0000] leaks found: 1
To enable threading, use the --threads option.
CPU=$(grep -ic '^processor' /proc/cpuinfo)
gitleaks --repo-url=https://github.com/jmutai/dotfiles --threads=$CPU
This option specifies the max number of threads spawned.
Running Gitleaks in Redact mode
The --redact option reports the lines containing secrets without logging the secret values themselves.
$ gitleaks --repo-url=https://github.com/gitleakstest/gronit --redact
INFO[0000] cloning... https://github.com/gitleakstest/gronit
INFO[0000] scan time: 47 milliseconds 664 microseconds
INFO[0000] commits scanned: 33
WARN[0000] leaks found: 1
Saving Gitleaks audit results to file
You can also run an audit on a number of repositories and save the report for each repo to a file. For this, use the --report option.
$ gitleaks --repo-url=https://github.com/jmutai/dotfiles --report=gitleaks_results.csv
INFO[0000] cloning... https://github.com/jmutai/dotfiles
INFO[0003] scan time: 2 seconds 774 milliseconds 597 microseconds
INFO[0003] commits scanned: 183
INFO[0003] No leaks found
The report must end in .csv or .json.
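Once a JSON report is on disk, a CI job needs to turn it into a pass/fail decision. The following Python post-processor is an added example, not part of Gitleaks or of this article: it parses a report in the field layout shown in the verbose output above (the embedded sample finding is constructed from that output), masks each offender the way --redact is meant to, summarises findings per rule and file, and fails only on findings outside an allowlist of reviewed commits (the allowlist is a hypothetical convention of this script, not a Gitleaks feature).

```python
import json
import sys
from collections import Counter

# Constructed sample report: one finding, same fields as the verbose output above.
SAMPLE_REPORT = json.dumps([{
    "line": "const AWS_KEY = \"AKIALALEMEL33243OLIAE\"",
    "lineNumber": 15,
    "offender": "AKIALALEMEL33243OLIA",
    "commit": "cb5599aeed261b2c038aa4729e2d53ca050a4988",
    "repo": "gronit",
    "rule": "AWS Access Key",
    "file": "main.go",
    "author": "Zachary Rice",
    "date": "2018-02-04T19:10:58-06:00",
}])


def load_report(text):
    """Parse a Gitleaks JSON report; an empty file means no leaks were found."""
    text = text.strip()
    return json.loads(text) if text else []


def redact(finding):
    """Mask the offender inside the matched line, keeping a 4-char prefix so the
    finding can still be triaged without the secret landing in CI logs."""
    secret = finding["offender"]
    masked = secret[:4] + "*" * (len(secret) - 4)
    return finding["line"].replace(secret, masked)


def summarize(findings):
    """Count findings per rule and per file for a short CI log line."""
    by_rule = Counter(f["rule"] for f in findings)
    by_file = Counter(f["file"] for f in findings)
    return dict(by_rule), dict(by_file)


def gate(findings, allowed_commits=()):
    """Return the findings that must fail the pipeline: everything except
    findings in commits that were reviewed and explicitly allowlisted (hypothetical)."""
    return [f for f in findings if f["commit"] not in allowed_commits]


if __name__ == "__main__":
    # Usage: python gitleaks_gate.py gitleaks_results.json (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    blocking = gate(load_report(text))
    for f in blocking:
        print(f"{f['file']}:{f['lineNumber']} [{f['rule']}] {redact(f)}")
    print("per rule / per file:", summarize(blocking))
    sys.exit(1 if blocking else 0)
```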
Scan local directory:
If you want to scan the current contents of a repository, ignoring git history altogether, use the --no-git option.
gitleaks --path=path/to/local/repo -v --no-git
Check the project documentation on GitHub for more advanced configurations and examples.