Do you store unencrypted passwords, secrets or other sensitive data in your git source code repositories? Gitleaks gives you a way to scan your git repositories for this unwanted data, which should have stayed private. The scans can be automated to fit into a CI/CD workflow so secrets are identified before they make it deeper into the codebase.

Gitleaks Features

Some of the cool features of Gitleaks include:

  • Support for private repository scans as well as repositories that require key-based authentication
  • Support for Gitlab bulk organization and repository owner (user) repository scans, and pull request scanning for use in common CI workflows.
  • You can output the scan results in JSON and CSV formats for consumption in other reporting tools and frameworks.
  • Externalised configuration for environment specific customisation including regex rules
  • Customisable repository name, file type, commit ID, branch name and regex whitelisting to reduce false positives
  • High performance through the use of src-d’s go-git framework

How to Install Gitleaks on Linux

Gitleaks is written in Go and the binary file is available for many popular platforms and OS types from the releases page.

Step 1: Download Gitleaks on Linux | macOS

Check the latest release and save it to a variable like below.

For Linux Users

curl -s https://api.github.com/repos/zricethezav/gitleaks/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'linux-amd64$' | wget -i -

For macOS user:

curl -s https://api.github.com/repos/zricethezav/gitleaks/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep 'darwin-amd64$' | wget -i -

If you’re a Windows user, download and install the gitleaks-windows-amd64.exe package.

Step 2: Install Gitleaks on Linux | macOS

Once the file is downloaded, give it the executable bit and put it inside the /usr/local/bin directory.

mv gitleaks-linux-amd64 gitleaks
chmod +x gitleaks
sudo mv gitleaks /usr/local/bin/

For macOS:

mv gitleaks-darwin-amd64 /usr/local/bin/gitleaks
sudo chmod +x /usr/local/bin/gitleaks

Confirm that you can call the gitleaks command.

$ gitleaks --version
v7.5.0

How to Use Gitleaks to Audit Git repositories

Gitleaks has lots of tunables that you don’t actually need for basic usage. The default mode should work against a single repo without any tweaks.

$ gitleaks --repo-url=https://github.com/jmutai/dotfiles
 INFO[2019-02-13T15:55:43+03:00] cloning https://github.com/jmutai/dotfiles
 Enumerating objects: 42, done.
 Counting objects: 100% (42/42), done.
 Compressing objects: 100% (34/34), done.
 Total 2255 (delta 10), reused 26 (delta 8), pack-reused 2213
 INFO[2019-02-13T15:55:57+03:00] 0 leaks detected. 159 commits inspected in 13 seconds 389 milliseconds

To view the findings as gitleaks processes the repository, use the -v or --verbose flag, which turns on verbose mode.

$ gitleaks --repo-url=https://github.com/gitleakstest/gronit -v
INFO[0000] cloning... https://github.com/gitleakstest/gronit
Enumerating objects: 135, done.
Total 135 (delta 0), reused 0 (delta 0), pack-reused 135
{
	"line": "const AWS_KEY = \"AKIALALEMEL33243OLIAE\"",
	"lineNumber": 15,
	"offender": "AKIALALEMEL33243OLIA",
	"offenderEntropy": -1,
	"commit": "cb5599aeed261b2c038aa4729e2d53ca050a4988",
	"repo": "gronit",
	"repoURL": "https://github.com/gitleakstest/gronit",
	"leakURL": "https://github.com/gitleakstest/gronit/blob/cb5599aeed261b2c038aa4729e2d53ca050a4988/main.go#L15",
	"rule": "AWS Access Key",
	"commitMessage": "fake key",
	"author": "Zachary Rice",
	"email": "[email protected]",
	"file": "main.go",
	"date": "2018-02-04T19:10:58-06:00",
	"tags": "key, AWS"
}
INFO[0000] scan time: 48 milliseconds 122 microseconds
INFO[0000] commits scanned: 33
WARN[0000] leaks found: 1

To enable threading, use the --threads option.

CPU=$(grep -ic '^processor' /proc/cpuinfo)
gitleaks --repo-url=https://github.com/jmutai/dotfiles --threads=$CPU

This option sets the maximum number of threads gitleaks spawns.

Running Gitleaks in Redact mode

The --redact option reports the lines containing secrets without logging the secret values themselves, so the findings can be shared without spreading the leaked credentials further.

$ gitleaks --repo-url=https://github.com/gitleakstest/gronit --redact
INFO[0000] cloning... https://github.com/gitleakstest/gronit
INFO[0000] scan time: 47 milliseconds 664 microseconds
INFO[0000] commits scanned: 33
WARN[0000] leaks found: 1

Saving Gitleaks audit results to file

You can also audit several repositories in turn and save each repo's report to a file. For this, use the --report option.

$ gitleaks --repo-url=https://github.com/jmutai/dotfiles --report=gitleaks_results.csv
INFO[0000] cloning... https://github.com/jmutai/dotfiles
INFO[0003] scan time: 2 seconds 774 milliseconds 597 microseconds
INFO[0003] commits scanned: 183
INFO[0003] No leaks found

The report file name must end in .csv or .json; the extension selects the output format.
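A JSON report is what a CI job would consume to fail the build on findings. The script below is an added example, not part of the Gitleaks project: it assumes the report is a JSON array of leak objects with the fields shown in the verbose output above (rule, file, offender, commit, lineNumber), groups findings by rule and file, masks the offender before anything is printed, and returns the exit status a pipeline step should use.

```python
"""CI gate for a Gitleaks v7 JSON report (added example, not Gitleaks code)."""
import json
import sys
from collections import Counter

# Constructed sample report with two findings, shaped like the v7 JSON output.
SAMPLE_REPORT = json.dumps([
    {"line": 'const AWS_KEY = "AKIAEXAMPLEEXAMPLE01"', "lineNumber": 15,
     "offender": "AKIAEXAMPLEEXAMPLE01",
     "commit": "0123456789abcdef0123456789abcdef01234567",
     "rule": "AWS Access Key", "file": "main.go", "repo": "demo"},
    {"line": 'db_password = "s3cret-constructed"', "lineNumber": 3,
     "offender": "s3cret-constructed",
     "commit": "fedcba9876543210fedcba9876543210fedcba98",
     "rule": "Generic Credential", "file": "config/settings.py", "repo": "demo"},
])


def redact(secret, keep=4):
    """Keep a short prefix for triage; mask the rest so CI logs never carry the secret."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def load_report(text):
    """Parse the report; an empty or null body means the scan found nothing."""
    data = json.loads(text) if text.strip() else None
    return data or []


def summarize(leaks):
    """Group findings by rule and by file and build redacted one-line descriptions."""
    by_rule = Counter(leak["rule"] for leak in leaks)
    by_file = Counter(leak["file"] for leak in leaks)
    lines = [f'{l["file"]}:{l["lineNumber"]} [{l["rule"]}] '
             f'{redact(l["offender"])} (commit {l["commit"][:8]})' for l in leaks]
    return {"total": len(leaks), "by_rule": by_rule, "by_file": by_file, "lines": lines}


def gate(report_text):
    """Print the redacted summary and return 0 when clean, 1 when any leak exists."""
    summary = summarize(load_report(report_text))
    for line in summary["lines"]:
        print(line)
    print(f'leaks found: {summary["total"]}')
    return 1 if summary["total"] else 0


if __name__ == "__main__":
    # Usage: python gate.py gitleaks_results.json (falls back to the sample report)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text))
```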

Scan local directory:

If you want to scan the current contents of a directory while ignoring git history altogether, use the --no-git option together with --path.

gitleaks --path=path/to/local/repo -v --no-git

Check the project's documentation on GitHub for more advanced configurations and examples.
