Adding Gitleaks to Gitlab CI Pipeline

Gitleaks has become quite popular. Its features gives a tough competition to its predecessor trufflehog. Some of its uber cool features are:

  • Comparatively fast when scanning large repos (as it is a compiled Golang binary)
  • It can run on all platforms that Golang supports.
  • User can add custom regex to detect more secrets
  • Allows whitelisting of detected secrets / false positives
  • Allows audit of GitLab and GitHub repos, groups and orgs.

There are an article on how to add Gitleaks to Gitlab pipeline by Cyber Defence Lab. But the CI pipeline is not quite optimised. In this experiment, I will show you how to implement gitleaks to GitLab CI pipeline.

Setting up gitleaks on Gitlab CI

Gitleaks is available as docker image. We can directly download use them on our Gitlab CI config. Gitleaks scans for all commits. It can be optimised to scan the new commits that were recently pushed to a particular branch.

  - secrets-detection

  stage: secrets-detection
    name: "zricethezav/gitleaks"
    entrypoint: [""]
  script: gitleaks -v --pretty --repo-path . --commit-from=$CI_COMMIT_SHA --commit-to=$CI_COMMIT_BEFORE_SHA --branch=$CI_COMMIT_BRANCH
Feel free to share this article:

Leave a Reply

Your email address will not be published. Required fields are marked *