Adding Gitleaks to Gitlab CI Pipeline

Gitleaks has become quite popular. Its feature set gives tough competition to its predecessor, trufflehog. Some of its uber cool features are:

  • Comparatively fast when scanning large repos (as it is a compiled Golang binary).
  • It can run on all platforms that Golang supports.
  • Users can add custom regexes to detect more kinds of secrets.
  • Allows whitelisting of detected secrets / false positives.
  • Allows auditing of GitLab and GitHub repos, groups and orgs.

There is an article by Cyber Defence Lab on how to add Gitleaks to a GitLab pipeline, but its CI pipeline is not quite optimised. In this experiment, I will show you how to implement Gitleaks in a GitLab CI pipeline.

Gitleaks is available as a Docker image, which we can use directly in our GitLab CI config. By default Gitleaks scans all commits; it can be optimised to scan only the new commits that were just pushed to a particular branch.

```yaml
stages:
  - secrets-detection

gitleaks:
  stage: secrets-detection
  image:
    name: "zricethezav/gitleaks"
    entrypoint: [""]
  script: gitleaks -v --pretty --repo-path . --commit-from=$CI_COMMIT_SHA --commit-to=$CI_COMMIT_BEFORE_SHA --branch=$CI_COMMIT_BRANCH
```
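One edge case the inline `script:` above does not handle: GitLab sets `CI_COMMIT_BEFORE_SHA` to forty zeros for the first push to a new branch (and for merge request or manually started pipelines), so `--commit-to` would point at a commit that does not exist. The POSIX shell wrapper below is an added example, not code from the original post or from the Gitleaks project; it assumes the same Gitleaks v7 flag syntax as the snippet above and GitLab's predefined `CI_COMMIT_*` variables, falls back to scanning the whole branch when no previous commit is known, and otherwise passes the same commit range. The function and script names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): build the Gitleaks v7 argument
# list for a GitLab push pipeline, handling the case where CI_COMMIT_BEFORE_SHA
# is GitLab's all-zero placeholder (first push to a new branch, merge request
# or manually started pipeline), in which case there is no older commit to
# stop at and the whole branch is scanned instead.

ZERO_SHA="0000000000000000000000000000000000000000"

# gitleaks_range_args NEW_SHA BEFORE_SHA BRANCH
# Prints the commit-range flags for gitleaks (v7 CLI syntax, as in the job above).
gitleaks_range_args() {
  new_sha="$1"
  before_sha="$2"
  branch="$3"
  if [ -z "$before_sha" ] || [ "$before_sha" = "$ZERO_SHA" ]; then
    # No usable previous commit: fall back to scanning the full branch history.
    printf '%s' "--branch=$branch"
  else
    # Incremental scan: walk the log from the newly pushed commit back to the
    # commit that was the branch tip before this push.
    printf '%s' "--commit-from=$new_sha --commit-to=$before_sha --branch=$branch"
  fi
}

# Wrapper a CI job's script: section could call instead of the inline command.
# Gitleaks exits non-zero when it finds a leak, which fails the job.
run_gitleaks() {
  args="$(gitleaks_range_args "$CI_COMMIT_SHA" "$CI_COMMIT_BEFORE_SHA" "$CI_COMMIT_BRANCH")"
  # shellcheck disable=SC2086  # word-splitting of $args is intended here
  gitleaks -v --pretty --repo-path . $args
}

# Only run the scan when invoked as "sh scan.sh scan" inside the CI job; sourcing
# the file just defines the functions so they can be reused.
if [ "${1:-}" = "scan" ]; then
  run_gitleaks
fi
```

In the job, replace the inline command with `sh scan.sh scan` (the file name is an assumption) so that the fallback applies automatically; the incremental range is unchanged for ordinary pushes, so the job stays as fast as the original.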