Gitleaks: detecting and preventing hardcoded secrets in git repos
Gitleaks
Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.
Features:
- All code is open-source (Gitleaks) or source-available (Gitleaks-Action).
- Over 160 secret types with new types being added all the time.
- Easily configurable `gitleaks.toml` for customizing rules
Commands
There are two commands you will use to detect secrets: `detect` and `protect`.
Detect
The `detect` command is used to scan repos, directories, and files. This command can be used on developer machines and in CI environments.
When running `detect` on a git repository, gitleaks will parse the output of a `git log -p` command (you can see how this is executed here). `git log -p` generates patches which gitleaks will use to detect secrets. You can configure which commits `git log` will range over by using the `--log-opts` flag. `--log-opts` accepts any option for `git log -p`. For example, if you wanted to run gitleaks on a range of commits you could use the following command: `gitleaks detect --source . --log-opts="--all commitA..commitB"`. See the `git log` documentation for more information.
You can scan files and directories by using the `--no-git` option.
If you want to run only specific rules you can do so by using the `--enable-rule` option (with a rule ID as a parameter); this flag can be used multiple times. For example, `--enable-rule=atlassian-api-token` will apply only that rule. You can find a list of rules here.
Protect
The `protect` command is used to scan uncommitted changes in a git repo. This command should be used on developer machines in accordance with shifting left on security. When running `protect` on a git repository, gitleaks will parse the output of a `git diff` command (you can see how this is executed here). You can set the `--staged` flag to check only the changes that have been `git add`ed. The `--staged` flag should be used when running Gitleaks as a pre-commit hook.
NOTE: the `protect` command can only be used on git repos; running `protect` on files or directories will result in an error message.
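Putting the pre-commit use of `protect --staged` into practice, here is an added example of a hook script (not part of Gitleaks itself; the `--verbose` flag, the `hook_verdict` helper and the "exit 0 means no leaks" convention are assumptions, not taken from this page):

```sh
#!/bin/sh
# Hypothetical pre-commit hook (example code, not shipped with Gitleaks).
# Runs `gitleaks protect --staged` on the staged changes and aborts the
# commit when gitleaks reports a secret.
# Install: copy to .git/hooks/pre-commit and make it executable.

# Flags passed to gitleaks. --staged limits the scan to `git add`ed changes,
# which is exactly the scope a pre-commit check should cover.
gitleaks_args() {
    printf '%s' "protect --source . --staged --verbose"
}

# Map a gitleaks exit status to the hook's decision.
# Assumes gitleaks' convention that exit 0 means no leaks were found; any
# other status (a leak, or an error such as not being inside a git repo)
# must not let the commit through silently.
hook_verdict() {
    case "$1" in
        0) echo "allow" ;;
        *) echo "block" ;;
    esac
}

run_hook() {
    if ! command -v gitleaks >/dev/null 2>&1; then
        echo "pre-commit: gitleaks not in PATH; refusing to commit unscanned changes" >&2
        return 1
    fi
    # Word-splitting of the argument string is intended here.
    gitleaks $(gitleaks_args)
    status=$?
    if [ "$(hook_verdict "$status")" = "block" ]; then
        echo "pre-commit: gitleaks exited with status $status; commit aborted." >&2
        echo "Remove the secret (and rotate it if it was real), then commit again." >&2
        return 1
    fi
    return 0
}

# Only run when executed as the hook itself, so the functions can also be sourced.
case "$0" in
    */pre-commit) run_hook; exit $? ;;
esac
```

Developers can still bypass any local hook with `git commit --no-verify`, so the same `detect` scan should also run in CI as described above.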
Install & Use
Copyright (c) 2019 Zachary Rice