Avoid leaking secrets in your GitLab repository

Apr 2, 2019 by Thibault Debatty - 615 views

https://cylab.be/blog/20/avoid-leaking-secrets-in-your-gitlab-repository

Shit happens! Chances are great that you or one of the developers in your team will one day commit a file containing secrets or private keys to a public GIT repository...

Most important thing: detect this quickly so you can take action immediately. Here comes gitleaks, a small tool that analyzes GIT repositories for leaked secrets.

Once downloaded, you can use it from the command line to analyze a local or remote repository:

gitleaks -v --repo-path=/path/to/my/repo
gitleaks -v --repo=https://github.com/gitleakstest/gronit

And here is how to automate this this in your GitLab tests (in .gitlab-ci.yml):

stages:
  - leaks
  - test

leaks:gitleaks:
  stage: leaks
  image: 
    name: "zricethezav/gitleaks"
    entrypoint: [""]
  script:
    - gitleaks -v --repo-path=./ --config=gitleaks.toml

If one of the commits produces a warning you should of course fix the problem. Then, to remove gitleaks warnings, you can either:

rewrite git history to hide the faulty commit
or add the faulty commit to gitleaks.toml whitelist:

# the leaks in these commits have been fixed...
[whitelist]
commits = [
    "213c603d16c07d8b7252b62b694104e7e01c1f59",
    "444f28d5437ad3127702bf1b0779ae6cd00ab146",
]