Avoid leaking secrets in your GitLab repository

Apr 2, 2019 by Thibault | 1804 views


Shit happens! Chances are great that you or one of the developers in your team will one day commit a file containing secrets or private keys to a public GIT repository...

Most important thing: detect this quickly so you can take action immediately. Here comes gitleaks, a small tool that analyzes GIT repositories for leaked secrets.

Once downloaded, you can use it from the command line to analyze a local or remote repository:

gitleaks -v --repo-path=/path/to/my/repo
gitleaks -v --repo=https://github.com/gitleakstest/gronit

And here is how to automate this this in your GitLab tests (in .gitlab-ci.yml):

  - leaks
  - test

  stage: leaks
    name: "zricethezav/gitleaks"
    entrypoint: [""]
    - gitleaks -v --repo-path=./ --config=gitleaks.toml

If one of the commits produces a warning you should of course fix the problem. Then, to remove gitleaks warnings, you can either:

# the leaks in these commits have been fixed...
commits = [