Avoid leaking secrets in your GitLab repository

Apr 2, 2019 by Thibault Debatty | 4166 views

GitLab

https://cylab.be/blog/20/avoid-leaking-secrets-in-your-gitlab-repository

Shit happens! Chances are great that you or one of the developers in your team will one day commit a file containing secrets or private keys to a public GIT repository...

Most important thing: detect this quickly so you can take action immediately. Here comes gitleaks, a small tool that analyzes GIT repositories for leaked secrets.

Updated November 2021: with version 8, the syntax has been modified. You'll find the original version of the blog post at the bottom of this page...

Updated April 2022: with recent versions of git, you might get an error fatal: unsafe repository ('/builds/...' is owned by someone else). The gitlab-ci job below has been updated to avoid this error.

Usage

Once installed, you can use gitleaks from the command line to analyze a local or remote repository:

gitleaks detect -v /path/to/my/repo

GitLab

Here is how to automate this in your GitLab tests (in .gitlab-ci.yml):

stages:
  - leaks
  - test

# https://cylab.be/blog/20/avoid-leaking-secrets-in-your-gitlab-repository
leaks:gitleaks:
  stage: leaks
  image: 
    name: "zricethezav/gitleaks"
    entrypoint: [""]
  script:
    # to avoid
    # fatal: unsafe repository ('/builds/...' is owned by someone else)
    # with recent git versions
    - git config --global --add safe.directory $CI_PROJECT_DIR
    - gitleaks detect -v -c gitleaks.toml ./

Fixing issues

If one of the commits produces a warning you should of course fix the problem and revoke the leaked secret. Then, to remove gitleaks warnings, you can either:

# the leaks in these commits have been fixed...
[whitelist]
commits = [
    "213c603d16c07d8b7252b62b694104e7e01c1f59",
    "444f28d5437ad3127702bf1b0779ae6cd00ab146",
]

Previous versions

With previous version of gitleaks, you can analyze a local or remote repository with:

gitleaks -v -p /path/to/my/repo
gitleaks -v -p https://github.com/gitleakstest/gronit

And here is how to automate this in your GitLab tests (in .gitlab-ci.yml):

stages:
  - leaks
  - test

# https://cylab.be/blog/20/avoid-leaking-secrets-in-your-gitlab-repository
leaks:gitleaks:
  stage: leaks
  image: 
    name: "zricethezav/gitleaks"
    entrypoint: [""]
  script:
    - gitleaks -v -c gitleaks.toml -p ./

If one of the commits produces a warning you should of course fix the problem. Then, to remove gitleaks warnings, you can either:

# the leaks in these commits have been fixed...
[whitelist]
commits = [
    "213c603d16c07d8b7252b62b694104e7e01c1f59",
    "444f28d5437ad3127702bf1b0779ae6cd00ab146",
]
Build and store Docker images with GitLab
With GitLab, you can add a job to your pipeline to build Docker images, and push them to the built-in container registry. Here is how...
Jun 27, 2022 | 1278 views
Secure your project with the GitLab SAST analyzers
Learn how to secure any project with the GitLab SAST analyzers and easily separate the false positives from the real threats that should be addressed before deploying the project.
Oct 28, 2021 | 3905 views
GitLab : enable 2-Factor Authentication (2FA)
GitLab is a very powerful tool, and it also implements decent security measures and protections. But still, by default all your work on GitLab is protected by a single password, which could be guessed or stolen. To add an additional layer of protection, you can (and should) configure 2-Factor Authentication (2FA).
Aug 20, 2021 | 2429 views
This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept