Apr 2, 2019 by Thibault Debatty - 615 views
Shit happens! Chances are great that you or one of the developers in your team will one day commit a file containing secrets or private keys to a public GIT repository...
Most important thing: detect this quickly so you can take action immediately. Here comes gitleaks, a small tool that analyzes GIT repositories for leaked secrets.
Once downloaded, you can use it from the command line to analyze a local or remote repository:
gitleaks -v --repo-path=/path/to/my/repo gitleaks -v --repo=https://github.com/gitleakstest/gronit
And here is how to automate this this in your GitLab tests (in .gitlab-ci.yml):
stages: - leaks - test leaks:gitleaks: stage: leaks image: name: "zricethezav/gitleaks" entrypoint: [""] script: - gitleaks -v --repo-path=./ --config=gitleaks.toml
If one of the commits produces a warning you should of course fix the problem. Then, to remove gitleaks warnings, you can either:
# the leaks in these commits have been fixed... [whitelist] commits = [ "213c603d16c07d8b7252b62b694104e7e01c1f59", "444f28d5437ad3127702bf1b0779ae6cd00ab146", ]