DevSecOps: Scan for Secrets in Your Git Repository¶
Accidentally committed API keys and tokens cause breaches. Gitleaks scans Git history for these patterns.
TL;DR: Install gitleaks, configure your repository, run a scan, and add it to your CI pipeline to catch secrets before they reach production.
Install gitleaks¶
Use the Homebrew package or the Go toolchain (both are documented by the project); prebuilt binaries are also published on the project's GitHub releases page:

```sh
brew install gitleaks
# or
go install github.com/zricethezav/gitleaks/v8@latest
```

Verify the install:

```sh
gitleaks version
```
Configure gitleaks¶
Create a `.gitleaks.toml` file in your repository root (gitleaks picks this file up automatically when it scans the repository). `useDefault = true` keeps the built-in rule set and lets you add rules and allowlists on top of it:

```toml
[extend]
useDefault = true

[allowlist]
description = "global allow lists"
regexes = [
  # patterns to allow
]
```
Add a custom rule (replace the placeholder regex with your own pattern):

```toml
[[rules]]
id = "my-custom-secret"
description = "Custom secret pattern"
regex = '''(your-pattern-here)'''
```
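A fuller configuration tying the pieces together, added here as an example rather than taken from the page or the gitleaks project. The `acme-live-token` rule, its `acme_live_` prefix and the 32-hex-digit body are a hypothetical token format chosen for illustration; the allowlist entry is the placeholder access key from AWS's own documentation, not a live credential.

```toml
title = "example .gitleaks.toml"

[extend]
# keep the built-in rules and layer the additions below on top of them
useDefault = true

[allowlist]
description = "global allow lists"
# path patterns are regexes matched against the file path
paths = [
  '''(^|/)testdata/''',
  '''\.lock$''',
]
# values that are known to be harmless wherever they appear
regexes = [
  '''AKIAIOSFODNN7EXAMPLE''',
]

[[rules]]
id = "acme-live-token"
description = "Acme live API token (hypothetical format for this example)"
regex = '''\bacme_live_([0-9a-f]{32})\b'''
# report only the captured group as the secret, not the whole match
secretGroup = 1
# drop matches whose captured value is too uniform to be a real token
entropy = 3.0
# keywords let gitleaks skip the regex entirely on content that cannot match
keywords = ["acme_live_"]

[rules.allowlist]
# rule-level allowlist: a match whose secret contains one of these words is ignored
stopwords = ["example", "placeholder"]
```

`keywords` are the cheapest filter gitleaks has, so give every custom rule at least one literal fragment of the token format; a rule with a broad regex and no keyword is run against every line of every commit in the history.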
Scan Your Repository¶
```sh
# Full history scan
gitleaks detect --source .

# Verbose output (shows actual secrets)
gitleaks detect --source . --verbose

# Verbose output (redacts actual secrets)
gitleaks detect --source . --verbose --redact
```
Add to local git hooks¶
```sh
#!/bin/sh
# .git/hooks/pre-commit
# Refuse to run at all if gitleaks is missing, rather than silently letting the commit through.
command -v gitleaks >/dev/null 2>&1 || { echo "gitleaks is not installed"; exit 1; }

# Scan only the staged changes so the hook stays fast; a non-zero exit blocks the commit.
gitleaks protect --staged --verbose --redact
```

Make it executable:

```sh
chmod +x .git/hooks/pre-commit
```

Note that `.git/hooks` is not committed, so every clone has to install the hook itself; point `git config core.hooksPath` at a versioned directory if you want the hook to travel with the repository.
Add gitleaks to CI/CD¶
```yaml
name: gitleaks
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          # a full clone is required so the whole commit history is scanned, not just the tip
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v3
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
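Once a repository has a history of known findings, a CI job usually needs to answer a narrower question than "are there any secrets": did this change introduce a secret that was not already known? The script below, an added example that is not part of the page or the gitleaks project, triages a JSON report of the shape `gitleaks detect --report-format json` writes against a baseline report, the same fingerprint matching `--baseline-path` performs. Both the report and the baseline are constructed inline; the AWS key is the placeholder from AWS's documentation and the `my-custom-secret` finding uses a hypothetical token. The partial-redaction format and the Shannon entropy helper (the quantity a rule's `entropy` threshold compares against) are this example's own choices.

```python
"""Triage a gitleaks JSON report against a baseline of already-known findings."""
import json
import math
from collections import Counter

# Constructed sample in the shape of a `gitleaks detect --report-format json` report.
# The AWS key is the placeholder from AWS's own documentation, not a live credential.
SAMPLE_REPORT = json.dumps([
    {
        "Description": "AWS Access Key",
        "StartLine": 12, "EndLine": 12, "StartColumn": 18, "EndColumn": 37,
        "Match": "AKIAIOSFODNN7EXAMPLE",
        "Secret": "AKIAIOSFODNN7EXAMPLE",
        "File": "config/settings.py",
        "Commit": "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567",
        "Entropy": 3.68,
        "Author": "dev", "Email": "dev@example.com", "Date": "2024-03-01T10:00:00Z",
        "Message": "add settings",
        "Tags": [],
        "RuleID": "aws-access-token",
        "Fingerprint": "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567:config/settings.py:aws-access-token:12",
    },
    {
        "Description": "Custom secret pattern",
        "StartLine": 3, "EndLine": 3, "StartColumn": 9, "EndColumn": 40,
        "Match": "acme_live_9f8e7d6c5b4a39281706f5e4d3c2b1a0",
        "Secret": "9f8e7d6c5b4a39281706f5e4d3c2b1a0",
        "File": ".env.example",
        "Commit": "f1e2d3c4b5a697887766554433221100ffeeddcc",
        "Entropy": 3.62,
        "Author": "dev", "Email": "dev@example.com", "Date": "2024-03-02T09:30:00Z",
        "Message": "example env",
        "Tags": [],
        "RuleID": "my-custom-secret",
        "Fingerprint": "f1e2d3c4b5a697887766554433221100ffeeddcc:.env.example:my-custom-secret:3",
    },
])

# Constructed baseline: an earlier report that already contained the AWS finding.
SAMPLE_BASELINE = json.dumps([json.loads(SAMPLE_REPORT)[0]])


def load_findings(report_json):
    """Parse a gitleaks JSON report; treat an empty file the same as an empty list."""
    text = report_json.strip()
    return json.loads(text) if text else []


def new_findings(report_json, baseline_json):
    """Findings whose Fingerprint (commit:file:rule:line) is absent from the baseline."""
    known = {f["Fingerprint"] for f in load_findings(baseline_json)}
    return [f for f in load_findings(report_json) if f["Fingerprint"] not in known]


def redact(secret, keep=4):
    """Show only a short prefix so the CI log never echoes the full value."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def shannon_entropy(s):
    """Bits per character; a rule's `entropy` threshold is compared against this value."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def summarize(findings):
    """Count findings per rule and per (abbreviated) commit for the job summary."""
    return {
        "by_rule": dict(Counter(f["RuleID"] for f in findings)),
        "by_commit": dict(Counter(f["Commit"][:12] for f in findings)),
    }


def triage(report_json, baseline_json):
    """Return (exit_code, report_lines); the exit code is non-zero when anything new turned up."""
    fresh = new_findings(report_json, baseline_json)
    lines = [
        f"{f['RuleID']} {f['File']}:{f['StartLine']} commit {f['Commit'][:12]} "
        f"secret={redact(f['Secret'])} entropy={shannon_entropy(f['Secret']):.2f}"
        for f in fresh
    ]
    return (1 if fresh else 0), lines


if __name__ == "__main__":
    code, lines = triage(SAMPLE_REPORT, SAMPLE_BASELINE)
    print("\n".join(lines) or "no new findings")
    print(summarize(load_findings(SAMPLE_REPORT)))
    raise SystemExit(code)
```

In a pipeline you would replace the two constants with `gitleaks detect --report-format json --report-path report.json` output and a committed baseline report, and let the job fail on the script's exit code. Treat the baseline as a list of findings that have been rotated and are awaiting history rewriting, not as a way to make findings disappear: a fingerprint still in the baseline means the value is still in the history.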
Takeaways¶
- Scan the full Git history. People commit secrets and then delete them from current files, but the values remain in commit history.
- Use `--verbose` when investigating findings. It reveals the secret value, not just the file and line.
- Add gitleaks to your CI on pull requests. Preventing the secret from reaching production is cheaper than responding after it does.