
Gitleaks

GitLeaks is a security tool used in DevOps to detect sensitive and potentially compromising information in Git repositories. Its main purpose is to prevent the leakage of sensitive data, such as passwords, API keys and other secrets, that could be accidentally exposed in the version history of a Git repository.

Features

Search for sensitive patterns: GitLeaks searches for sensitive data patterns using predefined or custom rules. These rules may include password patterns, API keys, authentication tokens and other sensitive data.

Comprehensive history analysis: The tool scans the complete commit history in a Git repository, including old and new changes. This allows you to identify and correct sensitive data that may have been added in previous versions.

Integration with CI/CD workflows: GitLeaks can be integrated into CI/CD pipelines to automatically perform security analysis prior to deployment. This ensures that any new contributions are screened for potential information leaks.

Support for multiple file formats: GitLeaks is capable of parsing various file formats, such as source code files, configuration files and plain text files. This covers a wide range of possible locations for sensitive data.

Custom configuration: Users can configure search rules and patterns according to the specific needs of their project, allowing them to adapt GitLeaks to different contexts.
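As an added illustration of how the pattern search and the custom configuration described above fit together (example code written for this page, not Gitleaks' own implementation), the following Python sketches a rule-based scanner whose Rule and Allowlist fields mirror those of a gitleaks.toml file: a rule has an id, a regex, keywords used as a cheap prefilter and a minimum entropy, and the allowlist suppresses paths, matching values and stopwords. The rule ids, regexes, file contents and token values are all constructed.

```python
# Added example (not Gitleaks' own code): a miniature rule-based secret scanner.
# Rule mirrors the fields of a gitleaks.toml rule (id, regex, keywords, entropy);
# Allowlist mirrors its allowlist section (paths, regexes, stopwords).
# Every rule, file and secret value below is constructed for the example.
import math
import re
from dataclasses import dataclass


@dataclass
class Rule:
    id: str
    regex: re.Pattern
    keywords: tuple = ()   # prefilter: the regex only runs on lines containing a keyword
    entropy: float = 0.0   # minimum Shannon entropy (bits/char) of the captured secret


@dataclass
class Allowlist:
    paths: tuple = ()      # files matching these patterns are never scanned
    regexes: tuple = ()    # captured secrets matching these patterns are dropped
    stopwords: tuple = ()  # captured secrets containing these substrings are dropped


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders like 'aaaa' score near zero."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Hypothetical rules: an internal token format and a hard-coded password assignment.
RULES = (
    Rule("acme-internal-token", re.compile(r"\bacme_[A-Za-z0-9]{24}\b"),
         keywords=("acme_",), entropy=3.0),
    Rule("generic-password-assignment",
         re.compile(r'''(?i)password\s*[:=]\s*['"]([^'"]{8,})['"]'''),
         keywords=("password",), entropy=2.5),
)

ALLOWLIST = Allowlist(
    paths=(re.compile(r"(^|/)tests?/fixtures/"),),
    regexes=(re.compile(r"acme_DOCS0PLACEHOLDER"),),
    stopwords=("changeme", "example"),
)


def scan_file(path, text, rules=RULES, allowlist=ALLOWLIST):
    """Findings for one file, using the field names Gitleaks' JSON report uses."""
    findings = []
    if any(p.search(path) for p in allowlist.paths):
        return findings
    for lineno, line in enumerate(text.splitlines(), start=1):
        lower = line.lower()
        for rule in rules:
            if rule.keywords and not any(k in lower for k in rule.keywords):
                continue
            for m in rule.regex.finditer(line):
                # a capture group isolates the secret; otherwise the whole match is it
                secret = m.group(1) if m.groups() else m.group(0)
                if shannon_entropy(secret) < rule.entropy:
                    continue
                if any(r.search(secret) for r in allowlist.regexes):
                    continue
                if any(sw in secret.lower() for sw in allowlist.stopwords):
                    continue
                findings.append({"RuleID": rule.id, "File": path,
                                 "StartLine": lineno, "Secret": secret})
    return findings


def scan_repo(files, rules=RULES, allowlist=ALLOWLIST):
    """Scan a {path: content} mapping, e.g. the checked-out tree of one commit."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path], rules, allowlist))
    return findings


# Constructed checkout: two real hits, one low-entropy placeholder, one stopword
# value, one documented placeholder on the regex allowlist and one fixture path.
SAMPLE_FILES = {
    "config/settings.py": "DB_HOST = 'db.internal'\n"
                          "PASSWORD = 'changeme'\n"
                          "PASSWORD = 'Xk9#pL2mQ7vR4wT1'\n",
    "src/client.py": "TOKEN = 'acme_f3K9qL2mZ8pW4xR7vT1cN6bJ'\n",
    "tests/fixtures/sample.py": "TOKEN = 'acme_f3K9qL2mZ8pW4xR7vT1cN6bJ'\n",
    "README.md": "Set TOKEN to acme_aaaaaaaaaaaaaaaaaaaaaaaa in your environment\n",
    "docs/api.md": "Example: TOKEN=acme_DOCS0PLACEHOLDER0TOKEN00\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f['File']}:{f['StartLine']} [{f['RuleID']}] {f['Secret'][:4]}...")
```

Running the block reports only the two genuine hits: the README token is rejected by the entropy threshold, the `changeme` password by the stopword list, the documented placeholder by the allowlist regex, and the fixture file by the path allowlist. This is the same layering you tune in gitleaks.toml when a default rule is too noisy for a project.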

Usage

We can integrate Gitleaks with another of the tools available in our workflow, DefectDojo, so that its findings can be viewed conveniently in the DefectDojo dashboard.

Integration with GitLab

To integrate Gitleaks with GitLab CI/CD, we have two options: use the image available on DockerHub, or the one provided in the OSDO project, which already has curl installed to allow integration with DefectDojo.

Once we have decided which option we need, we add the following section to our .gitlab-ci.yml file:

.gitlab-ci.yml
secret_detection:
  stage: secret_detection
  variables:
    GIT_STRATEGY: clone
    GIT_DEPTH: 1
  image:
    name: Image-need   # the DockerHub image or the OSDO image chosen above
    entrypoint: [""]
  script:
    - gitleaks detect -v --source=$PWD --report-path=gitleaks-report.json
  artifacts:
    paths:
      - gitleaks-report.json

What this stage does is clone only the last commit (GIT_DEPTH: 1). Gitleaks scans every commit it is given, so without the shallow clone a leak that was introduced in an old commit would keep raising the alert on every pipeline run.

DefectDojo

To integrate with DefectDojo, we must add the after_script option to our GitLab CI/CD configuration file. In this step we call the defectdojo-finding.sh script, which is described in the Monitoring Integrations section. To ensure that the script is only called if leaks have been found, we wrap it in an if conditional that checks the status of the job through the $CI_JOB_STATUS variable. We must also add the following configuration variables to customize the "finding": $DD_SCAN_TYPE, $DD_PRODUCT_NAME, $DD_SCAN_FILE, $DD_SCAN_ACTIVE and $DD_SCAN_VERIFIED.

.gitlab-ci.yml
secret_detection:
  stage: secret_detection
  dependencies: ["defectdojo_create_engagement"]
  variables:
    GIT_STRATEGY: clone
    GIT_DEPTH: 1
    DD_SCAN_TYPE: "Gitleaks Scan"
    DD_PRODUCT_NAME: "GitLeaks"
    DD_SCAN_FILE: "gitleaks-report.json"
    DD_SCAN_ACTIVE: "true"
    DD_SCAN_VERIFIED: "false"
  image:
    name: harbor.opensecdevops.com/osdo/gitleak@sha256:d348f3c616c5b51b8e6bb1702484d6f293712be43fc81c3b97793f0886b7f95b
    entrypoint: [""]
  script:
    - gitleaks detect -v --source=$PWD --report-path=gitleaks-report.json
  after_script:
    - |
      # gitleaks exits non-zero when it finds leaks, so the job status is "failed"
      if [ "$CI_JOB_STATUS" = "failed" ]; then
        bash .gitlab-ci/defectdojo-finding.sh
      fi
  artifacts:
    when: on_failure
    paths:
      - gitleaks-report.json
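As an added example (written for this page; it is not the OSDO project's defectdojo-finding.sh script), the following Python reads the gitleaks-report.json artifact that the stage above writes, summarises it with the secret values masked so the output is safe to paste into a job log or a ticket, and derives the same pass/fail decision the pipeline relies on. The report content is a constructed sample that follows the field names of the Gitleaks JSON report; the commit hash, file paths and key values are invented.

```python
# Added example (not the project's defectdojo-finding.sh): summarise a
# gitleaks-report.json artifact without echoing the secrets themselves.
# SAMPLE_REPORT is a constructed report in the Gitleaks JSON layout.
import json
from collections import Counter

SAMPLE_REPORT = json.dumps([
    {
        "Description": "Generic API Key",
        "StartLine": 12, "EndLine": 12, "StartColumn": 11, "EndColumn": 50,
        "Match": "api_key = \"FAKEKEYa1b2c3d4e5f6g7h8i9j0k1l2m3n4\"",
        "Secret": "FAKEKEYa1b2c3d4e5f6g7h8i9j0k1l2m3n4",
        "File": "src/config.py",
        "Commit": "0123456789abcdef0123456789abcdef01234567",
        "Entropy": 4.2, "Author": "Dev One", "Email": "dev1@example.invalid",
        "Date": "2024-01-15T10:00:00Z", "Message": "add config",
        "Tags": [], "RuleID": "generic-api-key",
        "Fingerprint": "0123456789abcdef0123456789abcdef01234567:src/config.py:generic-api-key:12",
    },
    {
        "Description": "Private Key",
        "StartLine": 1, "EndLine": 1, "StartColumn": 1, "EndColumn": 31,
        "Match": "-----BEGIN RSA PRIVATE KEY-----",
        "Secret": "-----BEGIN RSA PRIVATE KEY-----",
        "File": "deploy/id_rsa",
        "Commit": "0123456789abcdef0123456789abcdef01234567",
        "Entropy": 3.1, "Author": "Dev One", "Email": "dev1@example.invalid",
        "Date": "2024-01-15T10:05:00Z", "Message": "add deploy key",
        "Tags": [], "RuleID": "private-key",
        "Fingerprint": "0123456789abcdef0123456789abcdef01234567:deploy/id_rsa:private-key:1",
    },
])


def mask(secret: str, keep: int = 4) -> str:
    """Keep a short prefix for triage and hide the rest; never log the full value."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def load_report(text: str) -> list:
    """Parse the report: Gitleaks writes a JSON array with one object per finding."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("gitleaks report must be a JSON array of findings")
    required = {"RuleID", "File", "StartLine", "Secret", "Commit", "Fingerprint"}
    for i, finding in enumerate(data):
        missing = required - set(finding)
        if missing:
            raise ValueError(f"finding {i} lacks fields: {sorted(missing)}")
    return data


def summarise(findings: list) -> dict:
    """Counts per rule and per file, plus one masked line per finding."""
    return {
        "total": len(findings),
        "by_rule": dict(Counter(f["RuleID"] for f in findings)),
        "by_file": dict(Counter(f["File"] for f in findings)),
        "lines": [
            f'{f["File"]}:{f["StartLine"]} [{f["RuleID"]}] '
            f'{mask(f["Secret"])} commit {f["Commit"][:8]}'
            for f in findings
        ],
    }


def job_exit_code(findings: list) -> int:
    """Mirror gitleaks' own behaviour: non-zero whenever a leak is present."""
    return 1 if findings else 0


def ignore_entries(findings: list) -> list:
    """Fingerprint lines in the commit:file:rule:line form that a .gitleaksignore
    file accepts, for findings a reviewer has triaged as false positives."""
    return [f["Fingerprint"] for f in findings]


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_REPORT
    found = load_report(text)
    for line in summarise(found)["lines"]:
        print(line)
    sys.exit(job_exit_code(found))
```

Run it as `python summarise_report.py gitleaks-report.json` (script name assumed) from an after_script step to get a masked summary in the job log; with no argument it processes the built-in sample. Masking matters because the artifact is kept `on_failure` and the job log is visible to everyone who can read the pipeline, so the summary should never reproduce the leaked value itself.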