The Developer's Guide to Using Gitleaks to Detect Hardcoded Secrets
Published November 21, 2023.
With the rise of automation in application development, APIs, services, and other integrations need to communicate with each other to operate. These connections require authentication, which is usually achieved through secrets.
Secrets should remain a secret - yet on GitHub, three out of every thousand commits have leaked them. While you may want to believe that you're not part of these statistics, more than 395,000 secrets have been exposed by the top 1 million domains. Leaked secrets are becoming an overwhelming problem for every company. So, how can you prevent this?
Even the most security-minded of organizations can make the mistake of hard-coded secrets. That’s why the first step to ensuring your assets aren’t exposed is to verify your secret hygiene, which can be achieved through open-source tooling. Gitleaks is a non-intrusive way to detect secrets in your code before they reach production or are committed to a public-facing repository. This article guides you through leveraging Gitleaks to discover hardcoded secrets.
What is Gitleaks?
Gitleaks is a security scanning tool that helps you find potential security vulnerabilities in your git repositories, files, and directories. It does this by scanning your code and looking for sensitive information that may have been accidentally committed. This information can include passwords, APIs, private keys, and other sensitive data.
If Gitleaks detects a secret, it will generate an alert, so you are automatically informed. You can use it to improve visibility into all of your organization’s repositories. Plus, it helps you identify which users have access to secrets and when they were added or last modified.
The great part is that it is open source, free to use, and works on public, private, remote, or local repositories. It also supports multiple languages and encodings and provides a REST API for integration with other tools.
Why use Gitleaks
Gitleaks is a SAST tool that scans your latest source code and your entire git history to identify any secrets that may have been committed in the past. It is a valuable tool for preventing data breaches, as it can help to uncover hardcoded secrets that attackers could exploit.
Gitleaks is also ISO-27001 compliant, meaning it meets international information security management standards. Jit is the CI/CD tool for automated hardcoded secret detection through Gitleaks. How does it work? Set your triggers, and Jit will automatically run policies and scans repositories for potential issues based on your baseline settings.
How to install Gitleaks
Gitleaks can be installed on macOS, Linux, and Windows.
Installing on macOS with Homebrew
- Check if you have Homebrew installed:
$ brew --version
- If you don't have Homebrew installed, install it now:
$ /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
- Tap the Gitleaks Homebrew repository:
$ brew tap gitleakstools/gitleaks
- Install Gitleaks:
$ brew install gitleaks
Installing with Docker
- Check if you have Docker installed:
$ docker --version
- If you don't have Docker installed, follow the Docker installation instructions to install it.
- Run the Gitleaks Docker image:
$ docker run --rm -it gitleakstools/gitleaks
Installing with Go
- Check if you have Go installed:
$ go version
- If you don't have Go installed, follow the Go installation instructions to install it.
- Install Gitleaks:
$ go get -u github.com/gitleakstools/gitleaks
- Run Gitleaks:
Checking for Dependencies
Gitleaks has a few dependencies:
- Docker (if using the Docker image)
To check if you have these dependencies installed, you can run the check-dependencies command:
$ gitleaks check-dependencies check-dependencies
If any dependencies are missing, you will see an error message telling you which ones are missing. Install the missing dependencies and then try rerunning check-dependencies.
How to use Gitleaks to detect hardcoded secrets
Gitleaks completes its scan by matching repository commits against a set of regular expressions. Here’s how you can leverage Gitleaks for your secrets discovery.
Gitleaks has two main commands: detect and protect. The detect command scans a git repository for potential security vulnerabilities. This command will generate a report containing a list of potential vulnerabilities found.
The protect command creates a hook to prevent commits that introduce potential security vulnerabilities. This command will create a file called .gitleaks.hook in the repository's root directory. This file must be placed in the .git/hooks directory for the hook to be active.
To use the detect command, navigate to the repository's root directory and run the following command:
gitleaks --repo-url=https://github.com/gitleakstest/sample --report=report.json
This will scan the repository located at https://github.com/gitleakstest/sample and generate a report called report.json.
To use the protect command, navigate to the repository's root directory and run the following command:
gitleaks --repo-url=https://github.com/gitleakstest/sample --hook=true
This will create a file called .gitleaks.hook in the repository's root directory. This file must be placed in the .git/hooks directory for the hook to be active.
Creating a baseline
A baseline is a snapshot of your project at a specific time. Baselines are essential because they allow you to track the changes made to your project over time. They also allow you to restore your project to a specific point in time if necessary.
You can run the gitleaks command with the --create-baseline flag. This will create a snapshot of your project at the current point in time.
When you find a sensitive data leak in your Git repository, you need to mitigate the leak and prevent further damage immediately. Depending on the severity of the leak, you may need to take different actions.
If the leak is not severe and does not expose sensitive data, you can simply remove the sensitive data from your repository and commit the changes. You should also take measures to prevent similar leaks in the future, such as adding a .gitignore file to your repository.
If the leak is more severe and does expose sensitive data, you will need to take more drastic measures. You may need to delete the entire repository and start over from scratch. You should also consider changing all passwords that may have been exposed and taking other security measures as necessary.
There are many ways to configure Gitleaks, which are all detailed in the documentation.
To test for a secret, developers can create a file called ".gitleaks.toml" at the root of their project. This file should contain the following:
patterns = ["<your test secret>"]
Gitleaks will then scan for this secret and report any findings. To ignore specific findings, developers can add the following to their ".gitleaks.toml" file:
findings = ["<hash of finding>"]
Automate your leaks discovery
Manual detection through Gitleaks scanning can save your teams and repositories time, security headaches, and accidental leakages. When a problem is detected, Gitleaks can give you the information necessary to secure your application's codebase.
Managing secrets, such as passwords and API keys, can be challenging for developers. If these secrets are not handled properly, they can end up being hardcoded into the source code, posing a security risk if the code is compromised.
Gitleaks, when used with Jit, can help developers automate the process of detecting hardcoded secrets in their code. By running Gitleaks as part of the CI/CD process, developers can identify any secrets that have been committed in the past and take steps to fix them, improving the overall security of their code and helping to prevent data breaches and protect sensitive information. Get started for free to see how it works.