README ΒΆ
β
ββ²
β β
β β
β gitleaks
Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.
π«ββ¨ Temporary README message π«ββ¨
It would be so great if you could fill out this quick gitleaks user survey. <3
Getting Started
Gitleaks can be installed using Homebrew, Docker, or Go. Gitleaks is also available in binary form for many popular platforms and OS types on the releases page. In addition, Gitleaks can be implemented as a pre-commit hook directly in your repo.
MacOS
brew install gitleaks
Docker
DockerHub
docker pull zricethezav/gitleaks:latest
docker run -v ${path_to_host_folder_to_scan}:/path zricethezav/gitleaks:latest [COMMAND] --source="/path" [OPTIONS]
ghrc.io
docker pull ghcr.io/zricethezav/gitleaks:latest
docker run -v ${path_to_host_folder_to_scan}:/path zricethezav/gitleaks:latest [COMMAND] --source="/path" [OPTIONS]
From Source
- Download and install Go from https://golang.org/dl/
- Clone the repo
git clone https://github.com/zricethezav/gitleaks.git
- Build the binary
cd gitleaks
make build
Usage
Usage:
gitleaks [command]
Available Commands:
completion generate the autocompletion script for the specified shell
detect Detect secrets in code
help Help about any command
protect Protect secrets in code
version Display gitleaks version
Flags:
-c, --config string config file path
order of precedence:
1. --config/-c
2. (--source/-s)/.gitleaks.toml
if --config/-c is not set and no (--source/-s)/.gitleaks.toml present
then .gitleaks.toml will be written to (--source/-s)/.gitleaks.toml for future use
--exit-code string exit code when leaks have been encountered (default: 1)
-h, --help help for gitleaks
-l, --log-level string log level (debug, info, warn, error, fatal) (default "info")
--redact redact secrets from logs and stdout
-f, --report-format string output format (json, csv, sarif)
-r, --report-path string report file
-s, --source string path to source (git repo, directory, file)
-v, --verbose show verbose output from scan
Use "gitleaks [command] --help" for more information about a command.
Commands
There are two commands you will use to detect secrets; detect
and protect
.
Detect
The detect
command is used to scan repos, directories, and files. This comand can be used on developer machines and in CI environments.
When running detect
on a git repository, gitleaks will parse the output of a git log -p
command (you can see how this executed
here).
git log -p
generates patches which gitleaks will use to detect secrets.
You can configure what commits git log
will range over by using the --log-opts
flag. --log-opts
accepts any option for git log -p
.
For example, if you wanted to run gitleaks on a range of commits you could use the following command: gitleaks --source . --log-opts="--all commitA..commitB"
.
See the git log
documentation for more information.
You can scan files and directories by using the --no-git
option.
Protect
The protect
command is used to uncommitted changes in a git repo. This command should be used on developer machines in accordance with
shifting left on security.
When running protect
on a git repository, gitleaks will parse the output of a git diff
command (you can see how this executed
here). You can set the
--staged
flag to check for changes in commits that have been git add
ed. The --staged
flag should be used when running Gitleaks
as a pre-commit.
NOTE: the protect
command can only be used on git repos, running protect
on files or directories will result in an error message.
Verify Findings
You can verify a finding found by gitleaks using a git log
command.
Example output:
{
"Description": "AWS",
"StartLine": 37,
"EndLine": 37,
"StartColumn": 19,
"EndColumn": 38,
"Match": "\t\t\"aws_secret= \\\"AKIAIMNOJVGFDXXXE4OA\\\"\": true,",
"Secret": "AKIAIMNOJVGFDXXXE4OA",
"File": "checks_test.go",
"Commit": "ec2fc9d6cb0954fb3b57201cf6133c48d8ca0d29",
"Entropy": 0,
"Author": "zricethezav",
"Email": "thisispublicanyways@gmail.com",
"Date": "2018-01-28 17:39:00 -0500 -0500",
"Message": "[update] entropy check",
"Tags": [],
"RuleID": "aws-access-token"
}
We can use the following format to verify the leak:
git log -L {StartLine,EndLine}:{File} {Commit}
So in this example it would look like:
git log -L 37,37:checks_test.go ec2fc9d6cb0954fb3b57201cf6133c48d8ca0d29
Which gives us:
commit ec2fc9d6cb0954fb3b57201cf6133c48d8ca0d29
Author: zricethezav <thisispublicanyways@gmail.com>
Date: Sun Jan 28 17:39:00 2018 -0500
[update] entropy check
diff --git a/checks_test.go b/checks_test.go
--- a/checks_test.go
+++ b/checks_test.go
@@ -28,0 +37,1 @@
+ "aws_secret= \"AKIAIMNOJVGFDXXXE4OA\"": true,
Pre-Commit hook
You can run Gitleaks as a pre-commit hook by copying the example pre-commit.py
script into
your .git/hooks/
directory.
Configuration
Gitleaks offers a configuration format you can follow to write your own secret detection rules:
# Title for the gitleaks configuration file.
title = "Gitleaks title"
# An array of tables that contain information that define instructions
# on how to detect secrets
[[rules]]
# Unique identifier for this rule
id = "awesome-rule-1"
# Short human readable description of the rule.
description = "awsome rule 1"
# Golang regular expression used to detect secrets. Note Golang's regex engine
# does not support lookaheads.
regex = '''one-go-style-regex-for-this-rule'''
# Golang regular expression used to match paths. This can be used as a standalone rule or it can be used
# in conjunction with a valid `regex` entry.
path = '''a-file-path-regex'''
# Array of strings used for metadata and reporting purposes.
tags = ["tag","another tag"]
# Int used to extract secret from regex match and used as the group that will have
# its entropy checked if `entropy` is set.
secretGroup = 3
# Float representing the minimum shannon entropy a regex group must have to be considered a secret.
entropy = 3.5
# You can include an allowlist table for a single rule to reduce false positives or ignore commits
# with known/rotated secrets
[rules.allowlist]
description = "ignore commit A"
commits = [ "commit-A", "commit-B"]
paths = ['''one-file-path-regex''']
regexes = ['''one-regex-within-the-already-matched-regex''']
# This is a global allowlist which has a higher order of precendence than rule-specific allowlists.
# If a commit listed in the `commits` field below is encountered then that commit will be skipped and no
# secrets will be detected for said commit. The same logic applies for regexes and paths.
[allowlist]
description = "ignore commit A"
commits = [ "commit-A", "commit-B"]
paths = ['''one-file-path-regex''']
regexes = ['''one-regex-within-the-already-matched-regex''']
Refer to the default gitleaks config for examples and advice on writing regular expressions for secret detection.
Tips on Writing Regular Expressions
Gitleaks rules are defined by regular expressions and entropy ranges.
Some secrets have unique signatures which make detecting those secrets easy.
Examples of those secrets would be Gitlab Personal Access Tokens, AWS keys, and Github Access Tokens.
All these examples have defined prefixes like glpat
, AKIA
, ghp_
, etc.
Other secrets might just be a hash which means we need to write more complex rules to verify that what we are matching is a secret.
Here is an example of a semi-generic secret
discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"
We can write a regular expression to capture the variable name (identifier), the assignment symbol (like '=' or ':='), and finally the actual secret. The structure of a rule to match this example secret is below:
Beginning string
quotation
β End string quotation
β β
βΌ βΌ
(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]
β² β² β²
β β β
β β β
identifier assignment symbol
Secret
A Note on Generic Secrets
Let's continue with the example discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"
.
This secret would match both the discord-client-secret
rule and the generic-api-key
rule in the default config.
[[rules]]
id = "discord-client-secret"
description = "Discord client secret"
regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]'''
secretGroup = 3
[[rules]]
id = "generic-api-key"
description = "Generic API Key"
regex = '''(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]'''
entropy = 3.7
secretGroup = 4
If gitleaks encountered discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"
, only the discord
rule would report a finding because
the generic rule has the string generic
somewhere in the rule's id
. If a secret is encountered and both a generic
and non-generic rule have discovered the same secret, the non-generic
will be given precedence.
Exit Codes
You can always set the exit code when leaks are encountered with the --exit-code flag. Default exit codes below:
0 - no leaks present
1 - leaks or error encountered
126 - unknown flag
Documentation ΒΆ
There is no documentation for this package.