Secrets Detection with Gitleaks

Overview

Gitleaks is a secret detection tool that scans git repositories, files, and directories for hardcoded credentials including passwords, API keys, tokens, and other sensitive information. It uses regex-based pattern matching combined with Shannon entropy analysis to identify secrets that could lead to unauthorized access if exposed.

This skill provides comprehensive guidance for integrating Gitleaks into DevSecOps workflows, from pre-commit hooks to CI/CD pipelines, with emphasis on preventing secret leakage before code reaches production.

Quick Start

Scan current repository for secrets:

# Install gitleaks
brew install gitleaks  # macOS
# or: docker pull zricethezav/gitleaks:latest

# Scan current git repository
gitleaks detect -v

# Scan specific directory
gitleaks detect --source /path/to/code -v

# Generate report
gitleaks detect --report-path gitleaks-report.json --report-format json

Core Workflows

1. Repository Scanning

Scan existing repositories to identify exposed secrets:

# Full repository scan with verbose output
gitleaks detect -v --source /path/to/repo

# Scan with custom configuration
gitleaks detect --config .gitleaks.toml -v

# Generate JSON report for further analysis
gitleaks detect --report-path findings.json --report-format json

# Generate SARIF report for GitHub/GitLab integration
gitleaks detect --report-path findings.sarif --report-format sarif

When to use: Initial security audit, compliance checks, incident response.

2. Pre-Commit Hook Protection

Prevent secrets from being committed in the first place:

# Install pre-commit hook (run in repository root)
cat << 'EOF' > .git/hooks/pre-commit
#!/bin/sh
gitleaks protect --verbose --redact --staged
EOF

chmod +x .git/hooks/pre-commit

Use the bundled script for automated hook installation:

./scripts/install_precommit.sh

When to use: Developer workstation setup, team onboarding, mandatory security controls.

3. CI/CD Pipeline Integration

GitHub Actions

name: gitleaks
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

GitLab CI

gitleaks:
  image: zricethezav/gitleaks:latest
  stage: test
  script:
    - gitleaks detect --report-path gitleaks.json --report-format json --verbose
  artifacts:
    paths:
      - gitleaks.json
    when: always
  allow_failure: false

When to use: Automated security gates, pull request checks, release validation.

4. Baseline and Incremental Scanning

Establish security baseline and track only new secrets:

# Create initial baseline
gitleaks detect --report-path baseline.json --report-format json

# Subsequent scans detect only new secrets
gitleaks detect --baseline-path baseline.json --report-path new-findings.json -v

When to use: Legacy codebase remediation, phased rollout, compliance tracking.

5. Configuration Customization

Create custom .gitleaks.toml configuration:

title = "Custom Gitleaks Configuration"

[extend]
# Extend default config with custom rules
useDefault = true

[[rules]]
id = "custom-api-key"
description = "Custom API Key Pattern"
regex = '''(?i)(custom_api_key|custom_secret)[\s]*[=:][\s]*['"][a-zA-Z0-9]{32,}['"]'''
tags = ["api-key", "custom"]

[allowlist]
description = "Global allowlist"
paths = [
  '''\.md$''',           # Ignore markdown files
  '''test/fixtures/''',  # Ignore test fixtures
]
stopwords = [
  '''EXAMPLE''',         # Ignore example keys
  '''PLACEHOLDER''',
]

Use bundled configuration templates in assets/:

• assets/config-strict.toml - Strict detection (low false negatives)
• assets/config-balanced.toml - Balanced detection (recommended)
• assets/config-custom.toml - Template for custom rules

When to use: Reducing false positives, adding proprietary secret patterns, organizational standards.

Security Considerations

Sensitive Data Handling

• Secret Redaction: Always use --redact flag in logs and reports to prevent accidental secret exposure
• Report Security: Gitleaks reports contain detected secrets - treat as confidential, encrypt at rest
• Git History: Detected secrets in git history require complete removal using tools like git filter-repo or BFG Repo-Cleaner
• Credential Rotation: All exposed secrets must be rotated immediately, even if removed from code

Access Control

• CI/CD Permissions: Gitleaks scans require read access to repository content and git history
• Report Access: Restrict access to scan reports containing sensitive findings
• Baseline Files: Baseline JSON files contain secret metadata - protect with same controls as findings

Audit Logging

Log the following for compliance and incident response:

• Scan execution timestamps and scope (repository, branch, commit range)
• Number and types of secrets detected
• Remediation actions taken (credential rotation, commit history cleanup)
• False positive classifications and allowlist updates

Compliance Requirements

• PCI-DSS 3.2.1: Requirement 6.5.3 - Prevent hardcoded credentials in payment applications
• SOC2: CC6.1 - Logical access controls prevent unauthorized credential exposure
• GDPR: Article 32 - Appropriate security measures for processing personal data credentials
• CWE-798: Use of Hard-coded Credentials
• CWE-259: Use of Hard-coded Password
• OWASP A07:2021: Identification and Authentication Failures

Bundled Resources

Scripts (scripts/)

• install_precommit.sh - Automated pre-commit hook installation with configuration prompts
• scan_and_report.py - Comprehensive scanning with multiple output formats and severity classification
• baseline_manager.py - Baseline creation, comparison, and incremental scan management

References (references/)

• detection_rules.md - Comprehensive list of built-in Gitleaks detection rules with CWE mappings
• remediation_guide.md - Step-by-step secret remediation procedures including git history cleanup
• false_positives.md - Common false positive patterns and allowlist configuration strategies
• compliance_mapping.md - Detailed mapping to PCI-DSS, SOC2, GDPR, and OWASP requirements

Assets (assets/)

• config-strict.toml - High-sensitivity configuration (maximum detection)
• config-balanced.toml - Production-ready balanced configuration
• config-custom.toml - Template with inline documentation for custom rules
• precommit-config.yaml - Pre-commit framework configuration
• github-action.yml - Complete GitHub Actions workflow template
• gitlab-ci.yml - Complete GitLab CI pipeline template

Common Patterns

Pattern 1: Initial Repository Audit

First-time secret scanning for security assessment:

# 1. Clone repository with full history
git clone --mirror https://github.com/org/repo.git audit-repo
cd audit-repo

# 2. Run comprehensive scan
gitleaks detect --report-path audit-report.json --report-format json -v

# 3. Generate human-readable report
./scripts/scan_and_report.py --input audit-report.json --format markdown --output audit-report.md

# 4. Review findings and classify false positives
# Edit .gitleaks.toml to add allowlist entries

# 5. Create baseline for future scans
cp audit-report.json baseline.json

Pattern 2: Developer Workstation Setup

Protect developers from accidental secret commits:

# 1. Install gitleaks locally
brew install gitleaks  # macOS
# or use package manager for your OS

# 2. Install pre-commit hook
./scripts/install_precommit.sh

# 3. Test hook with dummy commit
echo "api_key = 'EXAMPLE_KEY_12345'" > test.txt
git add test.txt
git commit -m "test"  # Should be blocked by gitleaks

# 4. Clean up test
git res