What is Gitleaks?

Gitleaks is a Static Application Security Testing (SAST) tool that scans git repositories, files, and directories for secrets. By integrating Gitleaks into your development workflow, you can catch potential vulnerabilities early and prevent them from being committed to your codebase.


Why Are Secrets Committed to Code?

Secrets, such as tokens, API keys, database passwords, and credentials, are often inadvertently committed to code repositories. This can happen for several reasons:

  • Multiple developers working together
  • Ease of accidental commits (e.g., git add .)
  • Increasing number of repositories and codebases in modern projects

Since git tracks the history of changes, a bad actor can access older commits containing secrets and exploit them.


How to Fix It

To address this issue, it’s essential to shift security left and catch vulnerabilities early in the development cycle. Gitleaks uses pattern-based scanning and configurable rules to detect secrets in your codebase.


Different Modes to Use Gitleaks


Installing Gitleaks

The installation process for Gitleaks varies depending on your operating system:

# macOS
brew install gitleaks
# Linux (Debian)
sudo apt update && sudo apt install -y gitleaks
# Docker (DockerHub)
docker pull zricethezav/gitleaks:latest
docker run -v ${path_to_host_folder_to_scan}:/path zricethezav/gitleaks:latest [COMMAND] [OPTIONS] [SOURCE_PATH]
# If Golang is Installed
git clone https://github.com/gitleaks/gitleaks.git
cd gitleaks
make build

Using Gitleaks

To scan a git repository, navigate to the repository’s root directory and run:

gitleaks detect --source .

To see verbose output, run:

gitleaks detect -v

If no leaks are found, you should see output similar to:

    │╲
    │ ○
    ○ ░
    ░    gitleaks

10:01AM INF 1 commits scanned.
10:01AM INF scanned ~37922 bytes (37.92 KB) in 48.6ms
10:01AM INF no leaks found

If a leak is found and Gitleaks was run in verbose mode (-v), it prints the finding along with the commit in which the secret was detected:

Finding:     REACT_APP_ZOOM_CLIENT_SECRET = "nPCxs6GlvNVWZ8ImsTxajOaDFxuGI36G"
Secret:      nPCxs6GlvNVWZ8ImsTxajOaDFxuGI36G
RuleID:      generic-api-key
Entropy:     4.452819
File:        env.txt
Line:        74
Commit:      57a4e54013485d0557d31f9b161ec770e54ccf5e
Author:      test user
Email:       test@test.com
Date:        2025-03-23T10:52:27Z
Fingerprint: 57a4e54013485d0557d31f9b161ec770e54ccf5e:env.txt:generic-api-key:74

To generate a report of detected leaks, use the following command:

gitleaks detect --source . -r gitleaks.json -f json

To scan the last 10 commits for leaks, use:

gitleaks detect --source . --log-opts="-10"

Handling Detected Secrets

Secret Detected Locally (Not Pushed)

If a secret is found in the last commit, you can undo that commit while keeping its changes staged:

git reset --soft HEAD~1

Edit the file to remove the secret, then recommit the changes.

Secret Detected Locally (Not Pushed) Deeper in Commit History

Use git rebase to remove secrets from deeper in the commit history. Note that rebasing should only be performed on changes that have not been pushed or if you are the sole user of the repository.

git rebase -i <commit-id>~1

In the editor that opens, mark the offending commit by changing pick to e (edit). When the rebase stops at that commit, edit the file to remove the secret, then stage the modified file:

git add .

Continue the rebase process:

git rebase --continue

Secret Detected in a Pushed Repo

If a secret has been pushed to a remote repository, treat it as compromised: anyone with access to the remote's history may already have read it, so rotate the secret first. Then set up a baseline report so that Gitleaks stops reporting the leaks recorded before the baseline.

Tools such as BFG Repo-Cleaner can help remove the secret from the history of large repositories, but rewriting history does not replace rotation.
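As an added example (not part of the original article and not Gitleaks code), the script below reads the JSON report produced by the -r gitleaks.json -f json command above and prepares what the rotation step needs: the distinct secret values to rotate (one value usually appears in several commits) and the fingerprints to carry into a baseline or a .gitleaksignore file. The report content is constructed; the field names are those gitleaks writes.

```python
import json
from collections import Counter

# Constructed stand-in for a gitleaks JSON report (what `gitleaks detect -r gitleaks.json
# -f json` writes), trimmed to the fields used below. Secrets and commits are made up;
# the last entry has no Commit, which is how findings from a --no-git directory scan look.
SAMPLE_REPORT = """[
 {"RuleID": "generic-api-key", "File": "env.txt", "StartLine": 74,
  "Secret": "nPCxs6GlvNVWZ8ImsTxajOaDFxuGI36G",
  "Commit": "57a4e54013485d0557d31f9b161ec770e54ccf5e",
  "Fingerprint": "57a4e54013485d0557d31f9b161ec770e54ccf5e:env.txt:generic-api-key:74"},
 {"RuleID": "generic-api-key", "File": "env.txt", "StartLine": 74,
  "Secret": "nPCxs6GlvNVWZ8ImsTxajOaDFxuGI36G",
  "Commit": "9f1c2d3e4a5b6c7d8e9f0a1b2c3d4e5f60718293",
  "Fingerprint": "9f1c2d3e4a5b6c7d8e9f0a1b2c3d4e5f60718293:env.txt:generic-api-key:74"},
 {"RuleID": "aws-access-token", "File": "deploy/prod.yaml", "StartLine": 12,
  "Secret": "AKIAFAKEFAKEFAKEFAKE", "Commit": "",
  "Fingerprint": "deploy/prod.yaml:aws-access-token:12"}
]"""

def expected_fingerprint(finding):
    """Rebuild the fingerprint gitleaks prints: commit:file:rule:line, or
    file:rule:line when the finding carries no commit."""
    parts = [finding["File"], finding["RuleID"], str(finding["StartLine"])]
    if finding.get("Commit"):
        parts.insert(0, finding["Commit"])
    return ":".join(parts)

def redact(secret, keep=4):
    """Keep only a short prefix so the summary does not re-leak the full value."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)

def summarize(report_text):
    """Findings per rule, distinct secrets to rotate (with the files they sit in),
    and the fingerprints to keep as a baseline / .gitleaksignore after rotation."""
    findings = json.loads(report_text)
    to_rotate = {}
    for f in findings:
        to_rotate.setdefault(f["Secret"], set()).add(f["File"])
    return {
        "per_rule": dict(Counter(f["RuleID"] for f in findings)),
        "rotate": {redact(s): sorted(files) for s, files in to_rotate.items()},
        "fingerprints": sorted(f["Fingerprint"] for f in findings),
        # Entries whose fingerprint disagrees with their own fields (e.g. a hand-edited report).
        "inconsistent": [f["Fingerprint"] for f in findings
                         if expected_fingerprint(f) != f["Fingerprint"]],
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
```

Replace SAMPLE_REPORT with the contents of your own gitleaks.json; the same value appearing in several commits is rotated once, and the fingerprint list is only safe to ignore after that rotation.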


Best Practices for Using Secrets in Code

  • Pass secrets to your application at runtime using environment variables or a secret manager.
  • Use a .env file to store secrets locally and ensure this file is in .gitignore.
  • Load the .env file using libraries available in most modern programming languages:
    • Python: python-dotenv
    • Node.js: dotenv
    • Rust: dotenv
    • Go: godotenv