Stop Leaking Secrets — Configuration (2/3) (2024)

Gitleaks-Action is a simple solution to prevent and detect secret leaks at your organization. Read the previous blog post in this series to get started. In this blog post we’ll cover how to configure your Gitleaks-Action using a Gitleaks configuration file.

One of the main benefits of using Gitleaks and Gitleaks-Action is the powerful, simple-to-use configuration file, gitleaks.toml. In this blog post we will focus on how to use custom configuration files in the context of Gitleaks-Action, but the information explained here applies equally outside of a CI/CD environment.

By default, Gitleaks-Action uses the configuration file located here. At the time of writing there are over 150 secret types including a powerful generic secret rule. However, your organization might not care about the majority of the secrets listed in the default configuration, and it may need rules for internal token formats that no default rule knows about. In both cases you want Gitleaks-Action to load a custom configuration instead.

There are two ways to point Gitleaks-Action at a custom configuration:

  1. You can put a file named .gitleaks.toml at the root of your repo. Gitleaks will automatically load that configuration file.
  2. Alternatively, you can put the config file elsewhere in your repo and then set an environment variable, GITLEAKS_CONFIG, in your job definition to point to it. This should be the relative path from the root of your repo.

Example below:

name: gitleaks
on: [pull_request, push, workflow_dispatch]
jobs:
  scan:
    name: gitleaks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0          # full history, so every commit is scanned, not just the tip
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITLEAKS_CONFIG: path/to/config.toml   # relative to the repo root
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

Check the Gitleaks-Action log to confirm that the custom configuration file has actually been loaded. With method 1, the log reports that it found and is using the .gitleaks.toml at the repo root; with method 2, it reports the path you set in GITLEAKS_CONFIG. If neither message appears, the scan ran with the default configuration and your custom rules were never applied, so this check is worth doing the first time a workflow runs. (The original post shows screenshots of both log messages.)

You may be running Gitleaks on many repos and want a single place to control the configuration used to scan all of them. In that case you can add a run step to the job that downloads your central config file so that Gitleaks-Action picks it up. For example, this step downloads a config file to the repo root directory and names it .gitleaks.toml:

  - run: wget -O .gitleaks.toml https://raw.githubusercontent.com/zricethezav/gitleaks/master/config/gitleaks.toml

Note that this fetches whatever is on the master branch at the moment the job runs, so a change there (including one that weakens or disables a rule) reaches every repo on its next push. For a central config your organization controls, prefer a URL that points at a tag or commit SHA in your own repo rather than a moving branch, and review changes to that file as carefully as you would review a change to the workflow itself.

Putting it all together:

name: gitleaks-action
on: [pull_request, push, workflow_dispatch]
jobs:
  scan:
    name: gitleaks-action
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      # Download the central config to the repo root; the file name .gitleaks.toml
      # is what Gitleaks-Action looks for automatically.
      - run: wget -O .gitleaks.toml https://raw.githubusercontent.com/zricethezav/gitleaks/master/config/gitleaks.toml
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

Now you can change your config in one central place and those changes will be picked up by all the Gitleaks-Actions workflows that use it.

Your organization may have a central Gitleaks configuration full of rules that are required to run on all repos, but there might also be some repos that have specific rules. For example, your organization might rely heavily on a few different API providers, but there is only one repo that uses the PlanetScale API. In that case, you can use the wget method above to pull down a central config and extend it with a repo-specific config that contains an [extend] table.

See this repo for an example.

The workflow definition contains this run step:

  - run: wget -O central-gitleaks.toml https://raw.githubusercontent.com/whoopsify/.github/main/.gitleaks.toml

This step downloads a central config from the organization’s .github repo and saves it to the repo root as central-gitleaks.toml.

Meanwhile, the repo root already contains a repo-specific config called .gitleaks.toml, which, as described above, is automatically picked up by Gitleaks-Action.

This repo-specific config contains an [extend] table pointing to the central config that was downloaded using wget:

[extend]
path = "central-gitleaks.toml"

This tells Gitleaks that the rules in .gitleaks.toml should extend the rules in central-gitleaks.toml.


Now you have a repo-specific configuration that extends a central configuration.

Note that you can also extend the default Gitleaks configuration (which is updated every week or so with new rules) by setting the useDefault flag in your repo’s configuration:

[extend]
useDefault = true

This tells Gitleaks to treat the current config file as an extension of the default Gitleaks configuration file. Since Gitleaks-Action always runs the latest (or near-latest) release of Gitleaks, the default config it extends is always recent. The flip side is that a new default rule can start reporting findings in a repo whose own config has not changed, so expect the occasional new finding after a Gitleaks release and handle it with an allowlist entry rather than by dropping useDefault.
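Putting the pieces above together, here is an added example of a complete repo-specific .gitleaks.toml; it is written for this page and is not code from the post or from the Gitleaks project. It extends the central config downloaded by the workflow and adds one rule for a hypothetical internal token format (exmpl_ followed by 32 hex characters), which stands in for the vendor-specific secret, such as the PlanetScale API key mentioned above, that only one repo needs. The token format, rule id, tag names and allowlisted paths are assumptions for illustration; the table and key names are the ones Gitleaks reads.

```toml
# .gitleaks.toml at the repo root; Gitleaks-Action loads it automatically.
# Added example, not the Gitleaks project's own config. The "exmpl_" token
# format below is hypothetical and exists only to show the rule schema.
title = "repo-specific config extending the central org config"

[extend]
# Layer this file on top of the central config the workflow downloaded.
# To layer it on top of the default Gitleaks config instead, replace the
# path line with:  useDefault = true
path = "central-gitleaks.toml"

[[rules]]
id = "example-internal-api-token"
description = "Hypothetical internal API token (exmpl_ + 32 hex chars)"
# Go regexp syntax; the whole match is treated as the secret.
regex = '''\bexmpl_[0-9a-f]{32}\b'''
# Cheap substring pre-filter: the regex only runs on content containing it.
keywords = ["exmpl_"]
# Minimum Shannon entropy of the match; a real 32-hex token is close to 4.0,
# while padded or repeated placeholder values fall well below this.
entropy = 3.0
tags = ["key", "internal"]

  [rules.allowlist]
  # Per-rule allowlist: skip the documented placeholder and test fixtures.
  regexes = ['''exmpl_0{32}''']
  paths = ['''^tests/fixtures/''']

[allowlist]
description = "Global allowlist, applied to inherited and local rules alike"
paths = ['''(.*?)(png|jpg|gif|pdf)$''', '''^vendor/''']
# Matches containing these words are dropped regardless of rule.
stopwords = ["example", "placeholder"]
```

Before committing a config like this, run Gitleaks locally against the same file (gitleaks detect -c .gitleaks.toml): a TOML syntax error or an invalid regex is reported when the config is loaded, which is far cheaper to discover on your machine than in a failed CI run across every repo that shares the central config.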

You should now have enough information to configure your GitHub organization with secret scanning. Whether you want a custom configuration for every repo, a central configuration shared by many repos, or a repo-specific configuration that extends a central one, we've got you covered. If you have any questions feel free to contact us at https://gitleaks.io/contact.html or open an issue on one of our repos (https://github.com/zricethezav/gitleaks and https://github.com/gitleaks/gitleaks-action).


FAQs

How to fix git leaks? ›

Step by step guide to remediate a leak:
  1. Revoke the exposed secret. Treat it as compromised the moment it lands in a commit, even in a private repo.
  2. Clean the git history. Rewriting history removes the secret from the repo, but existing clones, forks and CI caches may still hold it, which is why revocation comes first.
  3. Inspect logs for any use of the secret between exposure and revocation.

How to ignore gitleaks? ›

False positive findings can be ignored by creating a .gitleaksignore file at the root of your repo. Each line holds the fingerprint of a finding, as printed in the Gitleaks report, that should be ignored, for example a known placeholder value that a developer intentionally keeps in the codebase.

What is gitleaks toml file? ›

gitleaks.toml is the Gitleaks configuration file. It defines the detection rules ([[rules]] tables, each with an id, description and regex, and optionally entropy, keywords and a per-rule allowlist), a global [allowlist], and an optional [extend] table that layers the file on top of another configuration. A file named .gitleaks.toml at the root of a repo is picked up automatically.

How to install gitleaks? ›

Gitleaks can be installed using Homebrew, Docker, or Go. Gitleaks is also available in binary form for many popular platforms and OS types on the releases page. In addition, Gitleaks can be implemented as a pre-commit hook directly in your repo or as a GitHub action using Gitleaks-Action.

What are the secrets exposed in GitHub? ›

The exposed secrets include account passwords, API keys, TLS/SSL certificates, encryption keys, cloud service credentials, OAuth tokens, and other sensitive data that could give external actors access to private resources and services, leading to data breaches and financial damage.

What is a high entropy secret? ›

Entropy is a concept used to assign a numerical score to how unpredictable a password is or the likelihood of highly random data in a string of characters. Strings with a high entropy score are flagged as suspected secrets.


Is Gitleaks good? ›

Gitleaks is a completely free and open source command line tool. Gitleaks is great if you are a solo dev wanting to ensure either no secrets are in your repository or that no new secrets ever enter your repository.

What is the purpose of Gitleaks? ›

Gitleaks is a free and open-source tool that helps developers detect secrets like API keys and passwords in their git repositories, both before a push (as a pre-commit hook) and after (in CI or ad hoc scans of history).


Is gitleaks free? ›

Obtaining a Gitleaks-Action License

If you are scanning repos that belong to a GitHub personal account, then no license key is required. If you are scanning repos that belong to a GitHub organization account, then you'll have to obtain a free license below.


What is gitrob? ›

Gitrob is a tool to help find potentially sensitive files pushed to public repositories on GitHub. Gitrob will clone repositories belonging to a user or organization down to a configurable depth, iterate through the commit history, and flag files that match signatures for potentially sensitive files.

What is secret scanning in GitHub? ›

Secret scanning is a security feature that helps detect and prevent the accidental inclusion of sensitive information such as API keys, passwords, tokens, and other secrets in your repository.

