This project implements a GitLab CI/CD template to detect and prevent hardcoded secrets in your
Git repository with [Gitleaks](https://github.com/zricethezav/gitleaks/wiki).
## Usage
This template can be used both as a [CI/CD component](https://docs.gitlab.com/ci/components/#use-a-component)
```yaml
variables:
  GITLEAKS_ARGS: "--no-banner" # ⚠ this is only an example
```
## Understand
Gitleaks performs static analysis of your Git repository to find hardcoded secrets such as passwords, API keys, tokens, and other sensitive information.
It will scan commit history to identify secrets in previous versions of files as well as in the current codebase.
- When run on merge requests, Gitleaks will run a quick analysis of added commits (i.e. the diff).
- When run on branches, Gitleaks will run an analysis of all commits in the branch.
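The two scan modes above come down to how the commit range is handed to Gitleaks. The following POSIX shell script is an added example, not the template's own job script: it picks the scope from GitLab's predefined `CI_PIPELINE_SOURCE` and `CI_MERGE_REQUEST_DIFF_BASE_SHA` variables and assumes a Gitleaks v8 binary that accepts `detect --log-opts`. The `GITLEAKS_ARGS` handling (appended verbatim to the command) is also an assumption about how such a variable is used.

```shell
#!/bin/sh
# Added example, not the template's own script: choose the Gitleaks scan scope
# from GitLab CI variables, mirroring the two modes described above.
# Assumptions: GitLab's predefined CI_PIPELINE_SOURCE and
# CI_MERGE_REQUEST_DIFF_BASE_SHA variables, and a Gitleaks v8 binary that
# understands `detect --log-opts`.

# Print the extra argument that restricts the scan to the merge request's
# added commits, or nothing for a full-branch scan.
#   $1  CI_PIPELINE_SOURCE             (merge_request_event, push, ...)
#   $2  CI_MERGE_REQUEST_DIFF_BASE_SHA (set only in merge request pipelines)
gitleaks_scope_args() {
  if [ "$1" = "merge_request_event" ] && [ -n "$2" ]; then
    # Merge request: only the commits added on top of the target branch.
    printf '%s' "--log-opts=${2}..HEAD"
  else
    # Branch pipeline: every commit reachable from the checked-out HEAD.
    printf ''
  fi
}

# Assemble and print the full command line for a given context (dry run).
# GITLEAKS_ARGS, if set, is appended unsplit-quoted so several flags can be
# passed, the assumed behaviour of the variable shown in the usage section.
gitleaks_command() {
  scope=$(gitleaks_scope_args "$1" "$2")
  set -- detect --source . --redact ${GITLEAKS_ARGS:-}
  if [ -n "$scope" ]; then set -- "$@" "$scope"; fi
  printf 'gitleaks'
  for arg in "$@"; do printf ' %s' "$arg"; done
  printf '\n'
}

# Run the scan for real. The commit range only works if the base commit is
# present in the clone: with a shallow clone (GIT_DEPTH) it may be missing,
# so fall back to a full scan rather than silently scanning nothing.
run_gitleaks() {
  base="${CI_MERGE_REQUEST_DIFF_BASE_SHA:-}"
  if [ -n "$base" ] && ! git cat-file -e "$base^{commit}" 2>/dev/null; then
    echo "base commit $base not in clone, falling back to a full scan" >&2
    base=''
  fi
  scope=$(gitleaks_scope_args "${CI_PIPELINE_SOURCE:-push}" "$base")
  set -- detect --source . --redact ${GITLEAKS_ARGS:-}
  if [ -n "$scope" ]; then set -- "$@" "$scope"; fi
  echo "+ gitleaks $*"
  gitleaks "$@"
}

# Demonstration with constructed values (no gitleaks binary needed):
gitleaks_command merge_request_event 0123456789abcdef0123456789abcdef01234567
gitleaks_command push ''
```

The fallback in `run_gitleaks` matters for the merge request mode: if the base commit is absent from a shallow clone, a `base..HEAD` range can resolve to nothing, and a scan that finds nothing looks identical to a clean one.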
### Dealing with findings
If Gitleaks finds hardcoded secrets, the job will fail and the findings will be displayed in the job log.
You should review the findings and take appropriate actions such as rotating the exposed secrets and storing new ones outside of the codebase (e.g. using project variables).
We recommend against rewriting Git history to remove the secrets that were already pushed, as this can cause issues for collaborators and does not prevent future leaks.
Once the secrets have been rotated or confirmed as false positives, you can mark the findings as resolved by adding a [`.gitleaksignore` file](https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore) to your repository. It should contain one fingerprint per line as reported in the job log.
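To show how the fingerprints reported in the job log end up in `.gitleaksignore`, here is an added POSIX shell example (not part of the template). It assumes Gitleaks v8's default text output, in which each finding carries a `Fingerprint: <commit>:<file>:<rule-id>:<line>` line; the job log excerpt and the pre-existing ignore file it operates on are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the template: collect the fingerprints Gitleaks
# prints in the job log and add the ones not yet listed to .gitleaksignore.
# Assumes Gitleaks v8 text output, where each finding carries a
# "Fingerprint: <commit>:<file>:<rule-id>:<line>" line.

# Print every distinct fingerprint found in a saved job log ($1).
extract_fingerprints() {
  sed -n 's/^Fingerprint:[[:space:]]*//p' "$1" | sort -u
}

# Append fingerprints from the log ($1) to the ignore file ($2), skipping
# entries already present so the file stays free of duplicates.
# Only do this once each secret has been rotated or the finding confirmed
# as a false positive: an ignored fingerprint is never reported again.
merge_gitleaksignore() {
  [ -f "$2" ] || : > "$2"
  extract_fingerprints "$1" | while IFS= read -r fp; do
    grep -qxF "$fp" "$2" || printf '%s\n' "$fp" >> "$2"
  done
}

# Constructed sample data standing in for a real job log and ignore file.
WORK=$(mktemp -d)
SAMPLE_LOG="$WORK/job.log"
SAMPLE_IGNORE="$WORK/.gitleaksignore"
cat > "$SAMPLE_LOG" <<'EOF'
Finding:     AWS_KEY = "AKIAREDACTEDREDACTED"
Secret:      REDACTED
RuleID:      aws-access-token
File:        config/settings.py
Line:        12
Commit:      0123456789abcdef0123456789abcdef01234567
Fingerprint: 0123456789abcdef0123456789abcdef01234567:config/settings.py:aws-access-token:12

Finding:     hook = "https://hooks.slack.com/services/REDACTED"
Secret:      REDACTED
RuleID:      slack-webhook-url
File:        deploy/notify.sh
Line:        3
Commit:      89abcdef0123456789abcdef0123456789abcdef
Fingerprint: 89abcdef0123456789abcdef0123456789abcdef:deploy/notify.sh:slack-webhook-url:3
EOF
# The first finding was already triaged and listed in an earlier pipeline.
printf '%s\n' '0123456789abcdef0123456789abcdef01234567:config/settings.py:aws-access-token:12' > "$SAMPLE_IGNORE"

merge_gitleaksignore "$SAMPLE_LOG" "$SAMPLE_IGNORE"
cat "$SAMPLE_IGNORE"   # two lines: the existing entry plus the Slack webhook finding
```

Because a fingerprint includes the commit hash, the same secret reintroduced in a later commit gets a new fingerprint and is reported again; the ignore file only silences the specific occurrences you have actually dealt with.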
## `gitleaks` jobs configuration
Those jobs trigger a Gitleaks analysis (either on the complete repository or on the current branch).