Recently, we've wanted to add Gitleaks scanning to our repos to keep on top of any potential security issues. I checked out a number of tools such as detect-secrets and trufflehog, but eventually I decided to use Gitleaks as its output format was fairly CI-friendly.
There is already a CI version of Gitleaks, but it uses a stripped-down build of Gitleaks with only basic regexes. I wanted to use the fully-fledged version, which is updated a bit more regularly. Additionally, the CI version required configuring a few environment variables, which I didn't want to do for every single repository.
Since there was not much documentation on how to use it in CI, I decided to post this blog.
Simply add this script as /.ci/leaks.sh in your repository.
This will only audit the current commit in the local repo.
#!/bin/bash
# TRAVIS_PULL_REQUEST is set on every Travis build (it is "false" outside pull
# requests), so this guard only skips the scan when run outside Travis.
if [ -n "$TRAVIS_PULL_REQUEST" ]; then
    REPO_SLUG="/${TRAVIS_REPO_SLUG}"
    # Mount the checkout into the container and audit the current commit for secrets
    docker run --rm --name=gitleaks -v "$PWD:$REPO_SLUG" zricethezav/gitleaks -v --repo-path="$REPO_SLUG" --commit="$TRAVIS_COMMIT"
fi
Next, add this to your .travis.yml. Alternatively, just add it as an additional "script" entry if you don't want to use separate stages.
- stage: Leaks
  language: generic
  script:
    - "./.ci/leaks.sh"
Additionally, add docker as a new service in the .travis.yml.
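Putting the two fragments together, this is what the resulting .travis.yml looks like with both the Leaks stage and the docker service. It is an assembled example added here, not a file from the original post; it assumes the stage entry lives under the jobs: include: key, which is where Travis build stages are declared.

```yaml
# Assembled example (not from the original post): one .travis.yml combining
# the docker service and the Leaks stage that runs .ci/leaks.sh.
services:
  - docker

jobs:
  include:
    # The stage entry from the post, placed under jobs.include where Travis
    # expects build stages to be declared.
    - stage: Leaks
      language: generic
      script:
        - "./.ci/leaks.sh"
```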
That's it! Tweet me @joshghent if you have any problems.