Monitoring Git Leaks in Travis

Recently, we’ve wanted to add Gitleaks scanning to our repos to keep on top of any potential security issues. I checked out a number of tools such as detect-secrets and trufflehog, but eventually I decided to use Gitleaks as its output format was fairly CI-friendly.

There is already a CI version of Gitleaks, but it uses a stripped-down version of Gitleaks with basic regexes. I wanted to use the fully-fledged version, which is updated a bit more regularly. Additionally, with the CI version you had to configure a few environment variables, which I didn’t want to do for every single repository.

Since there was not much documentation on how to use it in CI, I decided to post this blog.

Simply add this script in /.ci/. It will only audit the current commit in the local repo.


#!/bin/bash
# Travis sets TRAVIS_PULL_REQUEST to the string "false" on push builds, so a non-empty check alone is not enough
if [ -n "$TRAVIS_PULL_REQUEST" ] && [ "$TRAVIS_PULL_REQUEST" != "false" ]; then
    # Mount point for the checkout inside the container (assumed definition; the post never defines REPO_SLUG)
    REPO_SLUG="/$TRAVIS_REPO_SLUG"
    # Audit the current commit for secrets; gitleaks exits non-zero on a finding, which fails the build
    docker run --rm --name=gitleaks -v "$PWD:$REPO_SLUG" zricethezav/gitleaks -v --repo-path="$REPO_SLUG" --commit="$TRAVIS_COMMIT"
fi

Next, add this to your .travis.yml. Alternatively, just add it as an additional “script” entry if you don’t want separate stages.

jobs:
  include:
    - stage: Leaks
      language: generic
      script:
        - "./.ci/"

Additionally, list docker under services in the .travis.yml so the Gitleaks container can run.
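A fuller version of the .ci script, added here as an example rather than taken from the post: it gates the scan on a real pull request build (Travis sets TRAVIS_PULL_REQUEST to the literal "false" on push builds), derives the container mount point from TRAVIS_REPO_SLUG because the post never defines REPO_SLUG, and keeps the decision and argument-building logic in functions that can be exercised without Docker. GITLEAKS_IMAGE and the "run" argument are assumptions of this example, not part of the original post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes Travis's TRAVIS_PULL_REQUEST,
# TRAVIS_REPO_SLUG and TRAVIS_COMMIT variables; GITLEAKS_IMAGE is a hypothetical override.
set -eu

# Travis sets TRAVIS_PULL_REQUEST to the PR number on pull request builds and to
# the string "false" on push builds, so an empty-string test alone is not enough.
is_pull_request_build() {
    case "${1:-}" in
        ""|false) return 1 ;;
        *)        return 0 ;;
    esac
}

# Build the gitleaks argument list for one commit, one argument per line.
# Mount point and commit are parameters so this can be checked without Docker.
gitleaks_args() {
    mount_point="$1"
    commit="$2"
    printf '%s\n' "-v" "--repo-path=$mount_point" "--commit=$commit"
}

run_gitleaks_scan() {
    if ! is_pull_request_build "${TRAVIS_PULL_REQUEST:-}"; then
        echo "Not a pull request build; skipping Gitleaks audit"
        return 0
    fi
    # Mount the checkout under a path named after the repo, e.g. /owner/name.
    mount_point="/${TRAVIS_REPO_SLUG:-repo}"
    # Pin a specific image tag in practice rather than relying on the default tag.
    image="${GITLEAKS_IMAGE:-zricethezav/gitleaks}"
    echo "Auditing PR #$TRAVIS_PULL_REQUEST commit ${TRAVIS_COMMIT:?TRAVIS_COMMIT is not set}"
    # gitleaks exits non-zero when it finds a leak, which fails the Travis job.
    # shellcheck disable=SC2046
    docker run --rm --name=gitleaks -v "$PWD:$mount_point" "$image" \
        $(gitleaks_args "$mount_point" "$TRAVIS_COMMIT")
}

# Only start the scan when invoked with "run", so the helpers can be sourced and tested.
if [ "${1:-}" = "run" ]; then
    run_gitleaks_scan
fi
```

Invoke the script under .ci/ with the single argument run from the Travis script entry; without it, the file only defines the functions.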

That’s it! Tweet me @joshghent if you have any problems.