Gitleaks for Secret Scanning The Repositories

GitLeaks is an open-source tool designed to scan git repositories for sensitive data leakage.

GitLab CI/CD is a platform used to automate the building, testing, and deployment of applications.

In this blog, we will discuss how to implement GitLeak scanning from GitLab CI/CD pipeline.

Environment is:

  • GitLab Online
  • Gitlab Runner on Windows Server 2016/2019

Before going further, you should be aware how to download/Clone multiple projects from gitlab, follow the below blogpost:

GIT – How to Clone Multiple Projects | Tech Wizard

Install GITleaks on your windows runner machine

https://github.com/zricethezav/gitleaks

To install gitleaks directly on a Windows runner, follow these steps:

  • Download the latest version of Go: Go can be downloaded from the official website at https://golang.org/dl/.
  • Install Go on your Windows runner: Follow the installation instructions provided on the Go website to install Go on your Windows runner.
  • Download the source code for gitleaks: You can download the source code for gitleaks from the GitHub repository at https://github.com/zricethezav/gitleaks.
  • Build gitleaks: Open a command prompt, navigate to the directory where you have downloaded the source code for gitleaks, and run the following command:

go build

Now, next step is to create a GITlab CICD pipleline.

GO TO PROJECT à CICD Pipeline EDITOR


  • stage: test: This specifies the name of the stage in the CI/CD pipeline, which is ‘test’ in this case. The ‘test’ stage is commonly used to perform automated tests on the code.
  • only: main: This specifies that this stage should only be run when the branch being tested is ‘main’.
  • script: This specifies the commands that will be run in this stage.
  • $smtpserver = $env:CI_SMTP_Server: This sets the SMTP server to be used for sending the email by retrieving it from an environment variable named ‘CI_SMTP_Server’.
  • $from = $env:CI_Sender_Address: This sets the sender email address to be used for the email by retrieving it from an environment variable named ‘CI_Sender_Address’.
  • $erroremail = $env:CI_RCPT_TO: This sets the recipient email address for the email by retrieving it from an environment variable named ‘CI_RCPT_TO’.
  • cd $env:CI_Ghorg: This changes the current directory to the path specified in the ‘CI_Ghorg’ environment variable.(Path where ghorg is present on your windows server)
  • .\ghorg.exe clone 123456 –base-url=https://gitlab.com –scm=gitlab –token=$env:CI_Ghorg_Token –preserve-dir –path $env:CI_Secret_Scan:

    This runs a command to clone a GitLab repository using ‘ghorg.exe’ and store it in a directory specified by the ‘CI_Secret_Scan’ environment variable. It also passes the repository URL, access token, and other parameters as arguments.

  • cd $env:CI_Gitleaks: This changes the current directory to the path specified in the ‘CI_Gitleaks’ environment variable.
  • .\gitleaks.exe detect -s $env:CI_Secret_Scan -r $env:CI_Scan_Report -f csv –no-git –exit-code 0:

    This runs a command to scan the cloned GitLab repository for secret leaks using ‘gitleaks.exe’ and store the scan report in a file specified by the ‘CI_Scan_Report’ environment variable. It also specifies the file format, enables non-git repository scanning, and sets the exit code to ‘0’ (i.e., success).

  • Send-MailMessage -SmtpServer $smtpserver -From $from -To $erroremail -Subject “Secret Scan – Report” -body “Git Leaks” -Attachments $env:CI_Scan_Report:

    This sends an email with the scan report as an attachment using the ‘Send-MailMessage’ command. It specifies the SMTP server, sender and recipient email addresses, subject, and body of the email, as well as the scan report file as an attachment.

  • artifacts: when: always: This specifies that the artifacts (i.e., files generated during the CI/CD process) should always be saved, regardless of whether the stage succeeds or fails.
  • tags: – GitlabRunner1: This specifies that this stage should only be run on GitLab Runner with the tag ‘GitlabRunner1’.

Now you can Schedule this PIPELINE to run weekly, and it will scan all the projects inside your root group.


You will receive a report of CSV files with the Secrets detected after that scan.


 

Thanks for reading…

Tech Wizard

https://techwizard.cloud

https://syscloudpro.com/

PowerShell Fast Track

 

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s