Gitleaks for Secret Scanning The Repositories

GitLeaks is an open-source tool designed to scan git repositories for sensitive data leakage.

GitLab CI/CD is a platform used to automate the building, testing, and deployment of applications.

In this blog, we will discuss how to implement GitLeak scanning from GitLab CI/CD pipeline.

Environment is:

GitLab Online
Gitlab Runner on Windows Server 2016/2019

Before going further, you should be aware how to download/Clone multiple projects from gitlab, follow the below blogpost:

GIT – How to Clone Multiple Projects | Tech Wizard

Install GITleaks on your windows runner machine

https://github.com/zricethezav/gitleaks

To install gitleaks directly on a Windows runner, follow these steps:

Download the latest version of Go: Go can be downloaded from the official website at https://golang.org/dl/.
Install Go on your Windows runner: Follow the installation instructions provided on the Go website to install Go on your Windows runner.
Download the source code for gitleaks: You can download the source code for gitleaks from the GitHub repository at https://github.com/zricethezav/gitleaks.
Build gitleaks: Open a command prompt, navigate to the directory where you have downloaded the source code for gitleaks, and run the following command:

go build

Now, next step is to create a GITlab CICD pipleline.

GO TO PROJECT à CICD Pipeline EDITOR

stage: test: This specifies the name of the stage in the CI/CD pipeline, which is ‘test’ in this case. The ‘test’ stage is commonly used to perform automated tests on the code.
only: main: This specifies that this stage should only be run when the branch being tested is ‘main’.
script: This specifies the commands that will be run in this stage.
$smtpserver = $env:CI_SMTP_Server: This sets the SMTP server to be used for sending the email by retrieving it from an environment variable named ‘CI_SMTP_Server’.
$from = $env:CI_Sender_Address: This sets the sender email address to be used for the email by retrieving it from an environment variable named ‘CI_Sender_Address’.
$erroremail = $env:CI_RCPT_TO: This sets the recipient email address for the email by retrieving it from an environment variable named ‘CI_RCPT_TO’.
cd $env:CI_Ghorg: This changes the current directory to the path specified in the ‘CI_Ghorg’ environment variable.(Path where ghorg is present on your windows server)
.\ghorg.exe clone 123456 –base-url=https://gitlab.com –scm=gitlab –token=$env:CI_Ghorg_Token –preserve-dir –path $env:CI_Secret_Scan:

This runs a command to clone a GitLab repository using ‘ghorg.exe’ and store it in a directory specified by the ‘CI_Secret_Scan’ environment variable. It also passes the repository URL, access token, and other parameters as arguments.
cd $env:CI_Gitleaks: This changes the current directory to the path specified in the ‘CI_Gitleaks’ environment variable.
.\gitleaks.exe detect -s $env:CI_Secret_Scan -r $env:CI_Scan_Report -f csv –no-git –exit-code 0:

This runs a command to scan the cloned GitLab repository for secret leaks using ‘gitleaks.exe’ and store the scan report in a file specified by the ‘CI_Scan_Report’ environment variable. It also specifies the file format, enables non-git repository scanning, and sets the exit code to ‘0’ (i.e., success).
Send-MailMessage -SmtpServer $smtpserver -From $from -To $erroremail -Subject “Secret Scan – Report” -body “Git Leaks” -Attachments $env:CI_Scan_Report:

This sends an email with the scan report as an attachment using the ‘Send-MailMessage’ command. It specifies the SMTP server, sender and recipient email addresses, subject, and body of the email, as well as the scan report file as an attachment.
artifacts: when: always: This specifies that the artifacts (i.e., files generated during the CI/CD process) should always be saved, regardless of whether the stage succeeds or fails.
tags: – GitlabRunner1: This specifies that this stage should only be run on GitLab Runner with the tag ‘GitlabRunner1’.