
Easy Deploy GitLeaks

Gitleaks is a tool for finding secrets (API keys, tokens, passwords, private keys) that have been committed to a git repository, including in old commits whose content was later "removed" from the working tree. The quickest way to get it is a prebuilt release (brew install gitleaks, or the binaries and Docker image published at https://github.com/gitleaks/gitleaks/releases). To build it from source:

1. Install Go if you don't have it already, following the instructions on the Go website (https://golang.org/doc/install).
2. Clone the gitleaks repository from GitHub (the older zricethezav/gitleaks URL redirects to the same repository):

git clone https://github.com/gitleaks/gitleaks.git

3. Change into the gitleaks directory. Gitleaks is a Go module, so its dependencies are fetched automatically on the first build; to fetch them up front run:

cd gitleaks
go mod download

4. Build the gitleaks binary:

go build

(The repository's Makefile target, make build, does the same and also stamps the release version into the binary.)

5. Once the build is complete, you should have a gitleaks binary in your gitleaks directory. Check that it runs with:

./gitleaks version

Gitleaks scans a local clone, not a remote URL. To scan a repository, clone it and point gitleaks at the working copy (its full git history is read) with the detect command; on newer releases gitleaks git <path> is the equivalent. -v prints each finding, --redact masks the secret itself in that output, and the exit code is 1 when any leak was found, which is what makes it usable as a CI gate:

git clone https://github.com/my-user/my-repo.git
./gitleaks detect --source my-repo -v --redact

To see all of the available options, use the --help flag on the command you are interested in:

./gitleaks --help
./gitleaks detect --help

Scan through organisation

Gitleaks itself does not know about GitHub organisations: it scans one local repository (or directory) at a time. Scanning an organisation therefore has two parts: enumerate its repositories (for example with the GitHub CLI, gh repo list ORG) and clone each one, then run gitleaks against each clone. Which repositories to include or exclude is decided at that enumeration step, not in the gitleaks configuration file.

What the configuration file controls is what counts as a leak. It is TOML, not YAML, and is conventionally named .gitleaks.toml. Each [[rules]] entry has an id, a description and a regex in Go regular expression syntax (https://golang.org/pkg/regexp/syntax/); the optional keywords are case-insensitive substrings that must appear in a file before the regex is tried at all, which keeps large scans fast. [extend] with useDefault = true pulls in gitleaks' built-in rule set so your rules add to it rather than replace it, and [allowlist] suppresses known false positives by file path or by a regex over the match.

Here is an example .gitleaks.toml covering the same four patterns (password, secret, private key, access token) the original scan was meant to look for:

title = "my-organization gitleaks config"

[extend]
# Start from the built-in rules and add the ones below.
useDefault = true

[[rules]]
id = "org-password-assignment"
description = "Password assigned in source or config"
regex = '''(?i)password\s*[:=]\s*['"][^'"]{6,}['"]'''
keywords = ["password"]

[[rules]]
id = "org-secret-assignment"
description = "Secret assigned in source or config"
regex = '''(?i)secret\s*[:=]\s*['"][^'"]{6,}['"]'''
keywords = ["secret"]

[[rules]]
id = "org-private-key"
description = "PEM private key block"
regex = '''-----BEGIN [A-Z ]*PRIVATE KEY-----'''
keywords = ["private key"]

[[rules]]
id = "org-access-token"
description = "Access token assigned in source or config"
regex = '''(?i)access[_ -]?token\s*[:=]\s*['"][^'"]{8,}['"]'''
keywords = ["access"]

[allowlist]
# Never reported: test fixtures, lock files, and an obvious placeholder value.
paths = ['''(^|/)testdata/''', '''\.lock$''']
regexes = ['''EXAMPLE_PLACEHOLDER''']

Once you have created the configuration file, run gitleaks against a clone with the --config flag (a file named .gitleaks.toml in the root of the scanned directory is picked up automatically; --config overrides it):

./gitleaks detect --source /path/to/clone --config /path/to/.gitleaks.toml --report-format json --report-path report.json

This scans the clone's full history with the built-in rules plus yours and writes the findings to report.json; the exit code is 1 when anything was found. Repeat for each repository produced by the enumeration step.
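Gitleaks scans one local clone at a time, so an organisation sweep is an enumerate-then-scan loop. Here is that loop as a complete script. It is an added example, not code from the gitleaks project or from the original page; it assumes the GitHub CLI (gh) is installed and logged in with a token that can see the organisation's repositories, that gitleaks v8 is on PATH, and that the organisation name and the include/exclude globs are supplied by you ("my-organization" is the page's placeholder). The JSON report at the bottom is constructed, with the finding fields abbreviated and the secrets already redacted, so the report-parsing helpers can be tried without running a scan.

```shell
#!/usr/bin/env bash
# Added example (not from the gitleaks project): scan every repository in a
# GitHub organisation with gitleaks and roll the per-repository JSON reports
# up into one summary. Assumes gh is authenticated and gitleaks v8 is on PATH.
set -u

# Include/exclude lists in the sense the page uses them: shell-style globs
# matched against the repository name, exclusion winning over inclusion.
INCLUDE_GLOBS='*'                 # e.g. 'repo-*' to scan only those
EXCLUDE_GLOBS='*-test *-staging'

# List "owner/name" for every repository the token can see in the
# organisation (needs network access; not exercised offline).
list_org_repos() {
    gh repo list "$1" --limit 1000 --json nameWithOwner --jq '.[].nameWithOwner'
}

# Read "owner/name" lines on stdin and print the ones that survive the lists.
filter_repos() {
    set -f                        # globs are matched by case, never against the filesystem
    while IFS= read -r full; do
        name=${full#*/}
        keep=0
        for g in $INCLUDE_GLOBS; do case "$name" in $g) keep=1 ;; esac; done
        for g in $EXCLUDE_GLOBS; do case "$name" in $g) keep=0 ;; esac; done
        [ "$keep" -eq 1 ] && printf '%s\n' "$full"
    done
    set +f
    return 0
}

# Clone one repository with full history and scan it. gitleaks exits 0 when
# clean and 1 when it found leaks; anything else is a tooling error.
scan_repo() {
    repo=$1; workdir=$2
    dir="$workdir/$(printf '%s' "$repo" | tr '/' '_')"
    git clone --quiet "https://github.com/$repo.git" "$dir" \
        || { echo "clone failed: $repo" >&2; return 2; }
    gitleaks detect --source "$dir" --no-banner --redact \
        --report-format json --report-path "$dir.gitleaks.json"
    rc=$?
    rm -rf "$dir"                 # keep the report, never a pile of cloned secrets
    case $rc in
        0) echo "clean: $repo" ;;
        1) echo "LEAKS: $repo -> $dir.gitleaks.json" ;;
        *) echo "error $rc: $repo" >&2 ;;
    esac
    return $rc
}

# Number of findings across one or more gitleaks JSON reports. Every finding
# object has exactly one "RuleID" key, so counting those needs no jq; an empty
# report is the literal [] and counts as 0.
count_findings() {
    grep -h -o '"RuleID"' "$@" 2>/dev/null | wc -l | tr -d ' '
}

# "rule-id count" per line, most frequent first, from the reports' RuleID values.
summarize_report() {
    grep -h -o '"RuleID": *"[^"]*"' "$@" 2>/dev/null | sed 's/.*: *"\([^"]*\)"/\1/' \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Drive the whole sweep: one report per repository, then an org-wide summary.
scan_org() {
    org=$1; workdir=${2:-$(mktemp -d)}
    list_org_repos "$org" | filter_repos | while IFS= read -r repo; do
        scan_repo "$repo" "$workdir" || true   # one bad repo must not stop the sweep
    done
    echo "total findings in $org: $(count_findings "$workdir"/*.gitleaks.json)"
    summarize_report "$workdir"/*.gitleaks.json
}

# Constructed sample report: three abbreviated findings with secrets redacted,
# so the parsing helpers above can be exercised without a real scan.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
[
 {"Description":"Generic API Key","File":"config/settings.py","Commit":"0123456789abcdef0123456789abcdef01234567","Secret":"REDACTED","RuleID":"generic-api-key","Fingerprint":"0123456789abcdef0123456789abcdef01234567:config/settings.py:generic-api-key:12"},
 {"Description":"Generic API Key","File":"scripts/deploy.sh","Commit":"89abcdef0123456789abcdef0123456789abcdef","Secret":"REDACTED","RuleID":"generic-api-key","Fingerprint":"89abcdef0123456789abcdef0123456789abcdef:scripts/deploy.sh:generic-api-key:3"},
 {"Description":"Private Key","File":"deploy/id_rsa","Commit":"89abcdef0123456789abcdef0123456789abcdef","Secret":"REDACTED","RuleID":"private-key","Fingerprint":"89abcdef0123456789abcdef0123456789abcdef:deploy/id_rsa:private-key:1"}
]
EOF

if [ "${1:-}" = "--org" ]; then
    scan_org "$2" "${3:-}"
fi
```

Run it as ./scan-org.sh --org my-organization [workdir]. The repository-name filtering happens before anything is cloned, which is where the page's include/exclude lists belong: a .gitleaks.toml allowlist only sees file paths inside a repository. Each clone is deleted as soon as its report is written, because a working directory holding every team's leaked credentials is itself a finding waiting to happen; the Fingerprint values in the reports are what you would paste into a .gitleaksignore file once a finding has been triaged.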

Gitleaks using GitHub Actions
https://github.com/gitleaks/gitleaks-action

The official gitleaks-action runs the same scan inside a workflow. The example below (from the action's README) scans on every push and pull request, on manual dispatch, and once a day. fetch-depth: 0 matters: the default shallow checkout would give gitleaks only the latest commit and hide any secret buried further back in history.

name: gitleaks
on:
  pull_request:
  push:
  workflow_dispatch:
  schedule:
    - cron: "0 4 * * *" # run once a day at 4 AM
jobs:
  scan:
    name: gitleaks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} # Only required for Organizations, not personal accounts.

