Skip to content

Easy Deploy GitLeaks

  • by

Gitleaks is a tool for finding sensitive information accidentally committed to a git repository. To set it up, you will need to install it on your system. Here’s how to do that:

  1. Install go if you don’t have it already. You can do this by following the instructions on the Go website (https://golang.org/doc/install).
  2. Clone the gitleaks repository from GitHub by running the following command:
Copy code
git clone <https://github.com/zricethezav/gitleaks.git>

3. Change into the gitleaks directory and install the dependencies by running the following commands:

Copy code
cd gitleaks
go get -v -t -d ./...

4. Build the gitleaks binary by running the following command:

Copy code
go build

5. Once the build is complete, you should have a gitleaks binary in your gitleaks directory. You can run it by running the following command:

Copy code
./gitleaks

To run gitleaks on a specific repository, you can use the -repo flag followed by the URL of the repository you want to scan, like this:

Copy code
./gitleaks --repo <https://github.com/my-user/my-repo.git>

To see all of the available options for running gitleaks, you can use the -help flag, like this:

Copy code
./gitleaks --help

Scan through organisation

To scan an entire organization using gitleaks, you will first need to set up a gitleaks configuration file. This file specifies the settings for your scan, such as the organization to scan, the repositories to include or exclude, and any keywords or regular expressions to search for.

Here’s an example gitleaks configuration file that you can use to scan an organization:

Copy code
---
# This is the base URL for the GitHub API. You should not need to change this.
api: <https://api.github.com>

# This is the name of the organization you want to scan.
org: my-organization

# This is the list of repositories to include in the scan. If left empty, all repositories in the organization will be scanned.
# You can use wildcards to match multiple repositories. For example, "*" will match all repositories, and "repo-*" will match
# all repositories whose names start with "repo-".
include:
  - repo-1
  - repo-2

# This is the list of repositories to exclude from the scan. If a repository is both included and excluded, it will be excluded.
# You can use wildcards to match multiple repositories, just like with the include list.
exclude:
  - *-test
  - *-staging

# This is a list of keywords and regular expressions to search for in the repository.
# Keywords are matched case-insensitively, and regular expressions are matched using the Go regexp syntax (<https://golang.org/pkg/regexp/syntax/>).
# Any sensitive information found in the repository that matches one of these patterns will be reported as a leak.
patterns:
  - password
  - secret
  - "private key"
  - "(?i)access token"

Once you have created your configuration file, you can run gitleaks using the --config flag followed by the path to your configuration file, like this:

Copy code
./gitleaks --config /path/to/gitleaks.yml

This will run gitleaks using the settings specified in your configuration file, scanning the specified organization and repositories for sensitive information.

I hope this helps! Let me know if you have any other questions.