Who did not once in his/her life commit secrets to the code and instantly regretted it? Well we can use git-hooks to avoid that.

What is it?

Based on Git-hooks - a practical example with tf docs I extended the git-hooks so it check for secrets and aborts the commit if secrets are found. All you neds it After that also install gitleaks, which is a SAST tool for

detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.

Configure pre-commit-hook

I create the following config, which also checks if gitleaks is actually installed, otherwise it skips the step

# @description: Check for secrets in current state and block commit, for secrets in commits only report them
function run_gitleaks() {
    ## skip setp if you add an empty file .skip_gitleaks
    if [[ -f "./.skip_gitleaks" ]]; then
        return
    fi
    if which gitleaks &>/dev/null ; then
        if [[ -z "$GITLEAKS_BASELINE" ]]; then
            GITLEAKS_BASELINE="./.gitleaks-report.json"
        fi
        if [[ -f "$GITLEAKS_BASELINE" ]]; then
            gitleaks detect $BASELINE --baseline-path "$GITLEAKS_BASELINE"
        else
            gitleaks detect -vls
        fi
    fi
}
run_gitleaks

I also added this part

## skip setp if you add an empty file .skip_gitleaks
if [[ -f "./.skip_gitleaks" ]]; then
    return
fi

This allows you do explicitly skip the gitleaks scan, for repositories you don’t want to be scanned - e.g. demo repositories or whatsoever.

Usage

You simply run a git commit or do a commit in your favorite editor. If secrets are detected you might see something like this

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks


Finding:     "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=cafebabe:deadbeef",
Secret:      cafebabe:deadbeef
RuleID:      sidekiq-secret
Entropy:     2.609850
File:        cmd/generate/config/rules/sidekiq.go
Line:        23
Commit:      cd5226711335c68be1e720b318b7bc3135a30eb2
Author:      John
Email:       [email protected]
Date:        2022-08-03T12:31:40Z
Fingerprint: cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:23

Wo what do do if you find secrets?

Verify the secrets

Verify if this is a valid secret you can find details on how in the official docu. Based on the outcome you have the following options:

Remove the secrets

At first try to remove them or encrypt them if possible. If you have secrets in your history and you have admin permissions (or permissions to change main branch) you might also remove secrets from the history, following github - Remove sensitive files and their commits from Git history - Stack Overflow.

Baseline

When scanning large repositories or repositories with a long history, it can be convenient to use a baseline. When using a baseline, gitleaks will ignore any old findings that are present in the baseline. A baseline can be any gitleaks report. To create a gitleaks report, run gitleaks with the --report-path parameter.

gitleaks detect --report-path .gitleaks-report.json

The git-hooks checks for a file .gitleaks-report.json and will automatically use that as a baseline if exists. I believe for convenience you can commit this to your repo, so all developers use the same baseline.

gitleaks:allow

If you are knowingly committing a test secret that gitleaks will catch you can add a gitleaks:allow comment to that line which will instruct gitleaks to ignore that secret. Ex:

class CustomClass:
    discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ'  #gitleaks:allow