Protect and discover secrets using Git-leaks
- Git-leaks is a SAST tool for detecting and preventing hardcoded secrets such as passwords, API keys and tokens in Git repositories (GitHub or otherwise).
- Git-leaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code: it scans the full commit history, not only the current working tree, so a secret that was committed and later deleted is still found.
- Git-leaks would be configured as part of a GitHub Actions workflow in every repository we want to monitor for sensitive secret patterns.
Example of a basic Git-leaks workflow:
A basic GitHub Actions workflow for Git-leaks does a couple of things:
- It runs only when the event is a push (direct commit) to the main branch or a pull request against it. This is defined in the 'on' section of the workflow file.
- The job runs on the latest Ubuntu runner (ubuntu-latest).
- The steps in the job check out the repository and install Git-leaks. The checkout must fetch the full history (fetch-depth: 0 with actions/checkout); the default shallow clone contains only the latest commit, so secrets committed earlier would not be scanned.
- Git-leaks then scans the repository. If leaks are present, it reports them in the Actions log and at the same time generates a report as a workflow artifact.
- If required, those reports can be downloaded to identify the leaks in the repository.
- By using public actions, you can also have the report posted as a comment on the pull request.
- This is a pretty useful feature for catching secrets before they are merged into the main/master branch. Note that a secret flagged on a pull request is already present in the pull-request branch's commits on the remote, so it should be treated as exposed and rotated, not just deleted from the branch.
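The workflow described above, written out as an added example. This is not the page's own workflow file: it uses the official gitleaks/gitleaks-action instead of a manual install step, and the branch name main and the repository secret name GITLEAKS_LICENSE are assumptions.

```yaml
# .github/workflows/gitleaks.yml  (added example, not the page's own file)
name: gitleaks

on:
  push:
    branches: [main]          # direct commits to main
  pull_request:
    branches: [main]          # pull requests targeting main

permissions:
  contents: read              # needed for checkout
  pull-requests: write        # needed so the action can comment on the PR

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Fetch the full history. The default shallow clone (depth 1) only
          # contains the latest commit, so a secret added in an earlier commit
          # and later deleted from the working tree would never be scanned.
          fetch-depth: 0

      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Only required for repositories owned by an organisation account.
          # The repository secret named GITLEAKS_LICENSE is assumed to exist.
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
          GITLEAKS_ENABLE_COMMENTS: "true"         # post findings as a PR comment
          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: "true"  # upload the report as an artifact
          GITLEAKS_ENABLE_SUMMARY: "true"          # add a job summary to the run
```

The action exits non-zero when leaks are found, so the job fails; making this check required in the branch-protection rule for main is what actually blocks the merge. On pull_request events raised from forks the GITHUB_TOKEN is read-only, so the comment cannot be posted, but the log, summary and artifact still carry the findings.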
Git-leaks Actions log Report:
- In the GitHub Actions live logs you can see the scan output; when nothing is found, Git-leaks reports that no leaks were found and the job succeeds.
Git-leaks report artifact:
When leaks are present, the report can be downloaded from the artifacts of the workflow run in GitHub Actions.
Pull Request Comments:
- The pull-request comment is an easy-to-understand report of the Git-leaks job. If no leaks are detected during the pull request, the comment says so.
- If leaks are encountered during a pull request, the comment lists the findings so that the offending commit and file can be located directly from the pull request.
How to remove detected secrets that are genuine:
- Using the generated artifact report or the pull-request comments we can identify where the secrets are leaking and modify the code to remove them. Editing the file only removes the secret from the current tree; it remains in the commit history, and because Git-leaks scans history it will keep reporting it. Rotate the credential first: once it has been pushed it must be treated as compromised, whatever is done to the repository afterwards.
- BFG Repo-Cleaner (or git filter-repo) can be used to purge the secret from the commit history. This rewrites history, so the rewritten branches must be force-pushed and every collaborator must re-clone; the rotation is still required, since clones and forks made before the rewrite keep the old commits. For findings that are false positives (test fixtures, example keys), add the finding's fingerprint to a .gitleaksignore file or an allowlist entry to the .gitleaks.toml configuration instead of rewriting history.
Benefits of using Git-Leaks with GitHub Actions:
- Identifies leaks such as passwords, API keys and tokens in GitHub repositories, including ones buried in earlier commits.
- With GitHub Actions the report is available in the live logs, as a downloadable artifact and as a comment on the pull request.
- By using reusable workflows, the same scan can be called from every repository's workflow with a single job definition, so the configuration is maintained in one place and the results appear in each repository's checks.
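How the scan can be shared across repositories with a reusable workflow, as an added example that is not from the original page. The repository name org-name/security-workflows, the file paths, the job names and the secret name GITLEAKS_LICENSE are hypothetical.

```yaml
# Reusable workflow, kept in one central repository (hypothetical name:
# org-name/security-workflows, file .github/workflows/gitleaks.yml)
name: gitleaks-reusable

on:
  workflow_call:
    secrets:
      GITLEAKS_LICENSE:
        required: false       # only organisation accounts need a licence

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # actions/checkout inside a called workflow checks out the caller's
      # repository, so this one definition scans every repository that calls it.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # full history, not just the latest commit
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

---
# Caller workflow added to each monitored repository
# (hypothetical path .github/workflows/secrets-scan.yml)
name: secrets-scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  gitleaks:
    # Token permissions are decided by the caller; a called workflow can only
    # narrow them, so pull-requests: write must be granted here for PR comments.
    permissions:
      contents: read
      pull-requests: write
    uses: org-name/security-workflows/.github/workflows/gitleaks.yml@main
    secrets: inherit          # passes GITLEAKS_LICENSE from org/repo secrets
```

Pinning the caller to @main means every repository picks up changes to the central workflow immediately; pin to a tag or commit SHA instead if the central repository is writable by people who should not be able to change the scan in all repositories at once.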