Protect and discover secrets using Git-leaks

  • Git-leaks is a SAST tool for detecting and preventing hardcoded secrets such as passwords, API keys and tokens in a GitHub repository.
  • Git-leaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.
  • Git-leaks is configured as part of a GitHub Actions workflow for every repository we want to monitor for sensitive secret patterns.

Example of Git-Leaks basic workflow:

[Image: Git-leaks GitHub Actions workflow file]

The above GitHub Actions workflow does a couple of things:

  • It only runs when the repository event is a push (direct commit) to, or a pull request against, the main branch. This is defined in the ‘on’ section of the workflow file.
  • The job runs on the latest Ubuntu environment.
  • The steps defined in the job check out the repository and install Git-leaks.
  • Git-leaks scans the repository; if leaks are present, they are reported in the Actions log and a report artifact is generated at the same time.
  • If required, we can download those reports to identify the leaks in our repository.
  • By using some public actions, you can also generate the report as a comment on the pull request.
  • This is a pretty useful feature for easily identifying secrets or leaks before merging to the main/master branch.
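Because the workflow file is only shown as an image above, here is an added example of a workflow that does what the bullets describe; it is not the post's own file. The release download URL, the pinned version 8.18.4 and the report file name are assumptions to be checked against the Gitleaks releases page.

```yaml
name: gitleaks

# Only on direct pushes to main or pull requests targeting main
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4
        with:
          # Full history so gitleaks can scan past commits, not only the checked-out tree
          fetch-depth: 0

      - name: Install gitleaks
        env:
          GITLEAKS_VERSION: "8.18.4"   # assumed release number; pin the version you validate
        run: |
          set -euo pipefail
          curl -sSL -o gitleaks.tar.gz \
            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          tar -xzf gitleaks.tar.gz gitleaks
          sudo install -m 0755 gitleaks /usr/local/bin/gitleaks
          gitleaks version

      - name: Scan for secrets
        # --redact keeps the secret values themselves out of the Actions log;
        # --exit-code 1 fails the job when a leak is found
        run: |
          gitleaks detect --source . --verbose --redact \
            --report-format json --report-path gitleaks-report.json \
            --exit-code 1

      - name: Upload report artifact
        # if: always() uploads the report on failure too, which is when you need it
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: gitleaks-report
          path: gitleaks-report.json
```

A secret that has already reached a commit or a log should be treated as exposed and rotated, even after the file or history is cleaned.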

Results:

Git-leaks Actions log Report:

  • From the GitHub Actions live logs, you can see something like this if no leaks are detected:

[Image: log-report]

Git-leaks report artifact:

Download the reports from GitHub Actions when leaks are present.

[Image: artifact]

Pull Request Comments:

  • The Git-leaks job produces an easy-to-understand report. If no leaks are detected during a pull request, you’ll see:

[Image: Pr-1]

  • If leaks are encountered during a pull request, you’ll see something like this:

[Image: Pr-2]

How to remove detected secrets that are valid:

  • Using the generated artifact report or the pull-request comments, we can identify where the secrets are leaking and simply modify those files to remove the detected secrets.
  • You can also remove the secrets from the repository history by using BFG Repo-Cleaner.

Benefits of using Git-Leaks with GitHub Actions:

  • A pretty useful feature for identifying leaks such as passwords, API keys and tokens in GitHub repos.
  • With GitHub Actions you can also generate the report on the pull request and in the live logs.
  • By using reusable workflows, you can easily trigger it from all your workflows and get the results.
