pylapp

Some words about secrets leaks in Git repositories

🇺🇸 – Sunday, March 6th 2022

Keywords: #Git, #GitLeaks, #leaks, #secrets, #repository

We all know it can be quite easy to leak secrets or sensitive data in our Git repositories.

In most cases we just acted too fast, or were not aware that we had added such sensitive files or objects to the version control system (VCS): a bad SSH configuration with private or public keys in the VCS tree, API keys hard-coded in variables in the source code, keystore files with credentials in the Gradle files (including alias, key and password of course), IP addresses, sensitive URLs, and so on.

And when we work on public or shared repositories, all that sensitive data is spread outside!

When people are notified of these leaks, they may apply bad patterns to fix them, for example:

  • Make a commit “just to remove the change” (useless, because the Git history still contains the data)
  • Make the project private (bad, because users won't be able to get it any more)
  • Delete the repository (useless if there are forks of it)

One tool that can be useful here is Gitleaks.

Note that Gitleaks looks both in the file tree of the project and in the Git history. That is one reason why we must not make such a “fix commit”: the history keeps traces of what we did and tried to hide.
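To make the difference between a tree-only scan and a history scan concrete (and why the “fix commit” above changes nothing), here is a small added example written for this post, not Gitleaks' own code. It runs two toy rules over a constructed `git log -p` stream and a constructed working tree; the commit hashes, file name and the AWS-style sample key are made up for the demonstration.

```python
import re

# Constructed `git log -p` stream (sample data, not from the original post):
# commit 1a2b... adds a hard-coded AWS key, the later "fix" commit 2b1c... removes it.
SAMPLE_GIT_LOG = """\
commit 2b1c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4
--- a/config.py
+++ b/config.py
@@ -1 +1 @@
-API_KEY = "AKIAIOSFODNN7EXAMPLE"
+API_KEY = os.environ["API_KEY"]
commit 1a2b3c4d5e6f708192a3b4c5d6e7f8a9b0c1d2e3
--- /dev/null
+++ b/config.py
@@ -0,0 +1 @@
+API_KEY = "AKIAIOSFODNN7EXAMPLE"
"""
# Working tree at HEAD, i.e. after the "fix" commit (constructed to match the log).
HEAD_TREE = {"config.py": 'import os\nAPI_KEY = os.environ["API_KEY"]\n'}

# Two illustrative rules; a real scanner such as Gitleaks ships many more.
RULES = {
    "aws-access-key-id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def scan_tree(files):
    """Tree-only scan over {path: contents}: sees only what is checked out now."""
    return [{"rule": rule, "file": path, "match": m.group()}
            for path, text in files.items()
            for rule, rx in RULES.items()
            for m in rx.finditer(text)]

def scan_history(log_text):
    """History scan over `git log -p`: every added ('+') line is checked and
    attributed to the commit that introduced it, so a secret deleted by a later
    "fix" commit is still reported, because that older blob is still reachable."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("+") and not line.startswith("+++"):
            for rule, rx in RULES.items():
                for m in rx.finditer(line[1:]):
                    findings.append({"rule": rule, "commit": commit,
                                     "file": path, "match": m.group()})
    return findings
```

`scan_tree(HEAD_TREE)` comes back empty, while `scan_history(SAMPLE_GIT_LOG)` still reports the key from the first commit: the only real fix is rotating the secret and rewriting the history.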

So, I would like to share three useful and cool things:

The command to run Gitleaks is very simple:

[Image: shell command to run Gitleaks.] Here json is the output format of the report, report.json is the report file created after the scan, and folder is the name of your Git repository.

Beware if you scan big repositories (such as a fork or a project with a long history): Gitleaks will take a long time to run.

In addition, the Git configuration value diff.renameLimit should be updated to allow Gitleaks to work.

Note that the Orange group provides a GitLab CI template dedicated to Gitleaks in the To Be Continuous project! Get it here.

Have fun scanning your projects!

Last update: Wednesday, August 10th 2022. Previously on Medium and paper.wf.

Licensed under CC-BY-SA 4.0. Opinions are my own.