Gitleaks is a well-known tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. It works by matching the content of git commits against predefined regular-expression patterns, so apart from secrets, can we also use it for things like content filtering? Is it possible? Let's find out.
There are several ways to install Gitleaks; see https://github.com/gitleaks/gitleaks#getting-started for instructions. I'll install it by downloading the binary and adding the folder containing the executable to the PATH environment variable.
Let’s test if Gitleaks installed successfully by typing the
Create a file named gitleaks.toml at the root of your git repo.
Let's open the file and define the first rule to detect some bad words such as "hell" and "heck" by copying and pasting the text below:
title = "gitleaks config"

[allowlist]
description = "global allow lists"
paths = ['''gitleaks.toml''']

[[rules]]
id = "BadWords"
description = "Bad Words"
regex = '''.*(hell|heck).*'''
Save the file, open any file in your repo, and put some of the bad words defined above into it. For example:
Stage the changes with the git add . command, then run the command below:
gitleaks protect -v --staged --config gitleaks.toml
As you can see, it detected that you're about to commit changes that contain a bad word on line 5 of Program.cs. However, at this point nothing stops us from committing; git commit still succeeds unless we configure a git pre-commit hook.
Configuring Git Hooks
Git Hooks are scripts that Git can execute automatically when certain events occur, such as before or after a commit, push, or merge. There are several types of Git Hooks, each with a specific purpose. Pre-commit hooks, for example, can be used to enforce code formatting or run tests before a commit is made.
So a pre-commit hook is exactly what we need for our purpose: it runs the gitleaks command to detect any bad words and exits with an error to prevent the commit.
Go to the .git/hooks folder and create a file named pre-commit.
Open the pre-commit file, copy and paste the below script:
#!/usr/bin/env python3
"""Helper script to be used as a pre-commit hook."""
import subprocess
import sys

# Run gitleaks against the staged changes only. subprocess.run gives the
# process's exit code directly; os.system would return a platform-specific
# wait status (256 on Linux/macOS for exit code 1), so a comparison with 1
# would never fire there.
result = subprocess.run(
    ['gitleaks', 'protect', '-v', '--staged', '--config', 'gitleaks.toml'])
if result.returncode != 0:
    # gitleaks exits with 1 when it finds something; any other non-zero
    # code is a tool error, which should also block the commit.
    if result.returncode == 1:
        print('''Warning: gitleaks has detected sensitive information in your changes.''')
    sys.exit(result.returncode)
Save the file. If you're using Windows, open the Microsoft Store and install Python 3.x.
Now back to the root of the git repo, let’s try to commit the changes.
git commit -m "update abc xyz"
As you can see, it raised the error and prevented the changes from being committed.
Now we know that Gitleaks is also very good at things like bad-word filtering, and we can even use it for third-party package filtering by defining the list of unwanted packages as rules.
However, a pre-commit hook only helps if every developer configures it correctly on their local machine; if we rely on git hooks alone, we can't be sure the check won't be bypassed. So we should also run it as part of our CI process to prevent bad code from being merged. In the next article, I'll demonstrate how to use Gitleaks with Azure Pipelines.
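To make the matching concrete, here is an added example (not gitleaks' own code, and not from the original post) that re-implements the core of what gitleaks protect --staged does with rules like the ones above: apply each rule's regex line by line to the staged file contents, skip allowlisted paths, and return a non-zero status when anything matches. It mirrors the BadWords rule from the config above and adds a hypothetical UnwantedPackages rule for .csproj PackageReference entries; the package names, the file name scan.py, and the staged file contents are all constructed for this example.

```python
"""Minimal re-implementation of the gitleaks rule loop, to show how regex
rules and the allowlist decide what gets flagged.  Added example; not
gitleaks' own code.  Rules and file contents are constructed."""
import re
import sys
from dataclasses import dataclass


@dataclass
class Rule:
    id: str
    description: str
    regex: re.Pattern


# Mirrors the BadWords rule from gitleaks.toml in the post, plus a
# hypothetical rule that flags PackageReference entries for packages a team
# has decided not to allow.  The package names are placeholders.
RULES = [
    Rule("BadWords", "Bad Words", re.compile(r".*(hell|heck).*")),
    Rule("UnwantedPackages", "Disallowed NuGet packages",
         re.compile(r'<PackageReference\s+Include="(Acme\.DeprecatedCrypto|Acme\.OldLogger)"')),
]

# [allowlist] paths: files that are never scanned.  The config itself is
# listed so the regexes written in it do not trip the rules.
ALLOWLIST_PATHS = [re.compile(r"gitleaks\.toml")]


def is_allowlisted(path):
    return any(p.search(path) for p in ALLOWLIST_PATHS)


def scan_file(path, content):
    """Return (path, line_no, rule_id, matched_text) for every hit."""
    findings = []
    if is_allowlisted(path):
        return findings
    for line_no, line in enumerate(content.splitlines(), start=1):
        for rule in RULES:
            m = rule.regex.search(line)
            if m:
                findings.append((path, line_no, rule.id, m.group(0).strip()))
    return findings


def scan_staged(files):
    """files: {path: content} standing in for the staged tree."""
    out = []
    for path, content in files.items():
        out.extend(scan_file(path, content))
    return out


# Constructed sample of what might be staged.  Line 2 of Program.cs is a
# false positive: ".*(hell|heck).*" matches "hell" inside "shell".
STAGED = {
    "Program.cs": (
        "using System;\n"
        "// Run this from a shell.\n"
        "class Program\n"
        "{\n"
        '    static void Main() => Console.WriteLine("What the heck?");\n'
        "}\n"
    ),
    "App.csproj": (
        '<Project Sdk="Microsoft.NET.Sdk">\n'
        "  <ItemGroup>\n"
        '    <PackageReference Include="Acme.OldLogger" Version="1.0.0" />\n'
        "  </ItemGroup>\n"
        "</Project>\n"
    ),
    # Contains the rule regex itself, but is allowlisted so never reported.
    "gitleaks.toml": "regex = '''.*(hell|heck).*'''\n",
}


def main():
    findings = scan_staged(STAGED)
    for path, line_no, rule_id, text in findings:
        print(f"{path}:{line_no}: [{rule_id}] {text}")
    # Same contract as the pre-commit hook: non-zero exit blocks the commit.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Running python scan.py reports Program.cs lines 2 and 5 and App.csproj line 3, then exits with 1. The line-2 hit shows why the regex in the post is looser than it looks: without word boundaries, `.*(hell|heck).*` also matches "shell" and "hello"; `\b(hell|heck)\b` flags only the whole words. The gitleaks.toml entry is silently skipped because of the allowlist, which is exactly why the post's config lists itself there.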