Gitleaks is great small tool for detecting and preventing hardcoded secrets like passwords, API keys and tokens in git repos. How we can use it ?

Let’s create simple folder and initialize git repository:

mkdir demo
cd demo
git init

then let’s create simple script and commit changes:

echo hostname > script.sh
chmod +x script.sh
git add script.sh
git commit -am "Simple script"

Now let’s install gitleaks and try to use it:

brew install gitleaks
gitleaks detect --source . -v

Most probably not leaks should be found. Let’s something more interesting by creating simple file provider.tf with content as below:

provider "aws" {
  region     = "us-west-2"
  access_key = "lkKJkJsi819jc8s9jd8ciejr5.34.22kdksfASASS"
  secret_key = "alkskadsKKj81jsodio1j98Aasd1.asio32JJJ8ss"
}

After creating file, let’s commit changes:

git add provider.tf
git commit -am "Add TF provider with AWS API key"

Let’s check what results from gitleaks we have:

gitleaks detect --source . -v

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

Finding:     access_key = "lkKJkJsi819jc8s9jd8ciejr5.34.22kdksfASASS""
Secret:      lkKJkJsi819jc8s9jd8ciejr5.34.22kdksfASASS
RuleID:      generic-api-key
Entropy:     4.308295
File:        provider.tf
Line:        3
Commit:      d496e23a1872af79917e78f80a6fac9da1fd7063
Author:      Sebastian Czech
Email:       sebaczech@gmail.com
Date:        2023-08-02T20:43:09Z
Fingerprint: d496e23a1872af79917e78f80a6fac9da1fd7063:provider.tf:generic-api-key:3

Finding:     secret_key = "alkskadsKKj81jsodio1j98Aasd1.asio32JJJ8ss""
Secret:      alkskadsKKj81jsodio1j98Aasd1.asio32JJJ8ss
RuleID:      generic-api-key
Entropy:     3.840947
File:        provider.tf
Line:        4
Commit:      d496e23a1872af79917e78f80a6fac9da1fd7063
Author:      Sebastian Czech
Email:       sebaczech@gmail.com
Date:        2023-08-02T20:43:09Z
Fingerprint: d496e23a1872af79917e78f80a6fac9da1fd7063:provider.tf:generic-api-key:4

10:43PM INF 5 commits scanned.
10:43PM INF scan completed in 65.1ms
10:43PM WRN leaks found: 2

It has detected generic-api-key. Let’s remove that file from our repository and commit changes:

rm provider.tf
git commit -am "Remove AWS API key"

Execute gitleaks and verify that still we have an issue, even if file with secrets was removed. The problem is with git history. Of course there is a solution for that problem, which is described in documentation removing sensitive data from a repository.

For that purpose we need additional tool git-filter-repo:

brew install git-filter-repo

which can be used with below approach to remove sensitive data from history:

git filter-repo --invert-paths --path provider.tf
git filter-repo --invert-paths --path provider.tf --force

Now gitleaks doesn’t find any leaks:

gitleaks detect --source . -v

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

10:54PM INF 3 commits scanned.
10:54PM INF scan completed in 62.4ms
10:54PM INF no leaks found