Monitoring Git Leaks in Travis
Josh Ghent
Posted on November 12, 2019
Recently, we’ve wanted to add Gitleaks scanning to our repos to keep on top of any potential security issues. I checked out a number of tools such as detect-secrets and trufflehog, but eventually I decided to use Gitleaks, as its output format was fairly CI friendly.
There is already a CI version of Gitleaks, but it is a stripped-down build that only uses basic regexes. I wanted to use the fully fledged version, which is updated a bit more regularly. Additionally, with the CI version you had to configure a few environment variables, which I didn’t want to do for every single repository.
Since there was not much documentation on how to use it in CI, I decided to post this blog.
Simply add this script as /.ci/leaks.sh. It will only audit the current commit in the local repo:
#!/bin/bash
# Only run when Travis has set TRAVIS_PULL_REQUEST (it is "false" on non-PR builds, so the check only skips if the variable is unset)
if [ -n "$TRAVIS_PULL_REQUEST" ]; then
  REPO_SLUG="/${TRAVIS_REPO_SLUG}"
  # Mount the checkout into the container and audit the current commit for secrets
  docker run --rm --name=gitleaks -v "$PWD:$REPO_SLUG" zricethezav/gitleaks -v --repo-path="$REPO_SLUG" --commit="$TRAVIS_COMMIT"
fi
Next, add this to your .travis.yml. Alternatively, just add an additional “script” entry if you don’t want to use separate stages:
jobs:
  include:
    # A dedicated build stage that runs the leak scan
    - stage: Leaks
      language: generic
      script:
        - "./.ci/leaks.sh"
Additionally, add docker as a new service in the .travis.yml.
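As an added example (not the script from the post above), here is a leaks.sh variant that goes a step further: on pull-request builds it audits every commit in the PR range rather than only the checked-out commit, and it handles the fact that Travis sets TRAVIS_PULL_REQUEST to the literal string "false" on branch builds. It assumes the same zricethezav/gitleaks image and that it accepts --commit-from and --commit-to alongside --commit and --repo-path.

```shell
#!/bin/bash
# Added example, not from the original post. Assumed: the zricethezav/gitleaks
# image accepts --commit-from/--commit-to as well as --commit and --repo-path.
set -u

# Travis sets TRAVIS_PULL_REQUEST to the PR number, or to the literal string
# "false" on branch builds, so a plain -z/-n test never skips anything.
is_pull_request() {
  [ -n "$1" ] && [ "$1" != "false" ]
}

# Turn the Travis context into gitleaks arguments. Prints the arguments
# instead of running docker so the selection logic can be tested offline.
#   $1 = TRAVIS_PULL_REQUEST   $2 = TRAVIS_COMMIT
#   $3 = TRAVIS_COMMIT_RANGE ("base...head")   $4 = TRAVIS_REPO_SLUG
gitleaks_args() {
  local pr="$1" commit="$2" range="$3" repo="/$4"
  if is_pull_request "$pr" && [ -n "$range" ]; then
    # Audit every commit the PR adds, not just the one Travis checked out
    printf '%s\n' "--repo-path=$repo --commit-from=${range%%...*} --commit-to=${range##*...}"
  else
    # Branch build (or no range known): audit just the current commit
    printf '%s\n' "--repo-path=$repo --commit=$commit"
  fi
}

# Run the scan in the container. gitleaks exits non-zero when it finds a
# leak, which fails the Travis job and blocks the merge.
run_scan() {
  local args slug="${TRAVIS_REPO_SLUG:-repo}"
  args=$(gitleaks_args "${TRAVIS_PULL_REQUEST:-false}" "${TRAVIS_COMMIT:-HEAD}" \
                       "${TRAVIS_COMMIT_RANGE:-}" "$slug")
  # shellcheck disable=SC2086  # word-splitting of $args is intended
  docker run --rm --name=gitleaks -v "$PWD:/$slug" zricethezav/gitleaks -v $args
}

# Only start the scan on Travis itself (it exports TRAVIS=true), so the
# functions can be sourced and exercised locally without docker.
if [ "${TRAVIS:-}" = "true" ]; then
  run_scan
fi
```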
That’s it! Tweet me @joshghent if you have any problems.