Gitleaks is a free and open-source tool developed by GitHub to help developers detect secrets like API keys and passwords in their projects before the final push. The main benefit is its capability to scan your latest code and the entire Git history to identify any previously committed secrets.

Accidental leaks of secrets are among the primary reasons for many data breaches on the internet; once leaked, there’s no turning back. The only solution is to generate new secrets and securely store them, such as by using environment variables in GitHub projects.

In this guide, we discuss some of its features, how to install it on Linux, and how to use it to detect secrets in your existing project.

Features of GitLeaks

Here are the highlighted features it offers:

• It’s free, open-source, and cross-platform.
• Support more than 160 secret types, with new ones added regularly.
• It can access the third-party code.
• Easily configurable via the “gitleaks.toml” file.
• Gitleaks-Action on GitHub is available to run Gitleaks scans on each pull and commit automatically.

How to Install GitLeaks on Linux

There are several ways to install Gitleaks on Linux, but the best and most recommended method is to use the default package manager. If you are running Debian or Ubuntu-based distributions, or Red Hat or Fedora-based distributions, simply execute the appropriate command to start the installation.

# On Debian and Ubuntu-based distributions.
$ sudo apt install gitleaks

# On Red Hat and Fedora-based distributions.
$ sudo dnf install gitleaks

MacOS users can use the following brew command for installation:

$ brew install gitleaks

Once the installation is complete, the “gitleaks” command becomes accessible.

How to Use GitLeaks for Scanning Secret Leaks

There are various ways to use Gitleaks for detecting secrets in a project. You can either scan for secrets in your existing project or, if you’re a penetration tester, use the Git URL to clone the project and find any accidental secret leaks using Gitleaks.

For the demonstration, we will use a Node.js project that includes a “.env” file containing secrets. This file is currently in the staging area, with only a pending commit. Let’s see if Gitleaks can detect these secrets.

We’ll begin by navigating to the project directory, and for confirmation,we will also show you the content of the “.env” file using the cat command.

$ cd myproj/
$ cat .env

Checking the project “.env” file

Let’s use the “gitleaks” command with the “protect –staged” option, which scans the code in the staging area and alerts if any secrets are found.

$ gitleaks protect --staged

Checking secrets in staging area

The final line in the output above warns that there is a secret in the staging area that could leak if not addressed before the final commit.

Now, if you have already committed your code, you can use the “gitleaks” command with the “detect –source .” parameter to scan all code in the commit area and enable verbose mode with the “-v” option, which will show the parts identified as leaks during the scan.

$ gitleaks detect --source . -v

Checking secrets in committed code

As you can see, Gitleaks successfully detected the secret in the committed code.

What if you’re not using Git? Can you still use Gitleaks to detect secrets in your code? Yes, you can. For demonstration, we have removed the “.git” directory and used the “detect –no-git -v” option with the “gitleaks” command to detect secrets in a non-git controlled project.

$ gitleaks detect --no-git -v

Checking secrets in non-Git controlled project

As you can see, Gitleaks was easily able to scan the entire code to find the exposed secret that is not version controlled by Git.

If you are a penetration tester and want to look for secrets in specific GitHub repositories, you can simply clone the repository to your system and use the “gitleaks” command mentioned in this article to scan for leaked secrets.

Find secrets in GitHub repositories

This way, you can report the issues to the project maintainer or prevent yourself from accidentally leaking important secrets on the internet using Gitleaks.

If you are a project manager, then make sure to use Gitleaks-Action, which automatically runs a Gitleaks scan on all your team’s pull requests and commits or performs on-demand scans.

How to Uninstall GitLeaks from Linux

To remove Gitleaks from your Linux system installed via the package manager, run:

# On Debian and Ubuntu-based distributions.
$ sudo apt uninstall gitleaks

# On Red Hat and Fedora-based distributions.
$ sudo dnf uninstall gitleaks

If you have installed it on macOS via the Homebrew package manager, then run:

$ brew uninstall gitleaks

Conclusion

Gitleaks is a useful and free tool that you should definitely use to prevent secret leaks. However, remember that it’s still possible some secrets might not be detected, so after using Gitleaks, ensure you manually review your code at least once before the final commit.

What is GitLeaks and How to Use It? – FAQs

What is Gitleaks?

Ans: Gitleaks is a free and open-source tool developed by GitHub to help developers detect secrets like API keys and passwords in their projects before the final push.

What are the main features of Gitleaks?

Ans: Gitleaks is free, open-source, and cross-platform. It supports more than 160 secret types, can access third-party code, is easily configurable, and has a GitHub Action for automatic scanning.

How can I install Gitleaks on Linux?

Ans: You can install Gitleaks using package managers. For Debian/Ubuntu, use “sudo apt install gitleaks”. For Red Hat/Fedora, use “sudo dnf install gitleaks”.

Is there a way to automate Gitleaks scans?

Ans: Yes, you can use Gitleaks-Action on GitHub to automatically run Gitleaks scans on all pull requests and commits.

Is Gitleaks 100% effective in detecting all secrets?

Ans: While Gitleaks is very useful, it’s still possible that some secrets might not be detected. It’s recommended to manually review your code at least once after using Gitleaks.