Skip to content

Gitleaks Secret Detection

Secrets Detection

This feature is available in the self-hosted version of GitFlic

Secrets Detection is an automated process for identifying confidential information such as passwords, keys, access tokens, and other sensitive data that may accidentally end up in source code, configuration files, or other development artifacts.

The presence of such secrets in a repository can pose a security risk, so it is important to detect and remove them in a timely manner.

To minimize the risk of secrets appearing in commits, it is recommended to use Gitleaks — an open-source SAST tool designed to search for secrets in code.

Integrating Gitleaks with GitFlic using a pre-receive hook

Pre-receive hooks are scripts that run on the Git server before accepting new commits. They allow you to check incoming changes and reject them if certain conditions are violated, for example, if secrets are found.

Installing Gitleaks

To integrate Gitleaks into your workflow, you need to install it on the GitFlic server where pre-receive hooks will be executed. Installation instructions are available in the official Gitleaks repository.

Example of installing Gitleaks on Linux (Ubuntu):

apt update
apt install gitleaks

After successful installation, you can configure a hook to automatically check each commit for secrets before it is accepted into the repository.

Hook structure in GitFlic

On the GitFlic server where your Git repository is hosted, hooks are stored in the project directory. With the standard GitFlic installation, the path to the hooks directory looks like this: /var/tmp/gitflic/repo/c20242c3-aaaa-aaaa-aaaa-49afff94c56c.git/hooks, where c20242c3-aaaa-aaaa-aaaa-49afff94c56c is the project UUID.

All executable scripts that are triggered by the corresponding event (such as pre-receive, post-receive, and others) are stored in this folder.

Each hook file must be named according to its type. If you want to create a pre-receive hook, the script file should be named pre-receive and must have execution permissions.

Example of using gitleaks with a pre-receive hook

Below is an example of a pre-receive hook script that checks new commits for secrets using Gitleaks.

Create a pre-receive file in the hooks directory:

#!/bin/bash

echo "Check commits for secrets"

zero_commit="0000000000000000000000000000000000000000"
excludeExisting="--not --all"

while read old_sha new_sha refname; do
    echo "$old_sha $new_sha $refname"

    # Check for new branch
    if [ "$old_sha" = "$zero_commit" ]; then
      new_commits=(`git rev-list $new_sha $excludeExisting`)
    else
      new_commits=(`git rev-list $old_sha..$new_sha $excludeExisting`)
    fi

    output=$(gitleaks git -v --log-opts="${new_commits[-1]}^! ${new_commits[0]}" --exit-code 1 ../ 2>&1)

    # return code of the last process
    status=$?

    if [ $status -ne 0 ]; then
      echo "$output"
      exit 1
    fi
done
exit 0

Make the file executable:

chmod +x pre-receive

Now, every time changes are pushed to the repository, this script will be triggered.

How it works:

  • The script reads the range of new commits that need to be checked.

  • New branch check: If a branch is being created, all commits in this branch are checked. Otherwise, only the commits added during the merge or changes are checked.

  • Running Gitleaks: For each commit, Gitleaks is run with the --exit-code 1 option to stop the process if secrets are found.

  • Rejecting changes: If secrets are detected in the commits, the hook outputs the scan result and interrupts the process by returning error code 1, which blocks the acceptance of commits on the server.

Automated translation!

This page was translated using automatic translation tools. The text may contain inaccuracies.