GitLeaks is an open source tool that detects and prevents secrets such as passwords, API keys and tokens from being checked into a git repository. Its main advantage is that it scans not only your latest source code but the entire git history, so secrets committed in the past are identified as well. The tool can be used as a mandatory check in the static-analysis step of a CI pipeline, detecting credential leaks and preventing the offending code from being pushed.
GitLeaks usage
GitLeaks integrates easily with an existing GitHub repository, GitLab project, Jenkins job or Azure DevOps pipeline via an extension. It can be configured in two general modes: detect and protect.
1. Detect mode. In the most common scenario we only need to detect which sensitive information has already leaked, in order to sanitize the repository. This is especially important when forking a repo to another version-control server or upgrading an existing solution.
gitleaks detect -v
2. Protect mode. This mode prevents any sensitive information from being pushed to the remote server.
gitleaks protect --staged -v
If you want to make sure that a developer does not check any secret into the source code repository, you have to create a git hook. For this we can use the pre-commit tool to manage this configuration across developers' machines.
repos:
  - repo: https://github.com/<repo>
    rev: v8.*   # pin this to a specific release tag; pre-commit expects an exact rev
    hooks:
      - id: gitleaks
If you do not use a git repository, it is possible to scan any source tree with:
gitleaks detect --no-git
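To show what a mandatory CI check built on the tool's output looks like, here is an added example (my own code, not part of gitleaks or of this page) that consumes a gitleaks JSON report and turns it into a pipeline gate with a redacted summary and an allowlist. It assumes the report was written with `gitleaks detect --report-format json --report-path gitleaks.json`; the report embedded in the script is a constructed sample with made-up secrets, commit ids and authors, and the commit:file:rule:line fingerprint is my understanding of the shape of a .gitleaksignore entry, not something taken from this page.

```python
"""Turn a gitleaks JSON report into a CI gate.

Added example, not part of gitleaks itself. It assumes the report was produced with
`gitleaks detect --report-format json --report-path gitleaks.json` and that each
finding carries the field names shown in the report excerpt on this page.
"""
import json
from collections import Counter

# Constructed sample report: secret values, commit ids and authors are made up.
SAMPLE_REPORT = """[
  {
    "Description": "PyPI upload token",
    "StartLine": 8, "EndLine": 8, "StartColumn": 13, "EndColumn": 184,
    "Match": "pypi-AgEIcHlwaS5vcmcEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE",
    "Secret": "pypi-AgEIcHlwaS5vcmcEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE",
    "File": ".pypirc",
    "Commit": "0000000000000000000000000000000000000001",
    "Entropy": 0,
    "Author": "example", "Email": "example@example.invalid",
    "Date": "2021-11-16T09:22:31Z", "Message": ".", "Tags": [],
    "RuleID": "pypi-upload-token"
  },
  {
    "Description": "Generic API Key",
    "StartLine": 12, "EndLine": 12, "StartColumn": 1, "EndColumn": 60,
    "Match": "api_key = \\"EXAMPLE0123456789EXAMPLE0123456789\\"",
    "Secret": "EXAMPLE0123456789EXAMPLE0123456789",
    "File": "tests/fixtures/config.py",
    "Commit": "0000000000000000000000000000000000000002",
    "Entropy": 3.5,
    "Author": "example", "Email": "example@example.invalid",
    "Date": "2021-11-17T10:00:00Z", "Message": "add fixture", "Tags": [],
    "RuleID": "generic-api-key"
  }
]"""


def load_findings(report_text):
    """Parse the report; gitleaks writes an empty JSON array when nothing was found."""
    findings = json.loads(report_text)
    if not isinstance(findings, list):
        raise ValueError("expected a JSON array of findings")
    return findings


def redact(secret, keep=6):
    """Keep only a short prefix so the summary can go into CI logs safely."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return f"{secret[:keep]}...({len(secret)} chars)"


def fingerprint(f):
    """commit:file:rule:line (my understanding of the .gitleaksignore entry shape)."""
    return f"{f['Commit']}:{f['File']}:{f['RuleID']}:{f['StartLine']}"


def summarise(findings, ignored=()):
    """Counts per rule and per file plus one redacted line per non-ignored finding."""
    ignored = set(ignored)
    live = [f for f in findings if fingerprint(f) not in ignored]
    return {
        "total": len(findings),
        "live": len(live),
        "by_rule": dict(Counter(f["RuleID"] for f in live)),
        "by_file": dict(Counter(f["File"] for f in live)),
        "lines": [
            f"{f['File']}:{f['StartLine']} [{f['RuleID']}] {redact(f['Secret'])} "
            f"(commit {f['Commit'][:8]})"
            for f in live
        ],
    }


def gate(report_text, ignored=()):
    """Exit status for the CI step: 0 when no live findings remain, 1 otherwise."""
    summary = summarise(load_findings(report_text), ignored)
    for line in summary["lines"]:
        print(line)
    print(f"{summary['live']} live finding(s) out of {summary['total']} reported")
    return 0 if summary["live"] == 0 else 1


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_REPORT
    sys.exit(gate(text))
```

gitleaks itself already exits non-zero when it finds leaks; what this step adds is a log-safe summary (the secret is never printed in full) and an explicit, reviewable allowlist of accepted findings such as test fixtures, so nothing is silenced without a fingerprint in version control.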
How-To with CI/CD Goat Duchess challenge
I would like to present a very straightforward lab environment to see GitLeaks in action, leveraging the awesome CI/CD Goat CTF tools.
Once the infrastructure is installed (see my previous article here), open the CTF portal and go to the Duchess challenge.
The description gives a clue about a token hidden somewhere in the code.
Let's pull the repo and run GitLeaks in detect mode with higher verbosity:
git clone http://localhost:3000/Wonderland/duchess.git
cd duchess
It found 11 leaks in the repo, but the most interesting one is:
...
{
  "Description": "PyPI upload token",
  "StartLine": 8,
  "EndLine": 8,
  "StartColumn": 13,
  "EndColumn": 184,
  "Match": "pypi-AgEIcHlwaS5vcmcCJGNmNTI5MjkyLWYxYWMtNDEwYS04OTBjLWE4YzNjNGY1ZTBiZAACJXsicGVybWlzc2lvbnMiOiAidXNlciIsICJ2ZXJzaW9uIjogMX0AAAYg7T5yHIewxGoh-3st7anbMSCoGhb-U3HnzHAFLHBLNBY",
  "Secret": "pypi-AgEIcHlwaS5vcmcCJGNmNTI5MjkyLWYxYWMtNDEwYS04OTBjLWE4YzNjNGY1ZTBiZAACJXsicGVybWlzc2lvbnMiOiAidXNlciIsICJ2ZXJzaW9uIjogMX0AAAYg7T5yHIewxGoh-3st7anbMSCoGhb-U3HnzHAFLHBLNBY",
  "File": ".pypirc",
  "Commit": "43f216c2268a94ff03e5400cd4ca7a11243821b0",
  "Entropy": 0,
  "Author": "Asaf",
  "Email": "asaf@cidersecurity.io",
  "Date": "2021-11-16T09:22:31Z",
  "Message": ".",
  "Tags": [],
  "RuleID": "pypi-upload-token"
}
...
We found the flag! Very easy.
Another way is to take the commit hash and reset the repo to the specific commit where the .pypirc file was inadvertently committed:
git reset --hard 43f216c2268a94ff03e5400cd4ca7a11243821b0
Now find .pypirc and open it:
This is a nice example of why we always have to take care about what is pushed to a remote. Use GitLeaks or any other tool to prevent credentials from being exposed, but even if the data is already in the repo, it is good to know about it and take appropriate action to clean up the git history.
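To make the "scans the entire history" point concrete, the following added example (my own code, not gitleaks and not part of the CI/CD Goat lab) runs a toy rule-based scanner over a constructed two-commit history in which a .pypirc token is added and then the file is deleted. The regex is a simplified rule modelled on the token prefix shown in the report above, not gitleaks's own rule set; the token body, commit ids and file contents are constructed, and the scanner walks tree snapshots rather than commit diffs as gitleaks does.

```python
"""Why history matters: a toy gitleaks-style scanner over a constructed repo history.

Added example, not gitleaks code. The PyPI rule below is a simplified regex
modelled on the token prefix shown in the report on this page, not gitleaks's own rule.
"""
import math
import re

# One simplified rule in the spirit of a gitleaks rule: id, description, regex.
RULES = [
    {
        "id": "pypi-upload-token",
        "description": "PyPI upload token",
        "regex": re.compile(r"pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_-]{50,}"),
    },
]

# Constructed token: the prefix from the report plus a made-up body.
TOKEN = "pypi-AgEIcHlwaS5vcmc" + "EXAMPLEtokenQWERTY0123456789abcdefghijklmnopqrstuvwxyzZXCVBNM-_"

# Constructed history: the tree after each commit. The secret is added in the first
# commit and the file is deleted in the second, so the latest tree looks clean.
HISTORY = [
    {"commit": "constructed-commit-1",
     "files": {".pypirc": "[pypi]\nusername = __token__\npassword = " + TOKEN + "\n",
               "README.md": "# duchess\n"}},
    {"commit": "constructed-commit-2",
     "files": {"README.md": "# duchess\n"}},
]


def shannon_entropy(s):
    """Bits per character; gitleaks rules can use an entropy threshold to drop
    low-entropy matches such as placeholders."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path, commit):
    """Apply every rule to one version of one file; report gitleaks-like findings."""
    findings = []
    for rule in RULES:
        for m in rule["regex"].finditer(text):
            findings.append({
                "Description": rule["description"],
                "RuleID": rule["id"],
                "File": path,
                "Commit": commit,
                "StartLine": text.count("\n", 0, m.start()) + 1,
                "Secret": m.group(0),
                "Entropy": round(shannon_entropy(m.group(0)), 2),
            })
    return findings


def scan_head(history):
    """What a working-tree-only scan sees: just the latest snapshot."""
    head = history[-1]
    return [f for path, text in head["files"].items()
            for f in scan_text(text, path, head["commit"])]


def scan_history(history):
    """The history-wide view: every version of every file in every commit."""
    return [f for snap in history
            for path, text in snap["files"].items()
            for f in scan_text(text, path, snap["commit"])]


if __name__ == "__main__":
    print("latest tree only:", len(scan_head(HISTORY)), "finding(s)")
    for f in scan_history(HISTORY):
        print(f"history: {f['File']}:{f['StartLine']} in {f['Commit']} "
              f"[{f['RuleID']}] entropy={f['Entropy']}")
```

The latest-tree scan returns nothing because .pypirc no longer exists, while the history scan still finds the token in the first commit. That is exactly why deleting the file is not enough: the token has to be revoked and the history rewritten before the repository can be considered clean.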
Be ethical, save your data!