GitLab CI template for Gitleaks
This project implements a GitLab CI/CD template to detect and prevent hardcoded secrets in your Git repository with Gitleaks.
When run on merge requests, Gitleaks will run a quick analysis of added commits (i.e. the diff).
When run on branches, Gitleaks will run an analysis of all commits in the branch.
Usage
This template can be used either as a CI/CD component or with the legacy include:project syntax.
Use as a CI/CD component
Add the following to your .gitlab-ci.yml:

```yaml
include:
  # 1: include the component
  - component: $CI_SERVER_FQDN/to-be-continuous/gitleaks/gitlab-ci-gitleaks@2.7.1
    # 2: set/override component inputs
    inputs:
      args: "--no-banner" # ⚠ this is only an example
```
Use as a CI/CD template (legacy)
Add the following to your .gitlab-ci.yml:

```yaml
include:
  # 1: include the template
  - project: 'to-be-continuous/gitleaks'
    ref: '2.7.1'
    file: '/templates/gitlab-ci-gitleaks.yml'

variables:
  # 2: set/override template variables
  GITLEAKS_ARGS: "--no-banner" # ⚠ this is only an example
```
gitleaks jobs configuration
These jobs trigger a Gitleaks analysis (either on the complete repository or on the current branch). They use the following configuration.
| Input / Variable | Description | Default value |
|---|---|---|
| image / GITLEAKS_IMAGE | The Docker image used to run Gitleaks | registry.hub.docker.com/zricethezav/gitleaks:latest |
| rules / GITLEAKS_RULES | Gitleaks configuration rules to use (you may also provide your own .gitleaks.toml configuration file in your project). | none (uses default rules) |
| args / GITLEAKS_ARGS | Options for a full Gitleaks analysis (on master or develop branches) | --verbose --redact |
Configuring Gitleaks rules
Here is how this GitLab CI template chooses the Gitleaks rules to use:
- It first looks for a .gitleaks.toml file at the root of your project repository.
- If not found, it uses the .toml file specified with the $GITLEAKS_RULES variable.
- If not specified, default Gitleaks rules are used.
Your Gitleaks rule file can extend the default rules by using:

```toml
[extend]
useDefault = true
```

as explained in the Gitleaks documentation.
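As an added example (not part of this project's template or of the Gitleaks default rule set), a root-level .gitleaks.toml that keeps the default rules, adds one project-specific rule, and allowlists known false positives; the acme_ token format, the placeholder value and the paths are invented for illustration. Because this file sits at the repository root, the template picks it up before consulting $GITLEAKS_RULES.

```toml
# Example .gitleaks.toml (constructed for illustration; not the project's own file)
title = "Project Gitleaks rules, extending the built-in set"

# Keep every built-in Gitleaks rule and add the project-specific rule below.
[extend]
useDefault = true

# Custom rule for a hypothetical internal token format: acme_<env>_<32 hex chars>.
# keywords lets Gitleaks skip the regex on files that cannot contain a match.
[[rules]]
id = "acme-service-token"
description = "ACME internal service token (hypothetical format)"
regex = '''\bacme_(prod|stage|dev)_[0-9a-f]{32}\b'''
keywords = ["acme_prod_", "acme_stage_", "acme_dev_"]

# Per-rule allowlist: the all-zero placeholder used in docs/ is not a real secret.
[rules.allowlist]
description = "Documented placeholder token"
regexes = ['''acme_(prod|stage|dev)_0{32}''']
paths = ['''^docs/''']

# Global allowlist applied to every rule, built-in and custom alike.
[allowlist]
description = "Generated lock files that only contain public checksums"
paths = [
  '''(^|/)package-lock\.json$''',
  '''(^|/)go\.sum$''',
]
```

Keep per-rule allowlists as narrow as the one above; a broad global path allowlist also silences the built-in rules for those paths.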