# GitLeaks GitLab CI Component

A GitLab CI component for Gitleaks, a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos.
## Features
- Secret Detection: Scans repositories for hardcoded secrets and sensitive information
- Comprehensive Rules: Extensive set of built-in rules for detecting various types of secrets
- Custom Configuration: Support for local and remote configuration files
- Multiple Output Formats: Support for JSON, SARIF, and other report formats
- Flexible Arguments: Pass additional flags directly to Gitleaks
- Remote Configuration: Download and use configuration files from remote URLs
- Configurable Job Settings: Customise job name, stage, and container image
## Usage

### Basic Usage

### With Custom Configuration

```yaml
include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/gitleaks/main@latest
    inputs:
      GITLEAKS_CONFIG: ".gitleaks.toml"
      GITLEAKS_EXTRA_ARGS: "--verbose --report-format sarif"

stages:
  - test
```
### With Remote Configuration

```yaml
include:
  - component: $CI_SERVER_FQDN/niclas-zone/ci/gitleaks/main@latest
    inputs:
      GITLEAKS_REMOTE_CONFIG: "https://gitlab.com/niclas-zone/ci/gitleaks/-/raw/main/configs/gitleaks.toml"

stages:
  - test
```
## Inputs

| Input | Description | Default |
|---|---|---|
| `job_name` | Name of the CI job | `"secret scanning"` |
| `stage` | Pipeline stage | `"test"` |
| `image` | Docker image for Gitleaks | `"registry.gitlab.com/niclas-zone/ctr/gitleaks:8.28.0"` |
| `GITLEAKS_EXTRA_ARGS` | Extra arguments for Gitleaks | `"--verbose --redact --report-format json"` |
| `GITLEAKS_CONFIG` | Path to local Gitleaks config file | `""` |
| `GITLEAKS_REMOTE_CONFIG` | URL to download Gitleaks config file | `""` |
## Configuration Files

### Local Configuration
Place a .gitleaks.toml file in your repository root or specify the path using GITLEAKS_CONFIG.
### Remote Configuration
Set GITLEAKS_REMOTE_CONFIG to download a configuration file from a URL. This is useful for sharing configurations across multiple projects.
### Default Configuration
If no local or remote configuration is specified, the component will use Gitleaks' built-in default rules.
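The page does not show what a configuration file passed via `GITLEAKS_CONFIG` or `GITLEAKS_REMOTE_CONFIG` looks like, so here is an added example of a `.gitleaks.toml` that keeps the built-in rules, adds one project-specific rule, and allowlists test fixtures. This is not a file shipped with the component; the rule id `acme-internal-token`, the `acme_` token prefix, and the fixture path are hypothetical, and the file uses the Gitleaks 8.x `[extend]`, `[[rules]]` and `[allowlist]` tables.

```toml
# .gitleaks.toml (added example, not part of the component)
title = "project secret-scanning config"

# Keep every built-in Gitleaks rule and layer project rules on top.
# Without this block the file would REPLACE the default ruleset.
[extend]
useDefault = true

# Project-specific rule for an internal token format the default rules
# do not know. The "acme_" prefix and 40-character body are hypothetical.
[[rules]]
id = "acme-internal-token"
description = "ACME internal service token"
regex = '''\bacme_[A-Za-z0-9]{40}\b'''
keywords = ["acme_"]   # cheap pre-filter before the regex runs
entropy = 3.5          # ignore low-entropy matches such as repeated characters

# Rule-level allowlist: a placeholder token used in documentation.
[rules.allowlist]
regexes = ['''acme_x{40}''']

# Global allowlist: fixtures that intentionally contain secret-shaped
# strings, and lockfiles whose hashes trip generic rules.
[allowlist]
description = "project-wide exclusions"
paths = [
  '''tests/fixtures/.*''',
  '''(?i)\.lock$''',
]
```

Commit the file at the repository root (the component picks it up via `GITLEAKS_CONFIG: ".gitleaks.toml"`) or host it at a URL and point `GITLEAKS_REMOTE_CONFIG` at it so several projects share one ruleset. Note that overriding `GITLEAKS_EXTRA_ARGS`, as the custom-configuration usage example above does, replaces the whole default value, including `--redact`; add it back if the report artifact must not contain the matched secrets in clear text.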
## Artifacts

The component generates the following artifacts:

- `gitleaks-report.json`: Scan results in JSON format (or another format, depending on the `--report-format` argument)
## Documentation
For more information about Gitleaks configuration and options, see: