Gitleaks Process
Objective:
To ensure that sensitive information is properly managed by first reviewing findings from gitleaks and then adding any necessary entries to the .gitleaksignore file.
Steps:
- Run Gitleaks to Check for Findings:
  - Use the `gitleaks` command to scan the repository and generate a report in JSON format:

    ```sh
    gitleaks git . -f json -r findings.json
    ```

- Review the Findings:
  - Open the `findings.json` file to review the detected secrets and sensitive information.
  - Use a text editor or a command-line tool like `less` or `cat` to examine the contents:

    ```sh
    less findings.json
    ```

- Identify False Positives or Acceptable Risks:
  - Determine which findings are false positives or acceptable risks that should be ignored in future scans.
- Extract Fingerprints of Findings to Ignore:
  - Use the following command to extract fingerprints of the findings you wish to ignore (it prints each `Fingerprint` value with the leading commit hash removed, i.e. in the `file:rule:line` form):

    ```sh
    cat findings.json | grep "Fingerprint" | awk '{print $2}' | sed 's/"//g' | awk -F':' '{for(i=1;i<=NF;i++) if(i>1) printf "%s%s", (i>2?":":""), $i; print ""}'
    ```

- Add Fingerprints to .gitleaksignore:
  - Append the extracted fingerprints to the `.gitleaksignore` file to prevent them from being flagged in future scans:

    ```sh
    cat findings.json | grep "Fingerprint" | awk '{print $2}' | sed 's/"//g' | awk -F':' '{for(i=1;i<=NF;i++) if(i>1) printf "%s%s", (i>2?":":""), $i; print ""}' >> .gitleaksignore
    ```

- Clean Up:
  - Remove the temporary `findings.json` file to keep the workspace tidy:

    ```sh
    rm findings.json
    ```

Note: Always ensure that the entries added to `.gitleaksignore` are carefully reviewed to avoid ignoring genuine security issues.
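As an added example (not part of the original process and not gitleaks' own code), the following POSIX shell script wraps the extract and append steps so they are repeatable and reviewable. It keeps the page's transformation (each `Fingerprint` value with the commit hash dropped, giving the `file:rule:line` form that gitleaks also accepts in `.gitleaksignore`), but adds two things the raw pipeline lacks: an optional pattern so only the findings you actually reviewed get ignored, and a check that skips fingerprints already present, so rerunning the process does not duplicate entries. The report it reads is a constructed sample, not real gitleaks output; the function names and the pattern argument are this example's own.

```sh
#!/bin/sh
# Constructed sample of a gitleaks JSON report (two findings; the docs/ one is
# the kind of example value a team might decide to ignore after review).
SAMPLE_FINDINGS='[
  {
    "Description": "Generic API Key",
    "File": "config/settings.py",
    "Commit": "0123456789abcdef0123456789abcdef01234567",
    "RuleID": "generic-api-key",
    "StartLine": 12,
    "Fingerprint": "0123456789abcdef0123456789abcdef01234567:config/settings.py:generic-api-key:12"
  },
  {
    "Description": "AWS Access Key",
    "File": "docs/example.md",
    "Commit": "89abcdef0123456789abcdef0123456789abcdef",
    "RuleID": "aws-access-token",
    "StartLine": 3,
    "Fingerprint": "89abcdef0123456789abcdef0123456789abcdef:docs/example.md:aws-access-token:3"
  }
]'

# extract_fingerprints REPORT
# Same transformation as the page's pipeline: take each "Fingerprint" value,
# strip quotes (and a trailing comma, should the key ever not be last), then
# drop the first ':'-separated field (the commit hash) and rejoin the rest,
# yielding the global file:rule:line form.
extract_fingerprints() {
  grep '"Fingerprint"' "$1" \
    | awk '{print $2}' \
    | sed 's/[",]//g' \
    | awk -F':' '{ for (i = 2; i <= NF; i++) printf "%s%s", (i > 2 ? ":" : ""), $i; print "" }'
}

# append_ignore REPORT IGNOREFILE [PATTERN]
# Append the extracted fingerprints matching PATTERN (an extended regex applied
# to the file:rule:line string; default matches everything) to IGNOREFILE,
# skipping any fingerprint that is already listed.
append_ignore() {
  report="$1"; ignore="$2"; pattern="${3:-.}"
  touch "$ignore"
  extract_fingerprints "$report" | grep -E -- "$pattern" | while IFS= read -r fp; do
    [ -n "$fp" ] || continue
    # Exact whole-line match, so "docs/a.md:rule:3" does not hide "docs/a.md:rule:30".
    grep -qxF -- "$fp" "$ignore" && continue
    printf '%s\n' "$fp" >> "$ignore"
  done
}

# Demo: write the sample report to a scratch directory and ignore only the
# finding under docs/, leaving the config/ finding to be fixed.
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' "$SAMPLE_FINDINGS" > "$tmp/findings.json"
  append_ignore "$tmp/findings.json" "$tmp/.gitleaksignore" '^docs/'
  cat "$tmp/.gitleaksignore"
  rm -rf "$tmp"
}
```

Run `demo` to see the single `docs/example.md:aws-access-token:3` entry it writes; in a real repository you would call `append_ignore findings.json .gitleaksignore '<pattern>'` from the repository root after reviewing the report, then commit the updated `.gitleaksignore`.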
Credits to my colleague and friend Tyson!