Gitleaks Process

06 May 2025 - less than 1 min read time
Tags: Travel

Objective: To ensure that sensitive information is properly managed by first reviewing findings from gitleaks and then adding any necessary entries to the .gitleaksignore file. Steps:

1. Run Gitleaks to Check for Findings:
   • Use the gitleaks command to scan the repository and generate a report in JSON format:

     gitleaks git . -f json -r findings.json
     

2. Review the Findings:
   • Open the findings.json file to review the detected secrets and sensitive information.
   • Use a text editor or a command-line tool like less or cat to examine the contents:

     less findings.json
     

3. Identify False Positives or Acceptable Risks:
   • Determine which findings are false positives or acceptable risks that should be ignored in future scans.
4. Extract Fingerprints of Findings to Ignore:
   • Use the following command to extract fingerprints of the findings you wish to ignore:

     cat findings.json | grep "Fingerprint" | awk '{print $2}' | sed 's/"//g' | awk -F':' '{for(i=1;i<=NF;i++) if(i>1) printf "%s%s", (i>2?":":""), $i; print ""}'
     

5. Add Fingerprints to .gitleaksignore:
   • Append the extracted fingerprints to the .gitleaksignore file to prevent them from being flagged in future scans:

     cat findings.json | grep "Fingerprint" | awk '{print $2}' | sed 's/"//g' | awk -F':' '{for(i=1;i<=NF;i++) if(i>1) printf "%s%s", (i>2?":":""), $i; print ""}' >> .gitleaksignore
     

6. Clean Up:
   • Remove the temporary findings.json file to keep the workspace tidy:

     rm findings.json
     

     Note: Always ensure that the entries added to .gitleaksignore are carefully reviewed to avoid ignoring genuine security issues.

Credits to my colleague and friend Tyson!