Skip to content

GitLab CI template for Gitleaks

This project implements a GitLab CI/CD template to detect and prevent hardcoded secrets in your Git repository with Gitleaks.

When run on the master branch, Gitleaks will audit all commits from all branches.

When run on other branches, Gitleaks will run a quick analysis on the current branch.

Usage

This template can be used both as a CI/CD component or using the legacy include:project syntax.

Use as a CI/CD component

Add the following to your gitlab-ci.yml:

include:
  # 1: include the component
  - component: gitlab.com/to-be-continuous/gitleaks/gitlab-ci-gitleaks@2.6.0
    # 2: set/override component inputs
    inputs:
      args: "--no-banner" # ⚠ this is only an example

Use as a CI/CD template (legacy)

Add the following to your gitlab-ci.yml:

include:
  # 1: include the template
  - project: 'to-be-continuous/gitleaks'
    ref: '2.6.0'
    file: '/templates/gitlab-ci-gitleaks.yml'

variables:
  # 2: set/override template variables
  GITLEAKS_ARGS: "--no-banner" # ⚠ this is only an example

gitleaks jobs configuration

Those jobs trigger a Gitleaks analysis (either on the complete repository, either on the current branch). They use the following configuration.

Input / Variable Description Default value
image / GITLEAKS_IMAGE The Docker image used to run Gitleaks registry.hub.docker.com/zricethezav/gitleaks:latest
rules / GITLEAKS_RULES Gitleaks configuration rules to use (you may also provide your own .gitleaks.toml configuration file in your project). none (uses default rules)
args / GITLEAKS_ARGS Options for a full Gitleaks analysis (on master or develop branches) --verbose --redact

Configuring Gitleaks rules

Here is how this GitLab CI template chooses the Gitleaks rules to use:

  1. It first looks for a .gitleaks.toml file at the root of your project repository.
  2. If not found, it uses the .toml file specified with the $GITLEAKS_RULES variable.
  3. If not specified, [default Gitleaks rules] (https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) are used.