GitLab CI template for Gitleaks¶
This project implements a GitLab CI/CD template to detect and prevent hardcoded secrets in your Git repository with Gitleaks.
When run on the master branch, Gitleaks will audit all commits from all branches.
When run on other branches, Gitleaks will run a quick analysis on the current branch.
Usage¶
This template can be used both as a CI/CD component
or using the legacy include:project syntax.
Use as a CI/CD component¶
Add the following to your .gitlab-ci.yml:
include:
# 1: include the component
- component: $CI_SERVER_FQDN/to-be-continuous/gitleaks/gitlab-ci-gitleaks@2.6.1
# 2: set/override component inputs
inputs:
args: "--no-banner" # ⚠ this is only an example
Use as a CI/CD template (legacy)¶
Add the following to your .gitlab-ci.yml:
include:
# 1: include the template
- project: 'to-be-continuous/gitleaks'
ref: '2.6.1'
file: '/templates/gitlab-ci-gitleaks.yml'
variables:
# 2: set/override template variables
GITLEAKS_ARGS: "--no-banner" # ⚠ this is only an example
gitleaks jobs configuration¶
Those jobs trigger a Gitleaks analysis (either on the complete repository, either on the current branch). They use the following configuration.
| Input / Variable | Description | Default value |
|---|---|---|
image / GITLEAKS_IMAGE |
The Docker image used to run Gitleaks | registry.hub.docker.com/zricethezav/gitleaks:latest |
rules / GITLEAKS_RULES |
Gitleaks configuration rules to use (you may also provide your own .gitleaks.toml configuration file in your project). |
none (uses default rules) |
args / GITLEAKS_ARGS |
Options for a full Gitleaks analysis (on master or develop branches) | --verbose --redact |
Configuring Gitleaks rules¶
Here is how this GitLab CI template chooses the Gitleaks rules to use:
- It first looks for a
.gitleaks.tomlfile at the root of your project repository. - If not found, it uses the
.tomlfile specified with the$GITLEAKS_RULESvariable. - If not specified, [default Gitleaks rules] (https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) are used.