gitleaks on your laptop

If you ended up on this handbook page, it's probably because our gitleaks installation on your local machine pointed you here during a git commit. gitleaks is run on GitLab endpoints to prevent a common security issue: accidental commits of secrets such as Personal Access Tokens or other credentials to public repositories. It is important that all repositories are covered, because a token leaked from one repository can impact every repository and project to which your account has access.

What just happened?

gitleaks detected that you tried to commit something that looks like a secret to a git repository. The output should look something like this:

    │╲
    │ ○
    ○ ░
    ░    gitleaks

{
        "Description": "GitLab Personal Access Token",
        "StartLine": 7,
        "EndLine": 7,
        "StartColumn": 2,
        "EndColumn": 27,
        "Match": "REDACTED",
        "Secret": "REDACT",
        "File": "testfile",
        "Commit": "",
        "Entropy": 0,
        "Author": "",
        "Email": "",
        "Date": "0001-01-01T00:00:00Z",
        "Message": "",
        "Tags": [],
        "RuleID": "gitlab-pat"
}
9:27AM WRN leaks found: 1
9:27AM INF scan duration: 51.840347ms

The Description field tells you what kind of secret gitleaks detected (the RuleID field names the matching rule); you can verify the finding by inspecting the file listed in the File field at the line given by StartLine.

What should I do now?

It is never good practice to store plaintext secrets in code repositories. Remove the offending secrets from the files you wanted to commit and find a safe place for them. If you're unsure what to do, feel free to reach out in the #security Slack channel.

If you are absolutely sure the secret detected by gitleaks is a false positive and you want to commit anyway, set the environment variable I_WANT_GITLEAKS_SKIP for that single commit to skip the gitleaks scan. On the command line this looks like so:

I_WANT_GITLEAKS_SKIP=1 git commit -m 'Commit a dummy secret'

Please do not set this variable permanently, as that would subvert the protection mechanism. Since version 8.5.0, gitleaks can also ignore dummy secrets: add gitleaks:allow as a comment on the same line as the secret.
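To make the behaviour described above concrete, here is an added example of a git pre-commit hook that runs gitleaks on the staged changes and honours the I_WANT_GITLEAKS_SKIP escape hatch. It is illustration written for this page, not the hook shipped by the GitLab laptop installation. It assumes gitleaks 8.x is on the PATH (the `protect --staged`, `--redact` and `--verbose` options), that the script is installed as `.git/hooks/pre-commit`, and it adds a GITLEAKS_BIN variable so the scan command can be substituted when exercising the hook.

```shell
#!/bin/sh
# Added example pre-commit hook (not the handbook's own installation).
# Assumption: gitleaks 8.x is installed; GITLEAKS_BIN is our own knob that
# lets a caller swap in a stand-in command for the real binary.
GITLEAKS_BIN="${GITLEAKS_BIN:-gitleaks}"

# run_gitleaks_hook returns 0 when the commit may proceed and 1 when it
# must be blocked. git aborts the commit on any non-zero hook exit status.
run_gitleaks_hook() {
    # One-off escape hatch: only honour the exact value 1, and say so on
    # stderr so a skipped scan is visible in the terminal history.
    if [ "${I_WANT_GITLEAKS_SKIP:-}" = "1" ]; then
        echo "pre-commit: gitleaks scan skipped for this commit (I_WANT_GITLEAKS_SKIP=1)" >&2
        return 0
    fi

    # 'protect --staged' scans only the staged diff, so unstaged noise and
    # history are left alone; --redact keeps the secret itself out of the
    # terminal output and --verbose prints the finding shown on this page.
    if "$GITLEAKS_BIN" protect --staged --redact --verbose; then
        return 0
    fi

    echo "pre-commit: gitleaks found a possible secret; commit blocked." >&2
    echo "pre-commit: remove the secret, or for a verified false positive use" >&2
    echo "            I_WANT_GITLEAKS_SKIP=1 git commit ... (once) or a gitleaks:allow comment." >&2
    return 1
}

# Only act as the hook when git invoked us under that name, so the file can
# also be sourced to call run_gitleaks_hook directly.
case "$0" in
    */pre-commit) run_gitleaks_hook; exit $? ;;
esac
```

The skip variable is checked before gitleaks runs at all, which is why setting it permanently in a shell profile disables the protection entirely rather than just silencing one finding. For a placeholder value that must stay in the repository, the inline marker is the narrower tool: a line such as `TEST_TOKEN = "dummy-value"  # gitleaks:allow` is ignored by gitleaks 8.5.0 and later without touching the hook at all.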