gitleaks v2.0 releases: Searches full repo history for secrets and keys

gitleaks – Check git repos for secrets and keys

Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.

As part of its core functionality, it provides;

  • Github support including support for the bulk organisation and repository owner (user) repository scans, as well as pull request scanning for use in common CI workflows.
  • Support for private repository scans, and repositories that require key-based authentication
  • Output in CSV and JSON formats for consumption in other reporting tools and frameworks
  • Externalised configuration for environment specific customisation including regex rules
  • Customisable repository name, file type, commit ID, branchname and regex whitelisting to reduce false positives
  • High performance through the use of src-d’s go-git framework

It has been successfully used in a number of different scenarios, including;

  • Adhoc scans of local and remote repositories by filesystem path or clone URL
  • Automated scans of github users and organisations (Both public and enterprise platforms)
  • As part of a CICD workflow to identify secrets before they make it deeper into your codebase
  • As part of a wider secret auditing automation capability for git data in large environments

Changelog v2.0

Version 2.0.0 of gitleaks introducing a major change to the gitleaks.toml configuration file. This change allows users to define more aggressive filters by combining three techniques: regex, entropy, and file matching. Goodbye [[regexes]], hello [[rules]]. Below is an example rule that combines these three filtering techniques:

description = "Generic Key"
regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
entropies = [
entropyROI = "line"
filetypes = [".go", ".py", ".c"]
tags = ["key"]
severity = "8"


This rule will first attempt to match the regex, then see if the entropy value of either the line or word –depending on entropyROI— is within the range of entropies, then it will check if the filetype. If all three conditions are met, then voilà, you have a leak.

tags and severity are used for post-audit reporting as per #193






Alt Text

Copyright (C) 2018 zricethezav