Setup GitLab CI pipeline and pre-commit script to scan for secrets using GitLeaks

Security Engineer and Technical Writer

Project Description

  • Configure GitLeaks job in GitLab CI to check commits for secrets

  • Create a Git pre-commit hook that runs a GitLeaks scan on staged files before code is committed

  • Publish the scan report as an artifact of the CI pipeline

Technologies used

  • GitLab CI

  • Pre-Commit Hook

  • GitLeaks

  • Git

  • Linting and formatting tools for JS and Python

Architecture

Setup Instructions

1. GitLab CI Pipeline Configuration

Created .gitlab-ci.yml in the root directory:

# Stages for the CI/CD pipeline
stages:
  - test
  - build
  - deploy

# Test stage: Secret scanning using Gitleaks
secret-scan:
  stage: test
  image:
    name: zricethezav/gitleaks:latest
    entrypoint: [""]
  variables:
    GIT_DEPTH: 0   # full clone, so the whole commit history is scanned
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
  script:
    # First pass: print findings in the job log without failing the job
    - gitleaks detect --source . --verbose --no-banner --exit-code 0
    # Second pass: write a redacted JSON report and fail the job if anything was found
    - gitleaks detect --source . --redact --no-banner \
      --report-format json --report-path gitleaks-report.json --exit-code 1
  after_script:
    - test -f gitleaks-report.json || echo '{}' > gitleaks-report.json
  artifacts:
    when: always
    expire_in: 1 week
    paths:
      - gitleaks-report.json
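As an added example (not part of the original project), a small Python script that reads the gitleaks-report.json artifact the job above publishes and summarizes findings per rule and per file. It handles the empty `[]` report gitleaks writes when nothing is found and the `{}` placeholder the after_script writes when no report exists, and it never echoes the Secret field. The embedded sample report is constructed; its commit hashes and paths are made up.

```python
import json
import sys
from collections import Counter
from pathlib import Path

# Constructed sample in the shape gitleaks writes with --report-format json
# and --redact (field names match gitleaks' JSON report; values are made up).
SAMPLE_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "File": "config/settings.py", "StartLine": 12,
     "Commit": "deadbeef", "Secret": "REDACTED",
     "Fingerprint": "deadbeef:config/settings.py:aws-access-token:12"},
    {"RuleID": "generic-api-key", "File": "config/settings.py", "StartLine": 40,
     "Commit": "deadbeef", "Secret": "REDACTED",
     "Fingerprint": "deadbeef:config/settings.py:generic-api-key:40"},
    {"RuleID": "aws-access-token", "File": ".env.example", "StartLine": 3,
     "Commit": "cafebabe", "Secret": "REDACTED",
     "Fingerprint": "cafebabe:.env.example:aws-access-token:3"},
])


def load_findings(report_text):
    """Parse a gitleaks JSON report into a list of finding dicts.

    Accepts the three shapes the pipeline can produce: a list of findings,
    an empty list when gitleaks found nothing, and the '{}' placeholder the
    after_script writes when the report file was never created.
    """
    data = json.loads(report_text or "[]")
    if isinstance(data, dict):      # '{}' fallback from after_script
        return []
    if not isinstance(data, list):
        raise ValueError("unexpected gitleaks report shape")
    return data


def summarize(findings):
    """Count findings per rule and per file; the Secret field is never read."""
    return {
        "total": len(findings),
        "by_rule": dict(Counter(f.get("RuleID", "unknown") for f in findings)),
        "by_file": dict(Counter(f.get("File", "unknown") for f in findings)),
        "commits": sorted({f["Commit"] for f in findings if f.get("Commit")}),
        # Fingerprints are what a .gitleaksignore entry references for triage.
        "fingerprints": [f.get("Fingerprint", "") for f in findings],
    }


def main(path=None):
    text = Path(path).read_text() if path else SAMPLE_REPORT
    summary = summarize(load_findings(text))
    print(json.dumps(summary, indent=2))
    return 1 if summary["total"] else 0   # non-zero exit when findings exist


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with the artifact path (`python summarize_report.py gitleaks-report.json`) in a downstream job, or without arguments to see the constructed sample.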

2. Pre-commit Hook Configuration

Created .pre-commit-config.yaml in the root directory:

repos:
  # 1. General Code & Config Validation
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
    hooks:
      - id: detect-aws-credentials
      - id: detect-private-key
      - id: check-yaml
      - id: check-json
      - id: check-xml
      - id: check-added-large-files

  # 2. Secret Scanning with Gitleaks
  # language: system means the gitleaks binary must already be on PATH;
  # pre-commit will not build it from the pinned rev.
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.30.0
    hooks:
      - id: gitleaks
        name: Detect secrets
        entry: gitleaks protect --staged --verbose
        language: system
        pass_filenames: false

Installation:

# Install pre-commit
pip install pre-commit

# Install hooks
pre-commit install

# Test
pre-commit run --all-files

Usage

Local Development

The pre-commit hook runs automatically on git commit:

git add .
git commit -m "Your commit message"
# GitLeaks scans staged files automatically

CI/CD Pipeline

The pipeline triggers automatically on a push to the default branch or on a merge request:

git push origin main
# GitLeaks job runs in GitLab CI

Results

GitLab CI Pipeline Scan

Pre-commit Hook Scan

Scan Summary

  • Total Files Scanned: [10 files]

  • Secrets Detected: 0

  • Pipeline Status: ✅ Passed

  • Pre-commit Status: ✅ Passed

Key Learnings

  1. Defense in Depth: Two-layer protection (local + CI) prevents secrets from reaching the remote repository

  2. Developer Experience: Pre-commit hooks catch issues early, reducing CI failures

  3. Staged-only Scanning: Using --staged flag in pre-commit improves performance by scanning only changed files

Next Steps
