Building DevSecOps solutions using AWS, Terraform and Kubernetes

Show Gitleaks Code Snippet

  • 29th September 2024

What is Gitleaks?

Gitleaks is a secret scanner for git repositories, files, and directories. It’s popular because it’s open source (free!) and does a good job of spotting potential leaks: it matches a rule set of regexes against every commit and uses string entropy as an extra signal.

It’s so easy for developers to accidentally commit a secret to a git repo, and so difficult to get rid of one once it’s been committed: the value lives on in the history and in every clone made since.

This blog post assumes you’re already comfortable using gitleaks and running bash scripts from the CLI.

The Problem

The first time you scan an old repository it can produce hundreds of findings, most of them false positives. Before we can add their fingerprints to .gitleaksignore (a file in the repo root listing one fingerprint per line), we need to confirm they are not real secrets.

Typically you’ll expect to see a gitleaks finding in this format:

Finding:     if auth == 'v4-unsigned-body'
Secret:      v4-unsigned-body
RuleID:      generic-api-key
Entropy:     3.625000
File:        lambdas/handler.py
Line:        142
Commit:      b32f0d047e4f_some_long_commit_id
Author:      rhu
Email:       redacted
Date:        2020-04-12T13:14:12Z
Fingerprint: b32f0d047e4f_some_long_commit_id:lambdas/handler.py:generic-api-key:142

The problem with this is that we only get the finding, not the context around that line of code.

Our pipeline may even mask the Finding and Secret (gitleaks’ --redact flag does exactly this) to stop potential secrets being written to the build logs.

In this case v4-unsigned-body is most likely an auth type rather than a hardcoded password (the generic-api-key rule matches a keyword such as auth or key followed by a value with enough entropy, so harmless identifiers trip it regularly), but we need the surrounding context to confirm. I have seen worse code than this in the wild.

I have written a quick bash script to help speed up the triaging.

The Script

gitl.sh

#!/bin/bash
# gitl.sh: show the code around a gitleaks finding, given its fingerprint.
# Fingerprint format: <commit>:<file>:<rule-id>:<line>
set -eu

# Number of lines of context to show either side of the flagged line
SHOW_LINES=5

if [ $# -ne 1 ]; then
    echo "usage: $0 <commit>:<file>:<rule-id>:<line>" >&2
    exit 1
fi

# Split the fingerprint from the right. The line number, rule ID and commit
# never contain ':', so a file path that does is still handled correctly.
line="${1##*:}"
rest="${1%:*}"
rule="${rest##*:}"
rest="${rest%:*}"
commit="${rest%%:*}"
file="${rest#*:}"

case "$line" in
    ''|*[!0-9]*) echo "error: '$1' does not end in a line number" >&2; exit 1 ;;
esac

echo ""
echo " * Commit:  $commit"
echo " * File:    $file"
echo " * Finding: $rule"
echo " * Line:    $line"
echo ""

# Fail early, with git's own message, if the file does not exist at that commit
git cat-file -e "$commit:$file"

# This is the magic, shows the context around the offending line for quicker
# triage. No eval here: the file path comes out of the repository being
# scanned, so it must never be pasted into a shell command string.
echo "### CONTEXT ###"
echo ""
# Pro tip: If you write bash scripts, then learn awk
git show "$commit:$file" \
    | awk -v start=$((line - SHOW_LINES)) -v end=$((line + SHOW_LINES)) \
          'NR >= start && NR <= end'
echo ""

# Show the user which line triggered the alert
echo "### OFFENDING LINE ###"
echo ""
git show "$commit:$file" | awk -v n="$line" 'NR == n'
echo ""

# Print out a command to view the full file quickly
echo "### VIEW FULL FILE ###"
echo ""
echo "    git show $commit:$file"
echo ""

Usage

Make sure the script has execute permissions. Bonus points if you create an alias for it.

./gitl.sh <insert_gitleaks_fingerprint>

So for example, this fingerprint was flagged as a possible issue to review:

./gitl.sh b32f0d047e4f_some_long_commit_id:lambdas/handler.py:generic-api-key:142

Running this command gives output like this:


 * Commit:  b32f0d047e4f_some_long_commit_id
 * File:    lambdas/handler.py
 * Finding: generic-api-key
 * Line:    142

### CONTEXT ###

        if signing_name == 's3':
            signature_version = 's3v4'

        # If the operation needs an unsigned body, we set additional context
        # allowing the signer to be aware of this.
        if auth == 'v4-unsigned-body':
            context['payload_signing_enabled'] = False

        return signature_version

### OFFENDING LINE ###

        if auth == 'v4-unsigned-body':

### VIEW FULL FILE ###

    git show b32f0d047e4f_some_long_commit_id:lambdas/handler.py

So based on this surrounding context we can quickly confirm that v4-unsigned-body isn’t a secret.

If you were still uncertain, then you can run the command shown to see the full file:

git show b32f0d047e4f_some_long_commit_id:lambdas/handler.py

This will save time jumping around the history and checking out old commit IDs.
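The script above handles one fingerprint at a time. For the first scan of a legacy repository it is quicker to apply the same idea to the whole report (gitleaks detect --report-format json --report-path gitleaks-report.json). The Python below is an added example, not code from the original post: it reads the JSON report, fetches each commit:file blob once with git show, prints the same context window for every finding, and merges the fingerprints you accept into .gitleaksignore. It relies only on the report keys Commit, File, RuleID, StartLine and Fingerprint; the sample report and blob contents are constructed for the demo, and treating a finding with an empty Commit as a working-tree file is an assumption.

```python
"""Batch triage of a gitleaks JSON report: added example, not from the post.

Generalises gitl.sh from one fingerprint to a whole report produced by
`gitleaks detect --report-format json`.
"""
import json
import subprocess
from typing import Callable, Dict, Iterable, List, Tuple

Finding = Dict[str, object]
BlobLoader = Callable[[str, str], str]

# Constructed sample report in the shape gitleaks writes; not real output.
# Only Commit, File, RuleID, StartLine and Fingerprint are used below.
SAMPLE_REPORT = json.dumps([{
    "RuleID": "generic-api-key",
    "Commit": "b32f0d047e4f",
    "File": "lambdas/handler.py",
    "StartLine": 3,
    "Secret": "REDACTED",  # what a --redact pipeline leaves you with
    "Fingerprint": "b32f0d047e4f:lambdas/handler.py:generic-api-key:3",
}])

# Constructed blob content standing in for `git show <commit>:<file>`.
SAMPLE_BLOBS = {
    "b32f0d047e4f:lambdas/handler.py":
        "def choose_signer(auth, context):\n"
        "    # unsigned payloads need extra context for the signer\n"
        "    if auth == 'v4-unsigned-body':\n"
        "        context['payload_signing_enabled'] = False\n"
        "    return 's3v4'\n",
}


def load_findings(report_text: str) -> List[Finding]:
    """gitleaks writes the JSON report as an array of finding objects."""
    findings = json.loads(report_text)
    if not isinstance(findings, list):
        raise ValueError("expected a JSON array of findings")
    return findings


def git_blob(commit: str, path: str) -> str:
    """Fetch the file as it was at `commit`, like `git show` in gitl.sh.
    Assumption: an empty Commit means a working-tree scan, so read the file
    directly. The path is an argv element, never shell text, so a hostile
    file name in the repo cannot inject commands on the triager's machine."""
    if not commit:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return subprocess.run(["git", "show", f"{commit}:{path}"],
                          check=True, capture_output=True, text=True).stdout


def context_window(text: str, line_no: int, radius: int = 5) -> List[str]:
    """Lines line_no-radius .. line_no+radius (1-indexed, inclusive), clamped
    to the file so a finding near the top or bottom still shows something."""
    lines = text.splitlines()
    start = max(line_no - radius, 1)
    end = min(line_no + radius, len(lines))
    return lines[start - 1:end]


def triage(findings: Iterable[Finding], loader: BlobLoader,
           radius: int = 5) -> Dict[str, Tuple[str, List[str]]]:
    """Map fingerprint -> (offending line, context lines); blobs are cached
    so a file with many findings is fetched only once."""
    cache: Dict[str, str] = {}
    out: Dict[str, Tuple[str, List[str]]] = {}
    for f in findings:
        commit, path, line_no = str(f["Commit"]), str(f["File"]), int(f["StartLine"])
        key = f"{commit}:{path}"
        if key not in cache:
            cache[key] = loader(commit, path)
        lines = cache[key].splitlines()
        offending = lines[line_no - 1] if 0 < line_no <= len(lines) else ""
        out[str(f["Fingerprint"])] = (offending, context_window(cache[key], line_no, radius))
    return out


def merge_ignore(existing: str, accepted: Iterable[str]) -> str:
    """.gitleaksignore content with the accepted fingerprints appended, one
    per line, skipping any already present."""
    lines = existing.splitlines()
    present = {line.strip() for line in lines}
    for fp in accepted:
        if fp not in present:
            lines.append(fp)
            present.add(fp)
    return "\n".join(lines) + "\n" if lines else ""


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Run the triage over the constructed sample, fully offline."""
    return triage(load_findings(SAMPLE_REPORT),
                  lambda c, p: SAMPLE_BLOBS[f"{c}:{p}"])


if __name__ == "__main__":
    import sys
    report = sys.argv[1] if len(sys.argv) > 1 else "gitleaks-report.json"
    with open(report, encoding="utf-8") as fh:
        for fp, (offending, ctx) in triage(load_findings(fh.read()), git_blob).items():
            print(f"\n=== {fp} ===\n" + "\n".join(ctx))
            print("--- offending line ---\n" + offending)
```

Run it from the repository root with the report path as its argument; once you have reviewed the output, pass the fingerprints you are happy with to merge_ignore together with the current contents of .gitleaksignore and write the result back. Keep the loader injectable as shown so the context logic can be exercised without a git checkout.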

Conclusion

Always scan your repos to avoid leaking secrets. I hope this bash script helps speed up your triage times for legacy repositories.

You will likely find that the majority of findings are false positives, but it only takes one leak to cause major issues.

If you do find a real secret then follow best practice and rotate it as soon as possible! Rewriting history is not enough on its own: anyone who has already cloned or forked the repository still has the old commit, so treat the secret as compromised and rotate it first.

Rhuaridh

Please get in touch through my socials if you would like to ask any questions - I am always happy to speak tech!