├── .github ├── FUNDING.yml └── workflows │ └── gitleaks.yml ├── Dockerfile ├── action.yml ├── LICENSE ├── README.md ├── entrypoint.sh └── .gitleaks.toml /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: [zricethezav] 4 | custom: ["https://www.paypal.me/zricethezav"] 5 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM zricethezav/gitleaks:v7.3.0 2 | 3 | LABEL "com.github.actions.name"="gitleaks-action" 4 | LABEL "com.github.actions.description"="runs gitleaks on push and pull request events" 5 | LABEL "com.github.actions.icon"="shield" 6 | LABEL "com.github.actions.color"="purple" 7 | LABEL "repository"="https://github.com/zricethezav/gitleaks-action" 8 | 9 | ADD entrypoint.sh /entrypoint.sh 10 | ENTRYPOINT ["/entrypoint.sh"] 11 | -------------------------------------------------------------------------------- /.github/workflows/gitleaks.yml: -------------------------------------------------------------------------------- 1 | name: gitleaks 2 | 3 | on: [push, pull_request, workflow_dispatch] 4 | 5 | jobs: 6 | gitleaks: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - uses: actions/checkout@v1 10 | - name: gitleaks-action with defaults 11 | uses: zricethezav/gitleaks-action@master 12 | - name: gitleaks-action with config 13 | uses: zricethezav/gitleaks-action@master 14 | with: 15 | config-path: .gitleaks.yml 16 | -------------------------------------------------------------------------------- /action.yml: -------------------------------------------------------------------------------- 1 | name: Gitleaks 2 | description: Run Gitleaks on Push and PR events 3 | branding: 4 | color: purple 5 | icon: eye 6 | inputs: 7 | config-path: 8 | description: 'Path to config (relative to $GITHUB_WORKSPACE)' 9 | required: false 10 | 
default: '.github/.gitleaks.toml' 11 | outputs: 12 | result: # id of output 13 | description: 'Gitleaks log output' 14 | exitcode: # id of output 15 | description: 'Success for failure value from scan' 16 | runs: 17 | using: "docker" 18 | image: "Dockerfile" 19 | args: 20 | - ${{ inputs.config-path }} 21 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Zachary Rice 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

2 | gitleaks 3 |

4 | 5 | Gitleaks Action provides a simple way to run gitleaks in your CI/CD pipeline. 6 | 7 | 8 | ### Sample Workflow 9 | ``` 10 | name: gitleaks 11 | 12 | on: [push,pull_request] 13 | 14 | jobs: 15 | gitleaks: 16 | runs-on: ubuntu-latest 17 | steps: 18 | - uses: actions/checkout@v1 19 | - name: gitleaks-action 20 | uses: zricethezav/gitleaks-action@master 21 | ``` 22 | 23 | ### Using your own .gitleaks.toml configuration 24 | ``` 25 | name: gitleaks 26 | 27 | on: [push,pull_request] 28 | 29 | jobs: 30 | gitleaks: 31 | runs-on: ubuntu-latest 32 | steps: 33 | - uses: actions/checkout@v1 34 | - name: gitleaks-action 35 | uses: zricethezav/gitleaks-action@master 36 | with: 37 | config-path: security/.gitleaks.toml 38 | ``` 39 | > The `config-path` is relative to your GitHub Workspace (`$GITHUB_WORKSPACE`). If no file exists at that path, the action falls back to gitleaks' built-in rules instead of failing, so double-check the path. 40 | 41 | ### NOTE!!! 42 | You must use `actions/checkout` before the gitleaks-action step. If you are using `actions/checkout@v2`, set `fetch-depth` explicitly: its default of 1 fetches only a single commit, which leaves gitleaks no history to scan. 43 | 44 | ex: 45 | ``` 46 | steps: 47 | - uses: actions/checkout@v2 48 | with: 49 | fetch-depth: '0' 50 | - name: gitleaks-action 51 | uses: zricethezav/gitleaks-action@master 52 | ``` 53 | 54 | Using a `fetch-depth` of '0' clones the entire history. If you want a more efficient clone, use '2', but that is not guaranteed to work with pull requests: on `pull_request` events the action scans the commits that are not on `origin/<base-branch>`, and a shallow clone may not contain that branch. The examples above reference `@master` and `@v1` for brevity; for a reproducible, tamper-resistant pipeline, pin both actions to a release tag or commit SHA.
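55 | --------------------------------------------------------------------------------
/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Entrypoint of the gitleaks GitHub Action. action.yml runs this script inside
# the zricethezav/gitleaks image and passes inputs.config-path as $1.
#
# Arguments
#   $1  optional gitleaks config file, relative to $GITHUB_WORKSPACE.
#
# Environment
#   GITHUB_WORKSPACE   checked-out repository to scan (required)
#   GITHUB_EVENT_NAME  "pull_request" scans only the PR's commits; any other
#                      event scans the last $GITLEAKS_DEPTH commits (required)
#   GITHUB_BASE_REF    PR base branch, used to select the PR's commits
#   GITHUB_OUTPUT      step-outputs file: "exitcode" receives gitleaks' numeric
#                      exit status, "result" receives its log output
#   GITLEAKS_DEPTH     number of commits scanned on non-PR events (default 5)
#
# Exit status: 0 no leaks, 1 leaks found, 2 the scan could not be run at all
# (missing environment, git failure), otherwise gitleaks' own non-zero status.

INPUT_CONFIG_PATH="${1:-}"
DEPTH="${GITLEAKS_DEPTH:-5}"

for required in GITHUB_WORKSPACE GITHUB_EVENT_NAME; do
    if [ -z "${!required}" ]; then
        echo "::error::$required is not set; this script must run as a GitHub Action"
        exit 2
    fi
done

# Pass a custom config only when the file exists. Falling back to gitleaks'
# built-in rules is kept for compatibility, but a mistyped path would otherwise
# weaken the scan without anyone noticing, so announce the fallback in the log.
CONFIG=()
if [ -n "$INPUT_CONFIG_PATH" ]; then
    if [ -f "$GITHUB_WORKSPACE/$INPUT_CONFIG_PATH" ]; then
        CONFIG=("--config-path=$GITHUB_WORKSPACE/$INPUT_CONFIG_PATH")
    else
        echo "::warning::config-path '$INPUT_CONFIG_PATH' not found under the workspace; scanning with gitleaks' default rules"
    fi
fi

echo "running gitleaks $(gitleaks --version) with the following command👇"

DONATE_MSG="👋 maintaining gitleaks takes a lot of work so consider sponsoring me or donating a little something\n\e[36mhttps://github.com/sponsors/zricethezav\n\e[36mhttps://www.paypal.me/zricethezav\n"

if [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
    # Scan exactly the commits the PR adds on top of its base branch. This needs
    # origin/<base> in the local clone, which a shallow checkout may lack; the
    # list goes to a temp file rather than into the workspace being scanned.
    COMMIT_LIST="$(mktemp)"
    trap 'rm -f "$COMMIT_LIST"' EXIT
    if ! git --git-dir="$GITHUB_WORKSPACE/.git" log --left-right --cherry-pick --pretty=format:"%H" "remotes/origin/$GITHUB_BASE_REF..." > "$COMMIT_LIST"; then
        echo "::error::could not list the pull request's commits against origin/$GITHUB_BASE_REF (is the checkout deep enough?)"
        exit 2
    fi
    echo gitleaks --path="$GITHUB_WORKSPACE" --verbose --depth="$DEPTH" --redact --commits-file="$COMMIT_LIST" "${CONFIG[@]}"
    CAPTURE_OUTPUT=$(gitleaks --path="$GITHUB_WORKSPACE" --verbose --depth="$DEPTH" --redact --commits-file="$COMMIT_LIST" "${CONFIG[@]}")
    SCAN_STATUS=$?
else
    # push and every other event (e.g. workflow_dispatch): scan the most recent
    # commits of the checked-out repository. Previously anything but push/PR ran
    # no scan at all and still reported success.
    echo gitleaks --depth="$DEPTH" --path="$GITHUB_WORKSPACE" --verbose --redact "${CONFIG[@]}"
    CAPTURE_OUTPUT=$(gitleaks --depth="$DEPTH" --path="$GITHUB_WORKSPACE" --verbose --redact "${CONFIG[@]}")
    SCAN_STATUS=$?
fi

if [ -n "${GITHUB_OUTPUT:-}" ]; then
    # A multi-line value needs the heredoc form of $GITHUB_OUTPUT. The delimiter
    # is randomised so that content quoted from the scanned repository in the
    # gitleaks report cannot terminate the value early and smuggle in outputs.
    DELIM="gitleaks-result-$$-$RANDOM$RANDOM"
    {
        echo "exitcode=$SCAN_STATUS"
        echo "result<<$DELIM"
        echo "$CAPTURE_OUTPUT"
        echo "$DELIM"
    } >> "$GITHUB_OUTPUT"
else
    echo "::warning::GITHUB_OUTPUT is not set; the exitcode and result outputs will not be published"
fi

case "$SCAN_STATUS" in
    0)
        echo -e "\e[32m✅ SUCCESS! Your code is good to go!"
        echo "------------------------------------"
        echo -e "$DONATE_MSG"
        ;;
    1)
        echo -e "\e[31m🛑 STOP! Gitleaks encountered leaks"
        echo "----------------------------------"
        echo "$CAPTURE_OUTPUT"
        echo "----------------------------------"
        echo -e "$DONATE_MSG"
        exit 1
        ;;
    *)
        # gitleaks did not finish (bad config, git error, ...). Only status 1
        # used to fail the job, so every other error was reported as SUCCESS;
        # a scanner that cannot run must fail closed, not wave leaks through.
        echo "::error::gitleaks did not complete the scan (exit status $SCAN_STATUS)"
        echo "$CAPTURE_OUTPUT"
        exit "$SCAN_STATUS"
        ;;
esac
--------------------------------------------------------------------------------
/.gitleaks.toml:
--------------------------------------------------------------------------------
title = "gitleaks config"
[[rules]]
description = "AWS Manager ID"
regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
tags = ["key", "AWS"]
[[rules]]
description = "AWS Secret Key"
regex = '''(?i)aws(.{0,20})?(?-i)['\"][0-9a-zA-Z\/+]{40}['\"]'''
tags = ["key", "AWS"]
[[rules]]
description = "AWS MWS key"
regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
tags = ["key", "AWS", "MWS"]
[[rules]]
description = "Facebook Secret Key"
regex = '''(?i)(facebook|fb)(.{0,20})?(?-i)['\"][0-9a-f]{32}['\"]'''
tags = ["key", "Facebook"]
[[rules]]
description = "Facebook Client ID"
regex = '''(?i)(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]'''
tags = ["key", "Facebook"]
[[rules]]
description = "Twitter Secret Key"
regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{35,44}['\"]'''
tags = ["key", "Twitter"]
[[rules]]
description = "Twitter Client ID"
regex = '''(?i)twitter(.{0,20})?['\"][0-9a-z]{18,25}['\"]'''
tags = ["client", "Twitter"]
[[rules]]
description = "Github"
regex = '''(?i)github(.{0,20})?(?-i)['\"][0-9a-zA-Z]{35,40}['\"]'''
tags = ["key", "Github"]
[[rules]]
description = "LinkedIn Client ID"
regex = '''(?i)linkedin(.{0,20})?(?-i)['\"][0-9a-z]{12}['\"]'''
tags = ["client", "LinkedIn"]
[[rules]]
description = "LinkedIn Secret Key"
regex = '''(?i)linkedin(.{0,20})?['\"][0-9a-z]{16}['\"]'''
tags = ["secret", "LinkedIn"]
[[rules]]
description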
= "Slack" 44 | regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?''' 45 | tags = ["key", "Slack"] 46 | [[rules]] 47 | description = "Asymmetric Private Key" 48 | regex = '''-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----''' 49 | tags = ["key", "AsymmetricPrivateKey"] 50 | [[rules]] 51 | description = "Generic Credential" 52 | regex = '''(?i)(api_key|apikey|secret)(.{0,20})?['|"][0-9a-zA-Z]{16,45}['|"]''' 53 | tags = ["key", "API", "generic"] 54 | [[rules]] 55 | description = "Google API key" 56 | regex = '''AIza[0-9A-Za-z\\-_]{35}''' 57 | tags = ["key", "Google"] 58 | [[rules]] 59 | description = "Heroku API key" 60 | regex = '''(?i)heroku(.{0,20})?['"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]''' 61 | tags = ["key", "Heroku"] 62 | [[rules]] 63 | description = "MailChimp API key" 64 | regex = '''(?i)(mailchimp|mc)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]''' 65 | tags = ["key", "Mailchimp"] 66 | [[rules]] 67 | description = "Mailgun API key" 68 | regex = '''(?i)(mailgun|mg)(.{0,20})?['"][0-9a-z]{32}['"]''' 69 | tags = ["key", "Mailgun"] 70 | [[rules]] 71 | description = "PayPal Braintree access token" 72 | regex = '''access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}''' 73 | tags = ["key", "Paypal"] 74 | [[rules]] 75 | description = "Picatic API key" 76 | regex = '''sk_live_[0-9a-z]{32}''' 77 | tags = ["key", "Picatic"] 78 | [[rules]] 79 | description = "SendGrid API Key" 80 | regex = '''SG\.[\w_]{16,32}\.[\w_]{16,64}''' 81 | tags = ["key", "SendGrid"] 82 | [[rules]] 83 | description = "Slack Webhook" 84 | regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}''' 85 | tags = ["key", "slack"] 86 | [[rules]] 87 | description = "Stripe API key" 88 | regex = '''(?i)stripe(.{0,20})?['\"][sk|rk]_live_[0-9a-zA-Z]{24}''' 89 | tags = ["key", "Stripe"] 90 | [[rules]] 91 | description = "Square access token" 92 | regex = '''sq0atp-[0-9A-Za-z\-_]{22}''' 93 | tags = ["key", "square"] 94 | [[rules]] 95 | description 
= "Square OAuth secret" 96 | regex = '''sq0csp-[0-9A-Za-z\\-_]{43}''' 97 | tags = ["key", "square"] 98 | [[rules]] 99 | description = "Twilio API key" 100 | regex = '''(?i)twilio(.{0,20})?['\"][0-9a-f]{32}['\"]''' 101 | tags = ["key", "twilio"] 102 | [allowlist] 103 | description = "Allowlisted files" 104 | files = ['''^\.?gitleaks.toml$''', 105 | '''(.*?)(jpg|gif|doc|pdf|bin)$''', 106 | '''(go.mod|go.sum)$''', 107 | '''.*\/test\/.*'''] 108 | --------------------------------------------------------------------------------