
This is an extension for Azure DevOps that is a wrapper around gitleaks, created by Zachary Rice, for easy execution inside your pipeline. Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for finding secrets, past or present, in your code.

cliftonz1/azure-devops-gitleaks

Gitleaks

This Azure DevOps task downloads gitleaks and runs a gitleaks scan on the specified location.

  • Thanks to Zachary Rice for creating and maintaining gitleaks.
  • Thanks to Jesse Houwing for providing a gitleaks config that has most of Microsoft's deprecated credscan rules ported to it.

Please note:

  • Task version 1 supports older versions of GitLeaks (7.x).
  • Task version 2 supports the newer versions of GitLeaks (8.x and up).

The behaviour between task version 1 and 2 is different. See Changelog for changes.

YAML Snippet

# Run Gitleaks on Source Repository
- task: Gitleaks@2
  inputs:
    scanlocation: '$(Build.SourcesDirectory)'
    configtype: 'predefined'
    predefinedconfigfile: 'GitleaksUdmCombo.toml'
    reportformat: 'sarif'

Prerequisites

  • Linux/OSX-based agents require tar to unpack Gitleaks from GitHub
  • Windows-based agents require zip to unpack Gitleaks from GitHub

Original Authors

For any feedback on gitleaks itself, please reach out to Zachary Rice, who created and maintains gitleaks.

Any feedback on the Azure configuration file ('UDMSecretChecks.toml') is welcome. See Jesse Houwing's GitHub repo. The configuration file isn't as good as credscan was before: credscan had a bunch of helper functions to rule out false positives that aren't (yet) possible with gitleaks.

Contributions

Thanks to Dariusz Porowski for contributing and making awesome adjustments!

Thanks to John Lokerse for providing feedback on this extension.

Arguments for Version 2 of the Task

  • scanlocation: The location to be scanned. Defaults to $(Build.SourcesDirectory).
  • configtype: Can be 'default', 'predefined' or 'custom'. 'default' uses the GitLeaks default configuration. 'predefined' lets you select one of the predefined configurations. 'custom' lets you set a custom configuration file.
  • predefinedconfigfile: Can be 'UDMSecretChecksv8.toml' or 'GitleaksUdmCombo.toml'. 'UDMSecretChecksv8.toml' uses the CredScan config file provided by Jesse Houwing. 'GitleaksUdmCombo.toml' uses the default GitLeaks configuration combined with the CredScan configuration.
  • configfile: Sets the custom config file in your repo.
  • scanmode: 'all' scans all commits. 'prevalidation' scans only the commits that are part of a pull request. 'changes' scans only the changes between this build and the previous build. 'smart' detects the best scan mode. 'nogit' runs GitLeaks in no-git mode (flat file scan). 'custom' lets you provide custom -log-opts.
  • logoptions: When scanmode is set to 'custom', this allows you to fill in custom log options that are passed to GitLeaks.
  • redact: Redact secrets from log messages and leaks. Default is true.
  • taskfail: Sets the behavior of the task when secrets are detected. When set to true, the task fails. When set to false and secrets are present, the task ends with a warning. Default is true.
  • uploadresults: When set to true, the gitleaks results are uploaded as an artifact to Azure DevOps. Default is true.
  • reportformat: Sets the gitleaks report format. Default is 'sarif'.
  • reportname: Sets the report file name. By default the name starts with 'gitleaks-'.
  • verbose: When set to true, gitleaks prints verbose output. Default is false.
  • version: Version of GitLeaks to be used. See the GitLeaks GitHub page. Set to 'latest' to download the latest version of GitLeaks.
  • customtoollocation: Sets a custom location of GitLeaks. When set, GitLeaks is not downloaded but fetched from this location.
  • taskfailonexecutionerror: Sets the behavior of the task when an execution error occurs. When set to true, the task fails. When set to false and the task fails to execute, the task result is SucceededWithWarnings. Default is true.

Notes for GitHub repositories:

  • Only Git repositories hosted in Azure DevOps are supported for the prevalidation/smart scanning modes. This is because the extension fetches the pull request changes from the Azure DevOps API, and that API has no knowledge of PRs on GitHub.
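A fuller pipeline built from the version 2 arguments above, as an added example that is not part of the extension's README. It assumes the repository is hosted in Azure DevOps, contains a custom config at 'config/gitleaks.toml', and has a './build.sh' that stages output into $(Build.ArtifactStagingDirectory); the pinned version number is a placeholder.

```yaml
# Added example pipeline; not taken from the extension's README. It runs the
# Gitleaks@2 task twice: a history scan of the repository and a flat-file
# ('nogit') scan of the staged build output, which the history scan never sees.
# Placeholders: 'config/gitleaks.toml', './build.sh' and the pinned version.
trigger:
  - main
pr:
  - main
pool:
  vmImage: 'ubuntu-latest'   # Linux agent: tar is needed to unpack gitleaks

steps:
- checkout: self
  fetchDepth: 0              # a shallow clone hides older commits from the scan

# 1. Git history scan with the repo's own rules. 'smart' lets the task pick
#    the scan mode, so the same step serves PR validation and CI builds.
- task: Gitleaks@2
  displayName: 'Gitleaks: repository history'
  inputs:
    scanlocation: '$(Build.SourcesDirectory)'
    configtype: 'custom'
    configfile: 'config/gitleaks.toml'
    scanmode: 'smart'
    redact: true               # keep secret values out of the pipeline log
    reportformat: 'sarif'      # required for the SARIF SAST Scans Tab
    reportname: 'gitleaks-history'
    uploadresults: true
    taskfail: true             # findings fail the build
    taskfailonexecutionerror: true
    version: '8.18.0'          # pin the scanner instead of using 'latest'

- script: ./build.sh "$(Build.ArtifactStagingDirectory)"
  displayName: 'Build and stage artifacts'

# 2. Flat-file scan of what is about to be published: generated config files
#    and bundled assets are not committed, so only a 'nogit' scan covers them.
- task: Gitleaks@2
  displayName: 'Gitleaks: staged artifacts'
  inputs:
    scanlocation: '$(Build.ArtifactStagingDirectory)'
    configtype: 'predefined'
    predefinedconfigfile: 'GitleaksUdmCombo.toml'
    scanmode: 'nogit'
    redact: true
    reportformat: 'sarif'
    reportname: 'gitleaks-artifacts'   # distinct name so the two reports do not collide
    uploadresults: true
    taskfail: true
    version: '8.18.0'
```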

Arguments for Version 1 of the Task

  • scanfolder: The location to be scanned. Defaults to $(Build.SourcesDirectory). This is passed to gitleaks as '--path='.
  • configtype: Can be 'default', 'predefined' or 'custom'. 'default' uses the default gitleaks setup. When set to 'predefined' you can pass the argument 'predefinedconfigfile'. When set to 'custom' you need to pass the argument 'configfile' with the filename of your gitleaks config file.
  • predefinedconfigfile: When set to 'UDMSecretChecks.toml' it uses the CredScan config file provided by Jesse Houwing.
  • configfile: Sets the custom config file in your repo. Use a relative path within the scanfolder. Example: 'config/gitleaks.toml'.
  • verbose: When set to true, gitleaks prints verbose output.
  • nogit: When set to true, gitleaks is executed with the --no-git option.
  • scanonlychanges: When set to true, gitleaks scans only the changes for this build. It fetches the changes between this build and the previous build from the Azure DevOps API.
  • prevalidationbuild: When set to true, and the pipeline runs as part of pre-validation (pull request), this task automatically scans only the commits that will be merged after a successful build.
  • depth: Sets the number of commits to scan.
  • reportformat: Sets the gitleaks report format: JSON, CSV or SARIF (default: json).
  • uploadresults: When set to true, the gitleaks results are uploaded as an artifact to Azure DevOps.
  • redact: Redact secrets from log messages and leaks.
  • taskfail: Sets the behavior of the task when secrets are detected. When set to true, the task fails. When set to false and secrets are present, the task ends with a warning. Default is true.
  • taskfailonexecutionerror: Sets the behavior of the task when an execution error occurs. When set to true, the task fails. When set to false and the task fails to execute, the task result is SucceededWithWarnings. Default is true.
  • arguments: Provide extra arguments to gitleaks. See GitHub.
  • version: Version of gitleaks to be used. See the gitleaks GitHub page. Set to 'latest' to download the latest version of gitleaks.

SARIF display in Summary

You can display the gitleaks report nicely in your pipeline run summary. To do so, set reportformat to sarif and make sure your Azure DevOps organization has the SARIF SAST Scans Tab extension installed.

How do I remove a secret from git's history?

GitHub has a great article on this using the BFG Repo Cleaner.
