Tooling: GitLab SaaS
OpenSource Component: GitLeaks
Environment: GitLab Pages
Estimated Time: 10 mins
One of the very first things you should add to your repository is secret scanning. This will give you the ability to get notified of a potential security credential being leaked by the repository. In general, you should be adding a pre-commit hook to prevent it earlier in the process, but is also good to do it as part of the pipeline processing and ability to have an audit trail.
The easiest way to enable this In is to go to the Configuration section in Security and Compliance and enable Secret Detection. Review the change and submit.
In the Pipeline area you should now see an additional stage.
The Ultimate version of GitLab will give you a great view of the finding in the Security and Compliance sections, however, If you are using the basic GitLab version and don’t have access to Premium or Ultimate you will have to download the json version and view it manually.
Other configurations can be found here: https://docs.gitlab.com/ee/user/application_security/secret_detection/index.html#configuration
Other Secret Scanning Tools:
GitGuardian
Removing secrets already committed: BFG
After reading the documents on BFG, here are some key elements to getting it to work with GitLab.
Close all pull requests and recommend deleting any branches, this is going to cause issues if you don’t do this as the hash keys will change which is linking your repos to pull requests.
Create a passwords.txt file with the passwords you want to remove
Make sure the bfg<version>.jar is in the directory you want to run and java is installed and run the following.
java -jar bfg-1.14.0.jar --replace-text passwords.txt
git reflog expire --expire=now --all
git gc --prune=now --aggressive
git commit -m "Removing Secrets"
In GitLab you will want to turn off your protection on the main branch.
git push --forceAfter a successful push, reenable the protection on the main branch.
Looking back on the history you will see ***REMOVED*** where the key/password was.
Be First to Comment