From 08eb1eee60e6e525fd7a9863cb3891d3a22aa886 Mon Sep 17 00:00:00 2001
From: Charles Danesi
Date: Wed, 24 Sep 2025 20:32:50 -0400
Subject: [PATCH] add gitleaks scan for CI/CD
---
 .gitlab-ci.yml | 17 +++++++++++++++++
 gitleaks.toml | 25 +++++++++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 .gitlab-ci.yml
 create mode 100644 gitleaks.toml
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..8a5843e
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,17 @@
+---
+gitleaks_scan:
+ image:
+ name: zricethezav/gitleaks:latest
+ entrypoint: [""]
+ stage: test
+ tags: [gitleaks, scan]
+ script:
+ - gitleaks detect --source=. --config=gitleaks.toml --report-format=json --report-path=gitleaks-report.json
+ allow_failure: false
+ only: [main, testing, merge_requests]
+
+ artifacts:
+ when: always
+ paths:
+ - gitleaks-report.json
+ expire_in: 1 week
\ No newline at end of file
diff --git a/gitleaks.toml b/gitleaks.toml
new file mode 100644
index 0000000..3abe3c8
--- /dev/null
+++ b/gitleaks.toml
@@ -0,0 +1,25 @@
+title = "Gitleaks Docker Compose CI/CD Config"
+
+[[rules]]
+id = "docker-env-password"
+description = "Possible password in docker-compose environment"
+regex = '''(?i)([A-Z0-9_]*(PASSWORD|PASS|PWD))[=:]\s*['"]?[A-Za-z0-9!@#$%^&*()_+={}\[\]:;,.<>?~-]{6,}['"]?'''
+tags = ["docker", "compose", "password", "env"]
+
+[[rules]]
+id = "docker-env-secret"
+description = "Generic secret or token in docker-compose environment"
+regex = '''(?i)(SECRET|TOKEN|API[_-]?KEY)[=:]\s*['"]?[A-Za-z0-9_\-]{16,}['"]?'''
+tags = ["docker", "compose", "secret", "env"]
+
+[[rules]]
+id = "aws-credentials"
+description = "AWS Access Key or Secret"
+regex = '''(AKIA[0-9A-Z]{16}|(?i)aws[_-]secret[_-]access[_-]key\s*[:=]\s*[A-Za-z0-9/+=]{40})'''
+tags = ["aws", "compose", "credentials"]
+
+[[rules]]
+id = "private-key"
+description = "Private key detected"
+regex = '''-----BEGIN( RSA| EC| DSA)? PRIVATE KEY-----'''
+tags = ["key", "pem", "compose"]
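Review bot: The scanner image on the `name:` line is pulled as `zricethezav/gitleaks:latest`, so each pipeline run executes whatever that tag currently points to and a scan cannot be reproduced later; pin it to a specific version tag (or an image digest) and bump it deliberately. The JSON report produced by the `gitleaks detect` line carries the matched secret values themselves, and it is uploaded `when: always` as an artifact kept for a week, so anyone with artifact access to the project can read every finding in clear — add `--redact` to the detect command (and/or restrict artifact access) so the report records locations rather than values. If the runner uses GitLab's default shallow clone (`GIT_DEPTH`), `detect` only sees the fetched commits and older history is never scanned; setting `GIT_DEPTH: 0` under a `variables:` key in this job gives the full-history scan the `main` branch presumably wants. As a style point, `only:` is the deprecated form and `rules:` is the current equivalent.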
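Review bot: The file declares four `[[rules]]` entries but no `[extend]` table, and a custom config passed via `--config` replaces gitleaks' built-in ruleset rather than adding to it, so this job stops detecting everything the defaults cover; add `[extend]` followed by `useDefault = true` directly under the `title` line so these four rules extend the defaults instead. The `docker-env-password` regex also matches compose-style environment references such as `DB_PASSWORD=${DB_PASSWORD}`, because `$`, `{` and `}` are all in its value character class, which will fail the pipeline on every file that reads credentials from the environment rather than hard-coding them; a per-rule `[rules.allowlist]` with `regexes = ['''\$\{[A-Za-z0-9_]+\}''']` suppresses those matches without weakening the rule. The `private-key` regex accepts only the RSA/EC/DSA and unqualified headers and misses `OPENSSH PRIVATE KEY`, `ENCRYPTED PRIVATE KEY` and `PGP PRIVATE KEY BLOCK`; `regex = '''-----BEGIN( RSA| EC| DSA| OPENSSH| ENCRYPTED| PGP)? PRIVATE KEY( BLOCK)?-----'''` covers them.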