Gitleaks is a popular open source secret scanning tool. It scans a git repository for secrets that may have been leaked into the source code, walking back through the commit history to find secrets that were added and later removed.
Given its simplicity, it is well suited as a client-side scanning utility that developers run in their commit hooks. It checks the commits for secrets before they are pushed to a source code host such as GitHub or GitLab. This matters most for public-facing repositories, where even a branch with new code can be the source of a leaked credential.
However, when an organization undertakes a security overhaul of its repositories and implements secret scanning for the first time, it may find a treasure trove of secrets that have accumulated in those repositories over the years.
When working with multiple repos, gitleaks works well inside a script that scans every repository for possibly leaked secrets, which then need to be rotated and removed from the git history.
The one issue I ran into with this tool was the printing of the gitleaks banner every time the tool was used. This banner was printed to stderr, which caused issues when parsing the errors or findings from a script.
To fix this I submitted a pull request to the gitleaks repo that added an option to not print the banner on every run of the gitleaks command.
https://github.com/gitleaks/gitleaks/pull/852
The --no-banner flag was finally merged in and made running gitleaks in a script a breeze without filling up stderr with banner prints.
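As an added example (not code from this post or from the gitleaks project), a POSIX shell script of the kind described above: it enumerates the git repositories under a root directory, runs gitleaks with --no-banner on each so that stderr carries only genuine errors, and writes one JSON report per repository. It assumes gitleaks v8 is on PATH and that its detect subcommand accepts --source, --report-format and --report-path, with exit code 1 meaning findings were reported (gitleaks' default --exit-code).

```shell
#!/bin/sh
# Scan every git repository under a root directory with gitleaks.
# Assumptions (not from the original post): gitleaks v8 on PATH, the
# "detect" subcommand with --source/--report-format/--report-path, and
# exit codes 0 = clean, 1 = leaks found, anything else = tool error.

# Print every directory directly under $1 that holds a .git entry
# (a .git file covers worktrees and submodule checkouts).
list_repos() {
  root=$1
  for d in "$root"/*/; do
    if [ -e "${d}.git" ]; then
      printf '%s\n' "${d%/}"
    fi
  done
  return 0
}

# Scan one repository. The JSON report goes to $2; stderr goes to $3.
# With --no-banner, anything in $3 is a real error, not the banner.
scan_repo() {
  gitleaks detect --no-banner --source "$1" \
    --report-format json --report-path "$2" 2>"$3"
}

# Scan every repository under $1, writing <repo>.json and <repo>.stderr
# into $2, and print a one-line status per repository.
scan_all() {
  root=$1
  outdir=$2
  mkdir -p "$outdir"
  list_repos "$root" | while IFS= read -r repo; do
    name=$(basename "$repo")
    if scan_repo "$repo" "$outdir/$name.json" "$outdir/$name.stderr"; then
      rc=0
    else
      rc=$?
    fi
    case $rc in
      0) printf 'clean  %s\n' "$name" ;;
      1) printf 'LEAKS  %s (see %s/%s.json; rotate, then purge history)\n' \
           "$name" "$outdir" "$name" ;;
      *) printf 'ERROR  %s exit=%s: %s\n' "$name" "$rc" \
           "$(head -n 1 "$outdir/$name.stderr")" ;;
    esac
  done
}

# Usage: sh scan_repos.sh /srv/repos ./gitleaks-reports
if [ $# -ge 2 ]; then
  scan_all "$1" "$2"
fi
```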