Many teams use non-masked GitLab CI variables and print sensitive data to CI stdout. This scanner helps you identify such repositories so that the sensitive data can then be masked or removed from the job logs.
```bash
docker build -t whitespots/gitlab-ci-secrets .
docker run -it \
-e "gitlab_private_token=<user_token_read_api>" \
-e "gitlab_hostname=https://gitlab.com/" \
-e "pipeline_count_to_check=1" \
-e "check_for_false_positives=True" \
whitespots/gitlab-ci-secrets
```
The latest version has the following parameters:

- `gitlab_private_token` (visit /-/profile/personal_access_tokens to get yours; it should have `read_api` access)
- `gitlab_hostname` sets your corporate GitLab. By default - https://gitlab.com/
- `pipeline_count_to_check` defines how many pipelines per project to scan. By default - 1. Set 0 for unlimited
- `check_for_false_positives` is True by default. It checks for `${` constructions in findings (a variable printed unexpanded rather than its value) to avoid FPs
You can add any custom pattern in patterns.json and mount it into your docker container like this (run from the directory that contains patterns.json):

```bash
docker run -it \
-e "gitlab_private_token=<user_token_read_api>" \
-e "gitlab_hostname=https://gitlab.com/" \
-e "pipeline_count_to_check=1" \
-e "check_for_false_positives=True" \
-v $(pwd):/app \
whitespots/gitlab-ci-secrets
```
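To make the two mechanisms above concrete (custom patterns from patterns.json and the `${` false-positive check), here is an added, self-contained example that is not part of the scanner's own code: it runs a patterns.json-style mapping over a constructed job log and drops lines where the variable was printed unexpanded. The exact schema of patterns.json and the regexes are assumptions; the log and key values are constructed.

```python
import re

# Constructed patterns in the assumed patterns.json shape: finding name -> regex.
PATTERNS = {
    "aws_access_key_id": r"AKIA[0-9A-Z]{16}",
    "generic_password": r"(?i)password\s*[=:]\s*\S+",
}

# Constructed job log imitating CI stdout: line 3 echoes the command with the
# variable unexpanded (no leak); lines 2 and 4 print real values (leaks).
SAMPLE_LOG = """\
$ echo "Deploying with $AWS_ACCESS_KEY_ID"
Deploying with AKIAIOSFODNN7EXAMPLE
$ ./deploy --password=${DEPLOY_PASSWORD}
Deployed as admin with password: hunter2
"""


def scan_log(log, patterns=PATTERNS, check_for_false_positives=True):
    """Return (line_no, pattern_name, matched_text) for each hit in a job log.

    With check_for_false_positives=True a line containing '${' is skipped:
    GitLab left the variable unexpanded, so no secret value was exposed.
    """
    compiled = {name: re.compile(rx) for name, rx in patterns.items()}
    findings = []
    for line_no, line in enumerate(log.splitlines(), start=1):
        if check_for_false_positives and "${" in line:
            continue
        for name, rx in compiled.items():
            match = rx.search(line)
            if match:
                findings.append((line_no, name, match.group(0)))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Each finding points at a job-log line whose variable should be marked as masked in the project's CI/CD settings (and the exposed value rotated).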
- Passing config path as an argument
- DefectDojo integration
