Git Leaks (the Gitleaks secret scanner, listed under Static Security Scanners in Strobes) detects hard-coded secrets such as passwords, API keys, and tokens in your repositories. You can find the complete list of secret types (Gitleaks rules) it detects here.
In order to identify secrets across all your Github repositories, you need to configure your Github credentials first. More about how to set up your Github credentials here. Once your credentials are configured, follow these steps:
- Navigate to 'Git Leaks' under 'Static Security Scanners' in the connectors page.
- Click on 'Add Workflow'.
- In the first step, you will be prompted to enter a 'Configuration Name' and select the 'Baseline' that decides which vulnerabilities get logged. With the baseline set to 'Strict', vulnerabilities of all severities are logged; with the baseline set to 'High', only vulnerabilities of 'Critical' and 'High' severity are logged.
NOTE: Configuration names must be unique; you cannot reuse a name that already exists.
- In the second step, select the 'Version Control System' option as 'Github'.
- Select your Github Credential.
- Now choose the repositories for which you want to set up the Git Leaks configuration.
NOTE: By default all the repositories will be selected.
- Select the agent as 'Strobes Default Agent'.
- Choose whether to enable 'Smart Close' for the vulnerabilities this configuration reports. More about smart close here.
- Select the frequency at which you want to run the Git Leaks scan on your repositories.
- In the third step you can choose any Tracking & Notification tool configurations if needed and click on Submit.
- A configuration has now been created for you.
- Click on 'New Scan' to identify secrets in your repositories. You will be prompted to enter a 'Branch' name; if you leave it empty, the scan runs against each repository's default branch.
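Before wiring a repository into the connector, it is worth reproducing what the scan will see by running Gitleaks locally on the same branch and applying the same baseline rule to its report. The script below is an added example, not part of Strobes or of Gitleaks. It assumes the `gitleaks` v8 CLI is on your PATH and the repository is already cloned; because Gitleaks itself reports only a `RuleID` and no severity, the rule-to-severity table is an assumption made for illustration (the platform's own mapping is not documented on this page), and the sample report embedded at the bottom is constructed.

```python
"""Run gitleaks on a chosen branch and apply a Strict/High baseline to the report.

Added example (not Strobes or gitleaks code). Assumes `gitleaks` v8 on PATH and a
local clone; ASSUMED_SEVERITY is an illustrative mapping, since gitleaks reports
no severity of its own.
"""
import json
import subprocess
from pathlib import Path
from typing import List, Optional

# ASSUMPTION: which severity each gitleaks rule would be logged as.
ASSUMED_SEVERITY = {
    "aws-access-token": "Critical",
    "github-pat": "Critical",
    "private-key": "Critical",
    "slack-webhook-url": "High",
    "generic-api-key": "Medium",
}
DEFAULT_SEVERITY = "Low"

# Baseline semantics from the page: Strict logs everything, High logs only Critical and High.
BASELINES = {
    "Strict": {"Critical", "High", "Medium", "Low", "Info"},
    "High": {"Critical", "High"},
}


def build_scan_commands(repo: Path, branch: Optional[str], report: Path) -> List[List[str]]:
    """Commands to check out the requested branch (or stay on the clone's default
    branch when none is given, as 'New Scan' does) and run gitleaks."""
    cmds = []
    if branch:
        cmds.append(["git", "-C", str(repo), "checkout", "--quiet", branch])
    cmds.append([
        "gitleaks", "detect",
        "--source", str(repo),
        "--report-format", "json",
        "--report-path", str(report),
        "--redact",          # keep the raw secret values out of the report file
        "--exit-code", "0",  # read findings from the report instead of failing on exit status 1
    ])
    return cmds


def run_scan(repo: Path, branch: Optional[str], report: Path) -> List[dict]:
    """Execute the commands and return the parsed findings (needs gitleaks installed)."""
    for cmd in build_scan_commands(repo, branch, report):
        subprocess.run(cmd, check=True)
    return load_findings(report.read_text())


def load_findings(report_json: str) -> List[dict]:
    """Parse a gitleaks JSON report (a list of findings) and attach the assumed severity."""
    findings = json.loads(report_json)
    for finding in findings:
        finding["Severity"] = ASSUMED_SEVERITY.get(finding["RuleID"], DEFAULT_SEVERITY)
    return findings


def apply_baseline(findings: List[dict], baseline: str) -> List[dict]:
    """Keep only the findings the chosen baseline would log."""
    allowed = BASELINES[baseline]
    return [f for f in findings if f["Severity"] in allowed]


def dedupe(findings: List[dict]) -> List[dict]:
    """One entry per gitleaks Fingerprint (commit:file:rule:line), the natural key
    for telling a re-reported finding from a new one."""
    seen = {}
    for finding in findings:
        seen.setdefault(finding["Fingerprint"], finding)
    return list(seen.values())


# Constructed sample report in gitleaks' JSON shape (subset of fields); the third
# entry repeats the first's fingerprint, as a re-scan of the same commit would.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "File": "config/settings.py", "StartLine": 12,
     "Commit": "0123abc", "Secret": "REDACTED",
     "Fingerprint": "0123abc:config/settings.py:aws-access-token:12"},
    {"RuleID": "generic-api-key", "File": "scripts/deploy.sh", "StartLine": 4,
     "Commit": "0123abc", "Secret": "REDACTED",
     "Fingerprint": "0123abc:scripts/deploy.sh:generic-api-key:4"},
    {"RuleID": "aws-access-token", "File": "config/settings.py", "StartLine": 12,
     "Commit": "0123abc", "Secret": "REDACTED",
     "Fingerprint": "0123abc:config/settings.py:aws-access-token:12"},
])

if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    for baseline in BASELINES:
        kept = dedupe(apply_baseline(findings, baseline))
        print(f"{baseline}: {len(kept)} unique finding(s) would be logged")
```

Running the script against the embedded sample shows the effect of the baseline choice: 'Strict' logs both unique findings, 'High' drops the Medium-rated generic key and logs only the AWS token. For a real repository, call `run_scan(Path("path/to/clone"), "release-1.2", Path("gitleaks.json"))`; leaving the branch as `None` scans whatever branch the clone currently has checked out, which matches the connector's default-branch behaviour only if you cloned without switching branches.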