scanner-gitleaks
OWASP secureCodeBox is an automated and scalable open source solution that can be used to integrate various security vulnerability scanners with a simple and lightweight interface. The secureCodeBox mission is to support DevSecOps Teams to make it easy to automate security vulnerability testing in different scenarios.
With the secureCodeBox we provide a toolchain for continuous scanning of applications to find the low-hanging fruit issues early in the development process and free the resources of the penetration tester to concentrate on the major security issues.
The secureCodeBox project runs on Kubernetes. To install it you need Helm, a package manager for Kubernetes. It is also possible to start the individual integrated security vulnerability scanners directly on a Docker infrastructure.
You can find resources to help you get started on our documentation website, including instructions on how to install the secureCodeBox project and guides to help you run your first scans with it.
Supported tags: latest (represents the latest stable release build), v7.6.1

This scanner image is intended to work in combination with the corresponding parser image, which parses the scanner findings into generic secureCodeBox results. For more details please take a look at the project page or the documentation page (https://docs.securecodebox.io/docs/scanners/gitleaks).
docker pull securecodebox/scanner-gitleaks
Gitleaks is a free and open source tool for finding secrets in git repositories. These secrets could be passwords, API keys, tokens, private keys or suspicious file names or file extensions like id_rsa, .pem, htpasswd. Furthermore, gitleaks can scan your whole repository's history with all commits up to the initial one.
To learn more about gitleaks visit https://github.com/zricethezav/gitleaks.
For a complete overview of the configuration options, check out the Gitleaks documentation.
The only mandatory parameters are:

- -r: The link to the repository you want to scan.
- --access-token: Only for non-public repositories.
- --username and --password: Only for non-public repositories.
- --config-path: The ruleset you want to use.

At this point we provide three rulesets which you can pass to the --config-path option:

- /home/config_all.toml: Includes every rule.
- /home/config_filenames_only.toml: Gitleaks scans only file names and extensions.
- /home/config_no_generics.toml: No generic rules like searching for the word password. With this option you won't find something like password = Ej2ifDk2jfeo2, but it will reduce the resulting false positives.

If you would like to provide your own custom ruleset, you can create a ConfigMap and mount it into the scan. Check out the examples for more information about providing your own gitleaks rules config.
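As an added example (not part of this image's own documentation or the secureCodeBox project's example files), the following shows how the parameters above translate into secureCodeBox Scan resources: one scan using a built-in ruleset, and one using a custom ruleset supplied through a ConfigMap. It assumes the Scan CRD is served at execution.securecodebox.io/v1, that the scan type is named "gitleaks", and that the Scan spec accepts Kubernetes-style volumes and volumeMounts; the repository URL, resource names and the rule itself are constructed placeholders.

```yaml
# Added example: secureCodeBox Scan resources for the gitleaks scanner.
# Assumptions (not stated on the page): the Scan CRD is served at
# execution.securecodebox.io/v1, the scan type is "gitleaks", and the
# Scan spec accepts volumes/volumeMounts. Repo URL and names are placeholders.
apiVersion: execution.securecodebox.io/v1
kind: Scan
metadata:
  name: gitleaks-example-repo              # constructed name
spec:
  scanType: "gitleaks"
  parameters:
    - "-r"
    - "https://github.com/example-org/example-repo"   # placeholder public repo
    - "--config-path"
    - "/home/config_no_generics.toml"      # built-in ruleset without generic rules
---
# Custom ruleset: the gitleaks TOML rules live in a ConfigMap that is mounted
# into the scan container and referenced via --config-path.
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitleaks-custom-rules              # constructed name
data:
  config.toml: |
    # Minimal constructed gitleaks ruleset with a single rule
    title = "custom rules"

    [[rules]]
      description = "AWS Access Key ID"
      regex = '''AKIA[0-9A-Z]{16}'''
      tags = ["aws", "key"]
---
apiVersion: execution.securecodebox.io/v1
kind: Scan
metadata:
  name: gitleaks-example-repo-custom-rules # constructed name
spec:
  scanType: "gitleaks"
  parameters:
    - "-r"
    - "https://github.com/example-org/example-repo"   # placeholder public repo
    - "--config-path"
    - "/home/custom-rules/config.toml"     # path where the ConfigMap is mounted below
  volumes:
    - name: custom-rules
      configMap:
        name: gitleaks-custom-rules
  volumeMounts:
    - name: custom-rules
      mountPath: /home/custom-rules
      readOnly: true
```

Apply the manifests with `kubectl apply -f` and follow progress with `kubectl get scans`; once the scanner job finishes, the parser image turns the gitleaks report into secureCodeBox findings. Keeping the ruleset in a ConfigMap next to the Scan definition lets you version and review rule changes together with the scan configuration rather than rebuilding the scanner image.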
You are welcome, please join us on... 👋
secureCodeBox is an official OWASP project.
As with all Docker images, these likely also contain other software which may be under other licenses (such as Bash, etc from the base distribution, along with any direct or indirect dependencies of the primary software being contained).
As for any pre-built image usage, it is the image user's responsibility to ensure that any use of this image complies with any relevant licenses for all software contained within.
Content type: Image. Size: 17.1 MB. Last updated: almost 4 years ago.