BlogSecrets
Catch secrets before commit with gitleaks and pre-commit
Block credentials at the git hook, scan history for what already leaked, and wire the same check into CI.
The cheapest secret leak to fix is the one that never gets committed. gitleaks scans staged changes at the git hook and blocks the commit if it spots a key, token, or password. Wire the same binary into CI and history scanning and you have three layers for the price of one tool.
Block it at commit time
.pre-commit-config.yaml
repos:- repo: https://github.com/gitleaks/gitleaksrev: v8.18.4hooks:- id: gitleaks
git commit -m "add config"gitleaks............Failed Finding: AWS Access Key File: config/prod.env:4commit aborted — the key never enters historyScan what already happened
gitleaks detect --source . --redact3 leaks found across 1,204 commitsA leaked secret is a rotated secret
Rewriting history does not help — assume anything that was ever committed is compromised and rotate it. Then add the hook so it cannot happen again.
Backstop in CI
.gitlab-ci.yml
secret_scan:image: zricethezav/gitleaksscript: [gitleaks detect --source . --no-git --redact]