BlogSecrets

Catch secrets before commit with gitleaks and pre-commit

Block credentials at the git hook, scan history for what already leaked, and wire the same check into CI.

Feb 25, 2025·6 min readBeginner

The cheapest secret leak to fix is the one that never gets committed. gitleaks scans staged changes at the git hook and blocks the commit if it spots a key, token, or password. Wire the same binary into CI and history scanning and you have three layers for the price of one tool.

Block it at commit time

.pre-commit-config.yaml
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.4
hooks:
- id: gitleaks
bash — a caught secretlive
git commit -m "add config"
gitleaks............Failed
Finding: AWS Access Key File: config/prod.env:4
commit aborted — the key never enters history

Scan what already happened

bash — audit the whole repolive
gitleaks detect --source . --redact
3 leaks found across 1,204 commits
A leaked secret is a rotated secret
Rewriting history does not help — assume anything that was ever committed is compromised and rotate it. Then add the hook so it cannot happen again.

Backstop in CI

.gitlab-ci.yml
secret_scan:
image: zricethezav/gitleaks
script: [gitleaks detect --source . --no-git --redact]
Go deeper in a courseSecrets management foundationsWhere secrets belong, and how to keep them out of Git.View course

Related posts