Hello,

I wanted to provide different location to tool repository then its original github location. I have the gitleaks repo cloned but passing the address to my repository as a customtoollocation argument unfortunately doesn't work. I wanted to add a screenshot here but for some reason it's not possible, but the error message is as follows:
##[error]Gitleaks cannot be found at https:/dev.azure.com/az400-workshops/Creating%20a%20Release%20Dashboard/_git/gitleaks

How should I specify custom tool location? Thanks in advance for help!

Best regards,
Maria

when viewing the results in the scans tab( extension SARIF SAST Scans Tab) using the almost depricated credscan, I can click on the error line and it brings me to the specified line inside the repo.

Can this feature also be implemented in gitleaks? I saw the format was a little bit different, maybe this is the reason?

Hi There Joost Voskuil,

Great piece of work, Would you mind adding license to source code aka MIT / apache 2 or anything that works for you.

Cheers
Mani.

Thanks to John Lokkerse for providing feedback. should be Thanks to John Lokerse for providing feedback.

The task outputs the report to the agent's temp directory Agent.TempDirectory. This was worked out by observation and confirmed by reading the code (index.ts).

It would be useful if the output location of the report was mentioned in the README.md. This is useful for situations where someone is taking control of publishing the output instead of letting the task do it for them. In such a situation, the location of the output is important so it's helpful if it can be found more easily.

Hi,

When running gitleaks for a larger scope, I get a limitation error. Please let me know how to proceed or fix this.

##[error]API rate limit exceeded for xxxxxxxxxxx. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)

We have an agent set up to connect to out through our corporate proxy and we are seeing this issue when trying to run Gitleaks.

''' ##[error]unable to get local issuer certificate```

Any help is appreciated.

I've noticed weird behavior whilst using the GitLeaks ADO task. Please see below:

Describe the bug
Using the GitLeaks Azure DevOps Task, which is part of a template being called inside Azure DevOps pipelines, it's often producing the following error:

9:24AM ERR [git] fatal: bad object 613989346268393a95e9218ab63e917629216914
9:24AM ERR  error="stderr is not empty"
9:24AM INF scan completed in 4.92ms
9:24AM INF no leaks found

The scan claims not to have found any leaks, but also produces an error which doesn't fail the step, even with taskfail defaulted to true.

To Reproduce
Steps to reproduce the behavior:

1. Configure GitLeaks ADO task to run inside a template:

- task: Gitleaks@2
      inputs:
        scanlocation: ${{ parameters.gitleaks.scanlocation }}
        configtype: 'predefined'
        predefinedconfigfile: 'GitleaksUdmCombo.toml'
        scanmode: 'changes'
        reportformat: 'json'
        reportname: 'gitleaksreport'
        verbose: true

3. Call this template, from the service you wish to scan. ScanLocation parameter defaults to $(Build.SourcesDirectory), which in most scenarios is the correct location.
4. Ensure there is more than one commit to scan, then observe the error.

Expected behavior
Expect the scan to either produce a result and fail, or to not detect a leak, and pass.

Screenshots

Basic Info :

• OS: Ubuntu 22.04.04
• Gitleaks Version: 2.9.0

When working directly with gitleaks it is possible to add a baseline file that contains all the secrets that have been acknowledged and should be ignored (https://github.com/gitleaks/gitleaks/tree/master#creating-a-baseline). Would be great to add support for setting this file within the task configuration.

Need to create regex for Azure AD Client password to detect it in repositories.

This line from a web.config file is incorrectly flagged by generic-api-key as containing secrets:

<section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />

When I run the scan with redact: false it displays "b77a5c561934e089" as secret.

Strangely enough it does not flag any of the other 59 occurrences of PublicKeyToken as a secret. Some examples of other lines (that are before the line shown above):

<sectionGroup name="system.web.webPages.razor" type="System.Web.WebPages.Razor.Configuration.RazorWebSectionGroup, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
  <section name="host" type="System.Web.WebPages.Razor.Configuration.HostSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" />
  <section name="pages" type="System.Web.WebPages.Razor.Configuration.RazorPagesSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" />
</sectionGroup>

The Generic API Key rule is in the GitleaksUdmCombo.toml file.

Hi,
I am using Task version 1 in Azure DevOps Server and getting below error.
##[section]Starting: Gitleaks scan

Task : Gitleaks scan
Description : Scan git repos (or files) for secrets using regex and entropy.
Version : 1.3.1
Author : Joost Voskuil ([email protected])
Help : More information

Thanks to Zachary Rice (https://github.com/zricethezav) for creating and maintaining gitleaks.
Thanks to Jesse Houwing (https://github.com/jessehouwing) for providing a gitleaks config that has most of Microsoft's deprecated credscan rules ported to it.

Downloading: https://github.com/zricethezav/gitleaks/releases/download/v8.2.5/gitleaks-windows-amd64.exe
##[error]Error: Unexpected HTTP response: 404
##[section]Finishing: Gitleaks scan

While trying to install Task version on Azure DevOps Server Again facing an issue .Screen shot is attached for reference please.

Your valuable help is solicited.

Thanks in advance.

Regards,
Akhil Mishra

When running in revalidation mode, the start and end commit are passed towards Gitleaks to scan only the commits that are part of the pull request.

Somehow this is no longer working. Gitleaks is reporting an error that there is an 'bad object'

Gitleaks command

/opt/hostedtoolcache/gitleaks/8.13.0/x64/gitleaks detect --config=/home/vsts/work/_tasks/Gitleaks_11bd67d8-bfe7-497b-967d-e800eb673119/2.3.11/configs/GitleaksUdmCombo.toml --source=/home/vsts/work/1/s --log-opts=4421a1e00fdbaeb6a7a3850c213e8d409ef64c1b^! cfb58faf56ab9f4fe47111cd3957dbe6c55bc16d --redact --report-format=sarif --report-path=/home/vsts/work/_temp/gitleaks-report-12f1170f-54f2-53f3-20dd-22fc7dff55f9.sarif --exit-code=99

Error

10:51AM ERR [git] fatal: bad object 4421a1e00fdbaeb6a7a3850c213e8d409ef64c1b
10:51AM ERR git error encountered, see logs
10:51AM WRN partial scan completed in 60.7ms
10:51AM WRN no leaks found in partial scan

I'm implementing gitleaks as cred scanner alternative in a DevOps pipeline using YAML.
Trying out scanmode 'all' option on a feature branch with multiple commits, the runs seem to only detect the current state of the branch and not previous commits. What is the expected behavior, is any additional settings that I'm missing?

Hi there,
Could we add more than 1 gitleaks tasks in the pipeline?

  - job: GenerateArtifacts
    steps:
      - checkout: self  ### e.g  --->aks-microservice
      - checkout: terraform-modules

      - task: Gitleaks@2
        displayName: gitleaks-aks-microservice
        inputs:
          scanlocation: '$(Build.SourcesDirectory)/aks-microservice'
          configtype: 'custom'
          configfile: '$(Build.SourcesDirectory)/aks-microservice/.gitleaks.toml'
          reportformat: 'json'

      - task: Gitleaks@2
        displayName: gitleaks-terraform-modules
        inputs:
          scanlocation: '$(Build.SourcesDirectory)/terraform-modules'
          configtype: 'custom'
          configfile: '$(Build.SourcesDirectory)/aks-microservice/.gitleaks.toml'
          reportformat: 'json'

the 1st job works fine, but the 2nd job always gets the error:

1:04AM ERR [git] fatal: bad object 6ad170bc7c5a7e59145b5b1e6a17531666f1bcc2

the commit id 6ad170bc7c5a7e59145b5b1e6a17531666f1bcc2 belongs to the 1st(aks-microserice) not the 2nd repo(terrafrom-modules)

Thanks for any input.

Hi,

I'm trying to use a custom configuration file to identify guid as part of the secrets exposed however trying to allow certain occurrences of the guid in certain files we configured the allowlist to whitelist these; However these are still being identified as the substring contains the guid. How is the allowlist configured to work. Following are the snippet of regex and values we are working with.

Regex for the allowlist :

[allowlist]
description = "global allow lists"
regexes = ['''(?im)^\t\t@schedule_uid([\s|']|[\s|"]|[=]|)N'[{(]?[0-9A-F]{8}[-]?(?:[0-9A-F]{4}[-]?){3}[0-9A-F]{12}[)}]?([\s|'])'''

Sample for the allowlist: ** @schedule_uid=N''**
Rule for GUID:

[[rules]]
id = "CUSTOM-02" 
description = "GUID Rule" 
path = '''\.(?:xml|pubxml|definitions|ps1|wadcfgx|ccf|config|cscfg|json|js|txt|cpp|sql|md|java|FF|template|settings|ini|BF|ste|isml|test|ts|Azure|sample|backup|rd|hpp|psm1|cshtml|htm|bat|waz|yml|Beta|py|sh|m|php|xaml|keys|cmd|rds|loadtest|properties)$|hubot'''
regex = '''(?im)(?:[\s|']|[\s|"]|[=]|)[{(]?[0-9A-F]{8}[-](?:[0-9A-F]{4}[-]){3}[0-9A-F]{12}[)}]?'''

Hi Joost

Sorry for contacting you like this but I have been struggling to get this to work for some time now. I tried connecting via LinkedIn but was unable.

I've tried every possible combination of settings but cannot get this to work.

I have resorted to running them all in one yaml file but the only failures I get are in a readme file that doesn't even belong to the solution.

If you could advise me, I'd really appreciate it.

Regards,
William
[email protected]

trigger:

• dev

jobs:

• job: buildandtest

  pool:
  vmImage: ubuntu-latest

  variables:
  buildConfiguration: 'release'

  steps:

  • checkout: self
    fetchDepth: 0

  • task: DotNetCoreCLI@2
    displayName: 'Restore NuGet packages - dotnet restore'
    inputs:
    command: 'restore'
    projects: '**/*.csproj'

  • task: DotNetCoreCLI@2
    displayName: Build the project - dotnet build
    inputs:
    projects: '**/*.csproj'
    arguments: '--configuration $(buildConfiguration) --no-restore'

  • script: |
    sudo apt update
    sudo apt install -y wget
    wget -qO gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.17.0/gitleaks_8.17.0_linux_x64.tar.gz
    tar -xvf gitleaks.tar.gz
    sudo mv gitleaks /usr/local/bin/
    rm gitleaks.tar.gz
    gitleaks detect --source=. --exit-code 126 --verbose --redact --report-format junit --report-path=$(Common.TestResultsDirectory)/gitleaks
    displayName: 'Detect Secrets - Gitleaks'
    continueOnError: true

  • task: Gitleaks@2
    displayName: Run GitLeaks scan - nogit
    inputs:
    scanlocation: '$(Build.SourcesDirectory)'
    configtype: 'predefined'
    predefinedconfigfile: 'GitleaksUdmCombo.toml'
    reportformat: 'json'
    scanmode: 'nogit'
    verbose: true
    taskfail: false
    version: latest

  • task: Gitleaks@2
    displayName: Run GitLeaks scan - all
    inputs:
    scanlocation: '$(Build.SourcesDirectory)'
    configtype: 'predefined'
    predefinedconfigfile: 'GitleaksUdmCombo.toml'
    reportformat: 'json'
    scanmode: 'all'
    verbose: true
    taskfail: false
    version: latest

  • task: Gitleaks@2
    displayName: Run GitLeaks scan - changes
    inputs:
    scanlocation: '$(Build.SourcesDirectory)'
    configtype: 'predefined'
    predefinedconfigfile: 'GitleaksUdmCombo.toml'
    reportformat: 'json'
    scanmode: 'changes'
    verbose: true
    taskfail: false
    version: latest

  • task: Gitleaks@2
    displayName: Run GitLeaks scan - smart
    inputs:
    scanlocation: '$(Build.SourcesDirectory)'
    configtype: 'predefined'
    predefinedconfigfile: 'GitleaksUdmCombo.toml'
    reportformat: 'json'
    scanmode: 'smart'
    verbose: true
    taskfail: false
    version: latest

Hi team,
I am trying to pass multiple whitelist file under gitleaks task not within gitleaks.toml. i believe we use
--additional config in gitleaks7 in normal cli. Is there any option to pass it same like in azure devops task1. Please help

Hi,

I have configured a task in my build pipeline not to fail in case it detects a secret. However, when the task does detect a secret in the source control, it displays an error message that directs me to a documentation page for removing sensitive data from a repository (HelpOnSecretsFound).

This failed message will appear in the source control history under status, which may confuse others who see it. Because the pipeline is set to enforce certain policies for a branch, it may appear to others that the build process has failed even though the task did not actually cause the pipeline to fail.

We recently started receiving this warning when gitleaks runs during PR builds.

##[warning]For prevalidation/smart scanning mode, only 'Git' is supported as repository type. This repository type is 'TfsGit'

I believe it might be related to the changes from earlier today: #32

Is there an additional option we need to set or is this a bug in the extension?

I just stumbled over the non existing comments.
Please add the feature like in gitignore where you can add a comment by just adding "#" at the beginning of the line.

Describe the bug
I have gitleaks extension installed on my AzureDevops. I have added the stage in my yaml file for repo to detect the secrets.
Repo has different file types with hardcoded secrets ( AZURE PAT tokens).

.ps1
cs
yml
Readme.md
5.json
When I run my pipeline, it detects the secrets in .json/cs/.ps1 files and it is ignoring Readme.md/yml files. Is this expected.
I have attached screenshots of the logs and the sample yml file with hardcoded PAT token.

To Reproduce
Create a repo with above file extensions with some secrets and run the AzureDevops pipeline.

Expected behavior
It should detect the secrets in the yml and Readme.md files.

Code:

            inputs:
              scanlocation: '$(Build.SourcesDirectory)'
              configtype: 'predefined'
              predefinedconfigfile: 'GitleaksUdmCombo.toml'
              reportformat: 'sarif'
              verbose: true
            displayName: "Gitleaks Credential Scanner"

Screenshots

Thanks !!

@JoostVoskuil

After running this task in ADO pipeline , it scans .cer files as as secert and reports as a failed test.

Just wanted to understand why it's so.

We are experiencing issues with Gitleaks pipeline which is failing with ERR Failed to locate unzip command '/usr/bin/unzip'! although this is running on Windows agent.

If we run this same pipeline on Linux agent it finish without errors and works fine.

This is example of run on Windows agent:

Starting: Gitleaks

Task : Gitleaks scan
Description : Scan git repos (or files) for secrets using regex and entropy.
Version : 2.2.30
Author : Joost Voskuil ([email protected])
Help : More information

Thanks to Zachary Rice (https://github.com/zricethezav) for creating and maintaining gitleaks.
Thanks to Jesse Houwing (https://github.com/jessehouwing) for providing a gitleaks config that has most of Microsoft's deprecated credscan rules ported to it.

The latest version of the tool is available in the toolcache. Version is 8.9.0
Found tool in cache: gitleaks 8.9.0 x64
C:\hostedtoolcache\windows\gitleaks\8.9.0\x64\gitleaks.exe detect --config=./GitLeaks/GitLeaks.toml --source=F:\build\autobv.9\35\s --redact --report-format=sarif --report-path=F:\build\autobv.9_temp\gitleaks-report-12f1170f-54f2-53f3-20dd-22fc7dff55f9.sarif

○
│╲
│ ○
○ ░
░    gitleaks

8:26AM ERR Failed to locate unzip command '/usr/bin/unzip'!
8:26AM ERR Failed to locate unzip command '/usr/bin/unzip'!
8:26AM ERR Failed to locate unzip command '/usr/bin/unzip'!
8:28AM ERR Failed to locate unzip command '/usr/bin/unzip'!
##[error]See https://docs.github.com/en/github/authenticating-to-github/removing-sensitive-data-from-a-repository for information how to remove secrets.
##[warning]Secrets found or error encountered when running Gitleaks. See log and report for details.
Finishing: Gitleaks

And this is how our task is configured:

• task: Gitleaks@2
  inputs:
  scanlocation: '$(Build.SourcesDirectory)'
  configtype: 'custom'
  configfile: ./GitLeaks/GitLeaks.toml
  uploadresults: true
  reportformat: 'sarif'
  scanmode: all
  taskfail: false

Strange thing is that this error appears only when scanmode is set to all, if it's set to prevalidation and run for PR it goes through without errors on Windows agents.

Starting: Gitleaks

Task : Gitleaks scan
Description : Scan git repos (or files) for secrets using regex and entropy.
Version : 2.2.30
Author : Joost Voskuil ([email protected])
Help : More information

Thanks to Zachary Rice (https://github.com/zricethezav) for creating and maintaining gitleaks.
Thanks to Jesse Houwing (https://github.com/jessehouwing) for providing a gitleaks config that has most of Microsoft's deprecated credscan rules ported to it.

Only commits belonging to this Pull Request are scanned.
Scanning for 29 Git commit(s) for this build. First commit is 62322a1ee0b829, Last commit is fc75d133b48
The latest version of the tool is available in the toolcache. Version is 8.9.0
Found tool in cache: gitleaks 8.9.0 x64
C:\hostedtoolcache\windows\gitleaks\8.9.0\x64\gitleaks.exe detect --config=./GitLeaks/GitLeaks.toml --source=F:\build\autobv.3\221\s/src/Services/Functions/Reporting/ReportingFunction "--log-opts=62322a1ee0b829^! fc75d133b48" --redact --report-format=sarif --report-path=F:\build\autobv.3_temp\gitleaks-report-041a692d-d80f-5a06-0b64-9e4539023300.sarif

○
│╲
│ ○
○ ░
░    gitleaks

8:04AM INF scan completed in 190.5997ms
8:04AM INF no leaks found
Finishing: Gitleaks

I am already using the SARIF viewer extension in other parts of my build. When GitLeaks trying to upload the report it fails with the following error.
##[error]Artifact CodeAnalysisLogs already exists for build ####

This should upload even if it already exists.

Hi,

We are trying to use the extension so that only secrets introduced by a pull request are scanned.
This to keep the main branch free of secrets.

Experimenting with the depth parameter did not scan all of the changes in the Pull Request.
The thinking was that setting it to 1 would only scan the merge commit that brings in the changes.

Since this is a DevOps extension, and I think it is a common use case, I am very willing to contribute to code/documentation that would others help out as well. Can you set me in the right direction? Thanks!

This is what we tried so far

  - task: Gitleaks@1
    inputs:
      scanfolder: '$(Build.SourcesDirectory)'
      verbose: true
      depth: 1

  - task: Gitleaks@1
    inputs:
      scanfolder: '$(Build.SourcesDirectory)'
      verbose: true
      arguments: '--branch=$(System.PullRequest.SourceBranch)'

Hi,

Thanks for adapting the tool to the AzureDevOps. I have set up "uploadresults: true" but then checking the artifact of the Build I dont see the report.

Where is the report uploaded on ADO? Can we send additional arguments like --react?

Thanks

Jo

Hi, I have tried all scanmodes and configfiles and yet to come up with a way to scan all folders and files in an azure devops repository. What am I missing? How can scan a whole repo using the - task: Gitleaks@2 in azure pipelines.
Regards

If taskFail is set to True, and issues are detected, the task fails.

If taskFail is set to False, and issues are detected, the task presents a warning (!).

Is there a way to remove this warning, so if issues are detected, and the toggle is set to false, the task will Pass?

Hi,

Can we use a switch OR flag by which we can skip previous commits history or we can define a time period after/before for scanning while using Gitleaks task with Azure Devops Server pipeline ?
in current scenario If I select "All Commits" it goes for scanning for past years as well. Which I want to avoid OR can define a time period let say from date it start scanning.

Hi - we are trying to integrate this tool.

Manual build triggers for detecting secrets work fine, but PR validation is failing with the below error.

##[error]Cannot read property 'length' of null

Here is the code:

          - task: Gitleaks@2
            inputs:
              scanlocation: '$(Build.SourcesDirectory)'
              configtype: 'predefined'
              predefinedconfigfile: 'GitleaksUdmCombo.toml'
              reportformat: 'sarif'
              verbose: true
            displayName: "Gitleaks Credential Scanner"

Happy to provide any other required information.

Thank you in advance. Have a nice day!

At the moment it looks like extension doesn't support to specify the name for file published in the Azure Devops artifacts.

It looks like follows

<Standard name> <some guid>.csv
There is requirement to have specifi name for every file. Is it possible to provide variable value to fill the name?

Hi,

I'm interested in security aspect of this extension. Is it exposing code anywhere else - external service or it is only maintained within my instance - agent where I am executing the job?
As I understood it only downloads tool and runs it like I could do manually on my own desktop instance.

Thank you!

I am using folloiwng tasks in ADO pipeline. It works fine and publish the SAIRF test results under Scans tab with branch build but same thing doesn't work for PR build.

• task: Gitleaks@2
  displayName: "Scan secrets > Gitleaks"
  inputs:
  scanlocation: '$(workdir)'
  configtype: 'predefined'
  predefinedconfigfile: 'GitleaksUdmCombo.toml'
  reportformat: 'sarif'
  taskfail: false # true Fail the task if secrets are found
  verbose: true

Branch build pipeline output

PR build pipeline output

Please suggest.

I would like to request if it would be possible to develop a field for exceptions of folders to be scanned, or if there is some workaround for how to do it.

So, im thinking to add more options into the code but whenever i download the source code and repackage with the command line " tfx extension create --manifest-globs vss-extension.json" it creates me a new plugin, i tried to run this on my dev and its giving me an error saying it cant find the inde.js file, have you experience this?
error after installing the "new plugin"
##[error]File not found: '/home/vsts/work/_tasks/Gitleaks_11bd67d8-bfe7-497b-967d-e800eb673119/1.1.0/index.js'

when I install the plugin from the marketplace it doesnt give this error

I would like the ability to choose the name of the artifact that the GitLeaks task uses when uploading the results to AzureDevOps.

There are two use cases where this is useful:

1. When a pipeline is performing multiple gitleaks scans across multiple repos.
2. When a re-run of a job/stage is performed and the gitleaks task has already uploaded

It's easy to work around by suppressing the upload and taking manual control of uploading with the publish task, but this task offers to do it for me so it would be nice to make use of that functionality.

Does the scan happens remotely on other server or it runs directly in azure as a service?