Jenkins Pipeline Git Secret Scanning

Secrets are sensitive values that you need to control access to tightly, such as AWS keys, database passwords or API keys. Anyone can make the mistake of committing a secret to a repository and potentially exposing it, and once a secret is in git history it stays recoverable even after the file is deleted, so a leaked secret has to be rotated, not just removed. We can combat this problem in a few ways: education, pre-commit hooks, and regular secret scanning of the repository.

To help solve the problem we've built a Jenkins pipeline method called secretScan that scans a git repository for any secrets that may have been committed.

pipeline {
  // A declarative pipeline needs an agent directive before its stages.
  agent any

  stages {
    stage('scan for secrets') {
      steps {
        // Fails the build if gitleaks finds a secret in the repository history.
        secretScan()
      }
    }

    // rest of the pipeline stages
  }
}

The method uses gitleaks, an open-source SAST (static application security testing) tool, to scan the repository's commit history for secrets. Scanning history rather than only the working tree matters because a secret removed in a later commit is still present in earlier ones. The method uses the gitleaks default config to detect secrets, but this can be overridden with a custom config file in your repository.

secretScan(
  gitleaksConfigFile: '.custom-gitleaks.toml'
)
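As an added illustration of what that custom config file might contain (this is example content, not part of the original post or the ciinabox-pipelines project), the following assumes the gitleaks v8 configuration format; the rule id, the token format it matches, and the allowlisted paths and values are hypothetical:

```toml
# Hypothetical .custom-gitleaks.toml (added example; gitleaks v8 config format assumed).
title = "custom gitleaks config"

# Keep every default rule and add our own on top, rather than replacing the default set.
[extend]
useDefault = true

# Rule for an internal token format: a fixed prefix followed by 32 hex characters
# (the "svc_live_" prefix is a hypothetical format, not a real vendor's).
[[rules]]
id = "internal-service-token"
description = "Internal service token (hypothetical format)"
regex = '''\bsvc_live_[0-9a-f]{32}\b'''
keywords = ["svc_live_"]     # cheap pre-filter: the regex only runs on fragments containing this
entropy = 3.0                # minimum Shannon entropy of the match; drops obvious placeholders
tags = ["token", "internal"]

# Global allowlist: paths and values that are known not to be real secrets.
[allowlist]
description = "test fixtures and documented example values"
paths = [
  '''(^|/)test/fixtures/''',   # committed sample data
  '''\.md$''',                 # documentation
]
regexes = [
  '''svc_live_0123456789abcdef0123456789abcdef''',   # the example value used in docs
]
```

With this file committed, `secretScan(gitleaksConfigFile: '.custom-gitleaks.toml')` applies the default rules plus the custom one, while the allowlist stops fixtures and documented placeholders from failing the build. Before relying on the pipeline, it is worth running the gitleaks v8 CLI locally with the same config (`gitleaks detect --config .custom-gitleaks.toml`) against a branch that deliberately contains a matching test value, to confirm the rule fires and the allowlist does not silently swallow real findings.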

Check out the [secretScan](https://github.com/base2Services/ciinabox-pipelines/blob/master/vars/secretScan.groovy) method for further options and start adding it into your pipeline!