Catching secrets in bare git repos using gitleaks and hooks
Note: this article relates specifically to the dotfile tracking approach with bare git repositories as outlined here on Atlassian
Background
gitleaks
detects secrets in your
staged files and warns you as you try to commit them. This has obvious value,
and it’s a snappy process, so there is little reason not to implement it. This
is particularly true when dealing with dotfiles, as they inherently deal with
user configuration data (your data) in various forms.
Getting this working in a regular git repository is simple and explained well in the respective documentation. However working with a bare git repository has some slight differences in detail. It is slightly more confusing still when working with bare repositories to track dotfiles.
The crux of the problem is that pre-commit
, which
is required to run gitleaks
, wants to find a .pre-commit-config.yaml
file in
the repository’s root. This is in essence your $HOME
directory, but because of
the ‘detached’ way of working with the $HOME
folder, simply placing the config
file in $HOME
and running pre-commit install
will throw an error.
$ pre-commit install
An error has occurred: FatalError: git failed. Is it installed, and are you in a Git repository directory?
Check the log at /Users/tjex/.cache/pre-commit/pre-commit.log
Solution
What we actually need to do is add a worktree from within the .git
folder
itself, to complete this installation process.
In keeping with the naming from the Atlassian tutorial and assuming the branch you’re working on is
main
.
Install pre-commit
as per the docs.
Then add and enter into a worktree, creating a .yaml
file for the
gitleaks
requirements.
# your git folder that holds the tracking information for your dotfiles
cd ~/.cfg
git worktree add main
cd main
touch .pre-commit-config.yaml
Populate .pre-commit-config.yaml
with contents as per the
gitleaks
docs.
At time of writing:
# ~/.cfg/main/.pre-commit-config.yaml
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
hooks:
- id: gitleaks
Then install the gitleaks
hook with pre-commit
:
# we're still at: ~/.cfg/main
pre-config autoupdate
pre-config install
cd ~
Now gitleaks
and pre-commit
are installed. You’ll find the pre-commit
hook
at ~/.cfg/hooks
.
From here, pre-commit
will still want to find the .pre-commit-config.yaml
in
your git ($HOME
) root.
cd ~
cp ~/.cfg/main/.pre-commit-config.yaml .
# 'config' is the alias set as per the Atlassian tutorial
config add .pre-commit-config.yaml
config commit -m 'added pre-commit-config yaml'
As you commit this file, you should see that gitleaks
runs a secret check
against the file 🤞
If all is well, you can remove the worktree folder to tidy up a bit:
cd ~/.cfg
git worktree remove main
cd
From now, gitleaks
will run on your staged files, as you try to commit. Note:
the .pre-commit-config.yaml
file needs to remain in $HOME
(which I
personally find a bit annoying. If anyone knows otherwise, shoot me an email!)