Add GitLab CI template for secret scanning with Gitleaks #44

rtrofimenkov-ssdlc · 2025-10-07T07:07:55Z

What's added:

New gitleaks.gitlab-ci.yml template for automatic secret detection in code
Support for two scan modes: diff (PR changes only) and full (entire repository)
Automatic Gitleaks v8.28.0 installation with Linux x64/ARM64 support
GitLab CI integration via three jobs:
- gitleaks_diff - for MRs (automatic)
- gitleaks_full_manual - for manual runs
- gitleaks_full_scheduled - for scheduled scans
Custom configuration support via gitleaks.toml
Detailed results output with links to problematic code locations
JSON report artifacts for further analysis

Usage:

include:
  - remote: 'https://raw.githubusercontent.com/deckhouse/modules-gitlab-ci/refs/heads/main/templates/gitleaks.gitlab-ci.yml'

This template complements the existing Deckhouse CI template ecosystem, providing additional security for module development.

templates/gitleaks.gitlab-ci.yml

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

…s for cleanup stage Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

…pt for better clarity and organization. Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

* gitleaks template Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * path fix, added stage Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * added docker runner tag Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * tags fix Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * pipeline refactor for shell executor Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * gitleaks pipe refactor Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * Add empty before_script to gitleaks CI template Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * PATH fix Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * Add gitleaks cleanup stage to CI template Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * Update gitleaks CI template to include optional dependencies and rules for cleanup stage Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * updated error parsind and printing to stdout Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * stdout fix Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * output fix Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * stdout fix Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * fixed cleanup stage Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * cleanup fix Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * cleanup stage fix Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * depth fix Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * deleted cleanup stage Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * report fix Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * Refactor cleanup process in GitLab CI configuration to use after_script for better clarity and organization. Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * Remove redundant stages declaration from gitleaks template Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> * fix: add GitLab server host to gitleaks blob URLs Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com> --------- Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

KraMorK requested changes Oct 14, 2025

View reviewed changes

templates/gitleaks.gitlab-ci.yml Outdated Show resolved Hide resolved

rtrofimenkov-ssdlc added 22 commits October 14, 2025 17:23

gitleaks template

e82102c

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

path fix, added stage

a54fba5

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

added docker runner tag

cae3213

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

tags fix

5873642

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

pipeline refactor for shell executor

1757f8c

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

gitleaks pipe refactor

a5424e6

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

Add empty before_script to gitleaks CI template

15c6f4e

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

PATH fix

5beb601

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

Add gitleaks cleanup stage to CI template

3ab3279

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

Update gitleaks CI template to include optional dependencies and rule…

756db32

…s for cleanup stage Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

updated error parsind and printing to stdout

b75394c

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

stdout fix

0682948

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

output fix

f258301

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

stdout fix

189b0c2

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

fixed cleanup stage

87fdbb4

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

cleanup fix

e926559

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

cleanup stage fix

a1aaba1

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

depth fix

c5f7a6d

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

deleted cleanup stage

42792b4

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

report fix

9e6abde

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

Refactor cleanup process in GitLab CI configuration to use after_scri…

bf9395f

…pt for better clarity and organization. Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

Remove redundant stages declaration from gitleaks template

db4be4a

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

rtrofimenkov-ssdlc force-pushed the feature/gitleaks branch from 1120d1d to db4be4a Compare October 14, 2025 12:27

KraMorK self-requested a review October 14, 2025 12:30

KraMorK approved these changes Oct 14, 2025

View reviewed changes

fix: add GitLab server host to gitleaks blob URLs

4e1f49e

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

KraMorK approved these changes Oct 14, 2025

View reviewed changes

himax1991 self-requested a review October 15, 2025 08:20

himax1991 approved these changes Oct 15, 2025

View reviewed changes

Taior approved these changes Oct 15, 2025

View reviewed changes

Nikolay1224 merged commit ce2b7c3 into main Oct 17, 2025
1 check passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Add GitLab CI template for secret scanning with Gitleaks #44

Add GitLab CI template for secret scanning with Gitleaks #44

Uh oh!

rtrofimenkov-ssdlc commented Oct 7, 2025 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Add GitLab CI template for secret scanning with Gitleaks #44

Add GitLab CI template for secret scanning with Gitleaks #44

Uh oh!

Conversation

rtrofimenkov-ssdlc commented Oct 7, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What's added:

Usage:

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

rtrofimenkov-ssdlc commented Oct 7, 2025 •

edited

Loading