gitleaks is a secret-scanning tool in the SAST category. It helps us scan files and code repositories for passwords, keys and similar strings, shifting security left.
https://github.com/gitleaks/gitleaks
Installing the binary
After a basic build you will find the resulting binary is about 10 MB.
git clone https://github.com/gitleaks/gitleaks.git
go mod tidy
go build
To make it more convenient to use later, we can build a trimmed-down version, which leaves only about 2.7 MB.
git clone https://github.com/gitleaks/gitleaks.git
go mod tidy
go build -ldflags '-s -w'
upx -9q gitleaks
Testing on a code directory, you may hit an error. This is a git version problem: the git that CentOS installs by default is 1.8.3.1, which does not support the git -C option; upgrading to anything newer than 1.8.5 fixes it.
[root@jenkins-bj-ali-ql1 devops-cicd-dev-bfmq-cloud]# gitleaks detect --report-path gitleaks-report.json
○
│╲
│ ○
○ ░
░ gitleaks
1:05PM ERR [git] Unknown option: -C
1:05PM ERR [git] usage: git [--version] [--help] [-c name=value]
...
After upgrading git, run it again and the baseline file is generated.
[root@jenkins-bj-ali-ql1 ~]# yum -y remove git-*
[root@jenkins-bj-ali-ql1 ~]# yum -y install https://packages.endpointdev.com/rhel/7/os/x86_64/endpoint-repo.x86_64.rpm
[root@jenkins-bj-ali-ql1 ~]# yum -y install git
[root@jenkins-bj-ali-ql1 ~]# git version
[root@jenkins-bj-ali-ql1 ~]# git --version
git version 2.41.0
[root@jenkins-bj-ali-ql1 devops-cicd-dev-bfmq-cloud]# head gitleaks-report.json
[
{
"Description": "xxxx xxxx ID",
"StartLine": 26,
"EndLine": 26,
"StartColumn": 18,
"EndColumn": 42,
"Match": "xxxxxxxxxxxxx\"",
"Secret": "xxxxxxxxxxxxx\"",
"File": "xxxxxx path to file",
Subsequent continuous scanning can then be done against this baseline file.
[root@jenkins-bj-ali-ql1 devops-cicd-dev-bfmq-cloud]# gitleaks detect --baseline-path gitleaks-report.json --report-path findings.json
○
│╲
│ ○
○ ░
░ gitleaks
1:54PM INF 256 commits scanned.
1:54PM INF scan completed in 298ms
1:54PM INF no leaks found
Writing the Jenkins pipeline
So that other security checks can keep reusing it later, I first lay out the overall pseudocode of the Jenkins pipeline.
It mainly takes three input parameters:
- git URL: can be ignored if the address of the test code is fixed
- project language type: can be ignored if the language of the test code is fixed
- whether to skip security: can be ignored, since this run exists precisely for the security scan and we will not skip it
The most basic pipeline flow:
- git checkout: fetch the code
- language Build: compile according to the language type
- language Package: package the artifact according to the language type
- product Push: push the artifact
- cleanup: clean-up work
import hudson.model.*;
@Library('pipeline-libs') _
def gotools = new go.tools()

pipeline {
    agent any
    parameters {
        string(name: 'gitUrl', defaultValue: '')
        string(name: 'projectType', defaultValue: '')
        booleanParam(name: 'skipSec', defaultValue: true)
    }
    tools {
        go 'go1.20.3'
    }
    options {
        retry(0)
        timeout(time: 10, unit: 'MINUTES')
        disableConcurrentBuilds()
        buildDiscarder(logRotator(numToKeepStr: '5'))
    }
    stages {
        stage('Set ENV') {
            steps {
                script {
                    // do something...
                }
            }
        }
        stage('Git') {
            steps {
                git branch: "${branch}", credentialsId: '123456', url: "${gitUrl}"
            }
        }
        stage('Build') {
            steps {
                script {
                    // do Build...
                }
            }
        }
        stage('Package') {
            steps {
                script {
                    // do Package...
                }
            }
        }
        stage('Push') {
            steps {
                script {
                    // do Push...
                }
            }
        }
    }
    post {
        cleanup {
            script {
                // do cleanup...
            }
        }
    }
}
Integrating this secret scan
gitleaks is clearly just a binary, so we integrate it mainly through sh steps; the main things to handle are generating the baseline file on the first run and git's safe directory (safe.directory) problem.
- The secret scan obviously has to run against the code, so it goes after Git
- If the secret scan fails, the pipeline should stop rather than upload an insecure artifact, so it goes before Build
- Note that the baseline file name is changed in the pipeline
...
        stage('Git') {
            steps {
                git branch: "${branch}", credentialsId: '123456', url: "${gitUrl}"
            }
        }
        stage('Gitleaks') {
            steps {
                script {
                    def glstatus = 0
                    if (!fileExists("gitleaks-baseline.json")) {
                        // First scan: build the baseline file and force the exit code to 0
                        glstatus = sh(script: "gitleaks detect --report-path gitleaks-baseline.json --exit-code 0", returnStatus: true)
                    } else {
                        // Later scans: only findings not in the baseline are reported (non-zero exit on a leak)
                        glstatus = sh(script: "gitleaks detect --baseline-path gitleaks-baseline.json --report-path gitleaks-report.json", returnStatus: true)
                    }
                    if (glstatus != 0) {
                        sh "cat gitleaks-report.json"
                        error "Gitleaks security scan failed"
                    }
                }
            }
        }
...
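One practical caveat with the failure branch above: cat gitleaks-report.json copies every detected secret into the Jenkins console log, which is itself readable by far more people than the repository. As an added example (not code from the original post or from the gitleaks project), the following Python script can be run in place of that cat step: it parses the report format shown in the head output earlier, groups findings by rule and file, masks the secret values, and returns a non-zero exit code so the stage still fails. The sample report and all values in it are constructed; the file name gitleaks_summary.py is an assumption.

```python
import json
import sys
from collections import defaultdict

# Constructed sample in the report format shown above (same field names as the `head` output).
SAMPLE_REPORT = json.dumps([
    {"Description": "AWS Access Key", "StartLine": 26, "EndLine": 26, "StartColumn": 18, "EndColumn": 42,
     "Match": "AKIAEXAMPLEKEY000001\"", "Secret": "AKIAEXAMPLEKEY000001", "File": "config/prod.env"},
    {"Description": "Generic API Key", "StartLine": 7, "EndLine": 7, "StartColumn": 10, "EndColumn": 50,
     "Match": "api_key = \"sk_example_0123456789\"", "Secret": "sk_example_0123456789", "File": "config/prod.env"},
    {"Description": "AWS Access Key", "StartLine": 3, "EndLine": 3, "StartColumn": 1, "EndColumn": 20,
     "Match": "AKIAEXAMPLEKEY000001", "Secret": "AKIAEXAMPLEKEY000001", "File": "scripts/deploy.sh"},
])

def mask(secret: str, keep: int = 4) -> str:
    """Keep only a short prefix so the log identifies the finding without repeating the leak."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)

def summarize(report_text: str) -> dict:
    """Parse a gitleaks JSON report and group findings by rule; an empty body counts as no findings."""
    findings = json.loads(report_text) if report_text.strip() else []
    by_rule = defaultdict(list)
    for f in findings:
        by_rule[f["Description"]].append(
            {"file": f["File"], "line": f["StartLine"], "secret": mask(f["Secret"])})
    return {"total": len(findings), "by_rule": dict(by_rule)}

def render(summary: dict) -> str:
    """Human-readable text for the Jenkins console; it contains masked values only."""
    lines = [f"gitleaks: {summary['total']} finding(s) not covered by the baseline"]
    for rule, hits in sorted(summary["by_rule"].items()):
        lines.append(f"  [{rule}] x{len(hits)}")
        for h in hits:
            lines.append(f"    {h['file']}:{h['line']}  {h['secret']}")
    return "\n".join(lines)

def exit_code(summary: dict) -> int:
    """Non-zero when anything was found, so the sh step in the pipeline still fails the build."""
    return 1 if summary["total"] > 0 else 0

if __name__ == "__main__":
    # Usage: python gitleaks_summary.py gitleaks-report.json (falls back to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    report = summarize(text)
    print(render(report))
    sys.exit(exit_code(report))
```

In the pipeline, replacing sh "cat gitleaks-report.json" with sh "python3 gitleaks_summary.py gitleaks-report.json" keeps the failure visible in the build log while leaving the full report on disk for whoever triages it.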
From: https://www.cnblogs.com/bfmq/p/17540801.html