
Using GitLab? Your users leave secrets in git repos much more than you thought


Your users leave secrets in git repos much more than you thought, and there’s a new way to resolve it

Imagine accidentally leaking sensitive information online more than a dozen times a minute! That is the rate at which secret keys are being exposed on public repositories according to GitHub: in just the first eight weeks of 2024 they detected over 1 million leaked secrets. This highlights the critical need for better safeguards that stop these accidental exposures before they happen.

Given the urgency, GitHub recently made push protection (scanning pushed content for secrets and rejecting the push when one is found) free and enabled by default for public repositories; for private repositories it is still offered only through the Enterprise edition (GitHub Advanced Security).

And what about GitLab?

GitLab offers scanning in two ways, but at the time of writing neither fully covers this situation:

The first way scans file content, but it runs as a CI job, i.e. only after the commit has already been pushed to the server (and the full workflow around it, with results in the merge request widget and the vulnerability report, is a GitLab Ultimate feature).
Note: once a secret has reached the server it must be treated as compromised and rotated regardless. Scrubbing it afterwards is not trivial at all: every commit that contains it has to be rewritten (for example with git filter-repo) and force-pushed, which disrupts everyone who has cloned the repository.

The second way is the "Prevent pushing secrets to the repository" push rule, which is enforced before the push is accepted, but it does not scan file content: it only matches a list of well-known file names and suffixes such as private keys and key stores (and it is available in GitLab Premium or higher).

In comparison, GitHub's push protection inspects the pushed content itself and rejects the push when a secret pattern is found, so the secret never reaches the remote.

That is why we put together an immediate resolution for GitLab that gives you full coverage.

Resolution:

You should scan file content for secrets even before your users commit changes (a client-side pre-commit hook), and enforce the same content scan on the server, so that a commit carrying a secret can never be pushed to the central repository in GitLab.
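As an added example (not code from the original post and not ALM-Toolbox's product), here is the shape of the missing piece: a pre-commit hook that scans the content of the staged changes, not file names, and blocks the commit when an added line looks like a credential. The detection rules, the allow marker and the sample diff are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Client-side pre-commit hook: scan the *content* of staged changes for
secret-looking strings and block the commit when any are found.

Illustrative example, not ALM-Toolbox's product. The detection rules below
are assumptions kept deliberately small; extend them for your organisation."""
import re
import subprocess
import sys

# Detection rules (assumed for illustration). Each rule is a regex applied to
# one added line of the diff.
PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitLab personal access token": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b"),
    "Private key block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "Generic credential assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|access[_-]?key|token)"
        r"\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

# Lines carrying this marker are skipped (documented dummy values such as test
# fixtures). Its use should itself be a review item.
ALLOW_MARKER = "secret-scan:allow"

# Unified-diff hunk header; group 1 is the first line number in the new file.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text):
    """Return [(path, new_line_no, rule)] for every added line matching a rule.

    Only '+' lines are inspected: a secret already sitting in the file and not
    touched by this commit is history, not new leakage, and is left to the
    server-side scan.
    """
    findings = []
    path = None
    line_no = 0
    in_header = False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            in_header = True          # file header follows ("---", "+++", "index", ...)
            continue
        if in_header:
            if raw.startswith("+++ "):
                path = raw[4:]
                path = path[2:] if path.startswith("b/") else path
                in_header = False
            continue                  # header lines (and "Binary files ... differ")
        hunk = HUNK_RE.match(raw)
        if hunk:
            line_no = int(hunk.group(1))
            continue
        if raw.startswith("+"):
            content = raw[1:]
            if ALLOW_MARKER not in content:
                for rule, rx in PATTERNS.items():
                    if rx.search(content):
                        findings.append((path, line_no, rule))
            line_no += 1
        elif raw.startswith(" "):
            line_no += 1              # context line: advances new-file numbering
        # '-' lines and "\ No newline at end of file" do not advance it
    return findings


def staged_diff():
    """Diff of what is about to be committed (index vs HEAD), content only."""
    return subprocess.run(
        ["git", "diff", "--cached", "-U0", "--no-color"],
        check=True, capture_output=True, text=True).stdout


def main():
    findings = scan_diff(staged_diff())
    if not findings:
        return 0
    for path, line_no, rule in findings:
        print(f"{path}:{line_no}: {rule}", file=sys.stderr)
    print("Commit blocked: remove the secret(s) above (or load them from your "
          "secrets manager at runtime) and commit again.", file=sys.stderr)
    return 1


# Constructed sample diff for trying the scanner offline. The AWS key is the
# placeholder value from AWS's own documentation; the GitLab token is made up.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,0 +11,3 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DEBUG = True
+DB_PASSWORD = 'hunter2hunter2'
diff --git a/tests/fixtures.py b/tests/fixtures.py
--- a/tests/fixtures.py
+++ b/tests/fixtures.py
@@ -1,0 +2 @@
+FAKE_TOKEN = "glpat-0123456789abcdefghij"  # secret-scan:allow
"""

if __name__ == "__main__":
    sys.exit(main())
```

Running `scan_diff(SAMPLE_DIFF)` reports the AWS key on line 11 and the password assignment on line 13 of config/settings.py, and skips the marked fixture line. Install the script as `.git/hooks/pre-commit`, or point `core.hooksPath` at a directory you distribute to every developer. One caveat a practitioner should keep in mind: `git commit --no-verify` skips client-side hooks, so the same `scan_diff` must also run on the server (on self-managed GitLab, as a pre-receive server hook that reads the old and new revision of each pushed ref from stdin and diffs them). The client-side hook gives developers fast feedback; the server-side check is what actually guarantees that nothing reaches the central repository.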

Our team is trained to provide this as a professional service: we can develop that missing piece for you as a tailor-made solution you can deploy across all the GitLab users and repos you have. To get more information please contact us (details are below).

Do you have a Secrets Management tool in place?

If not – we can help here as well (we provide and support a variety of Secrets Management solutions).

ALM-Toolbox (https://almtoolbox.com) provides licenses and professional services (hands-on consulting) on top of git, GitLab and GitHub including complementary tools such as Jira, Kubernetes, Jenkins, Terraform, HashiCorp Vault, ArgoCD and more. Contact us: gitlab@almtoolbox.com or call us 866-503-1471