DevSecOps in Practice: Tools That Actually Catch Vulnerabilities - Part 1

DEV Community
Hariharan

Secret Scanning with Gitleaks

I have built a deliberately vulnerable Flask app to use as a target for building a real DevSecOps pipeline. The repo is at https://github.com/pkkht/devsecops-demo. This part covers the first gate in the pipeline — secret scanning.

Why are secrets in code such a big deal?

The demo app already has secrets in it, intentionally added. We will use Gitleaks to catch the exposed secrets.

What is Gitleaks

Gitleaks is an open-source scanner that looks for hardcoded secrets (API keys, tokens, passwords) in files and git history using a set of regex-based rules.

Setting it up locally with pre-commit

Step 1: Install pre-commit

pre-commit is a framework for managing git hooks. It handles downloading and running Gitleaks automatically — you do not need to install Gitleaks separately.

```bash
pip install pre-commit
pre-commit --version
pre-commit install
```

The last command wires Gitleaks into your .git/hooks/pre-commit so it runs automatically on every git commit.

Step 2: Create the config file

.pre-commit-config.yaml in your repo root:

Seeing it in action

app.py with the secrets still in it:

```bash
git add app.py
git commit -m "add task manager app"
```

First attempt — before the config file was in place: pre-commit requires a .pre-commit-config.yaml to be present. Once that is added, try again:

The commit is blocked. Gitleaks downloads itself, scans the staged files, and reports two findings — the AWS access key and the secret key — with the exact file and line number. The commit never happens.

This is the behaviour you want. A developer cannot accidentally push a secret

In a real codebase, a finding like this means: remove the secret, rotate it, use an environment variable instead. But this is a demo repo — the secrets are intentional. We need a way to tell Gitleaks "I know about these, ignore them." That is what .gitleaksignore is for. You add the fingerprints of known,

The fingerprints come directly from the Gitleaks output; each line you add has the form file:rule:line.

```
Detect hardcoded secrets... Passed
```

.gitleaksignore is useful for allowlisting known false

Wiring it into GitHub Actions

The pre-commit hook covers local commits. But what if someone bypasses it with --no-verify, or clones the repo without setting up pre-commit? The pipeline is the safety net.

.github/workflows/secret-scan.yml:

```yaml
name: Secret Scanning

on:
  push:
    branches: ["**"]
  pull_request:
    branches: ["**"]

jobs:
  gitleaks:
    name: Gitleaks Secret Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

fetch-depth: 0 is important — it tells GitHub Actions to check out the full git history, not just the latest commit. Gitleaks needs the full history to scan previous commits for secrets. GITHUB_TOKEN is automatically provided by GitHub on every workflow run —

"No leaks detected" — the pipeline passes because the .gitleaksignore

Two layers of secret scanning are now in place:

- Pre-commit hook — catches secrets on the developer's machine before commit
- GitHub Actions workflow — catches anything that slips through at push time

The pipeline now has its first gate. Every push and pull request is automatically scanned for secrets.