Get Secret Scan - list of files scanned

Sachin Kaushik November 14, 2024

Hi, I have a pipe for secret scanning like this:

- step:
    name: Secret Scanning
    script:
      - pipe: atlassian/git-secrets-scan:0.4.3
        variables:
          FILES: "**/*.json ."

 

I am expecting it to scan my appSettings.json file for exposed secrets, which is placed in my project directory, but it does not. Is there a way I can check which files it scanned? And does it generate a default report that I can use later in my step?

2 answers

0 votes
Igor Stoyanov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 18, 2024

Hi @Sachin Kaushik. Thanks for your feedback.
This pipe is based on the gitleaks tool.
I also tested your case using gitleaks:

appSettings.json

{
  "ConnectionStrings": {
    "TestConn": "Data Source=my-test-db;Password=AKIAKEGEYJSDOHQYTEST;Initial Catalog=MyCat;Integrated Security=False;MultiSubnetFailover=true"
  }
}

And gitleaks found a secret inside a file.

(gitleaks banner)

10:57AM INF scan completed in 1.17ms
10:57AM WRN leaks found: 1

But here the AWS pattern that is present in the gitleaks default config was used.

In case the tool does not detect your secret, you could extend the gitleaks config with the required pattern and use it in the pipe:

script:
  - pipe: atlassian/git-secrets-scan:3.0.0
    variables:
      DEBUG: "true"
      GITLEAKS_COMMAND: "dir"
      GITLEAKS_EXTRA_ARGS: 
        - "./path_to_directory_or_file"
        - "--config=my-gitleaks-config.toml"

Regards, Igor

Sachin Kaushik November 18, 2024

Thanks for looking further into this, Igor! I was hoping that it would detect the text "password" in the JSON file and flag a violation, whatever format the password string might be. Looking at the default gitleaks config, I wonder why it did not fall under rule id = "generic-api-key" (line 535).

Igor Stoyanov
Atlassian Team
November 18, 2024

@Sachin Kaushik you could try https://regex101.com/ and see that the selected pattern does not match the content of the appSettings.json.

Also, I think you could ask here about your case.

Regards, Igor
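As an added example (not code from this thread, from the git-secrets-scan pipe, or from gitleaks itself), the Go program below demonstrates the two points discussed above: a custom gitleaks rule that flags the Password field of a connection string whatever the value looks like, and why a short, low-entropy value such as test1234 can slip past a generic rule. The rule id, regex and TOML fragment are my own assumptions. gitleaks is written in Go and compiles rule regexes with the standard regexp (RE2) package, so a match in this program is the match the pipe would produce when the same expression is passed via --config. The two appSettings.json contents are constructed from the connection strings quoted in the thread. The remark that the default generic-api-key rule requires a minimum captured length and a minimum entropy reflects the gitleaks v8 defaults as I recall them; check the config bundled with the pipe version you run.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// customRuleTOML is an assumed, hand-written gitleaks rule (not from the pipe
// and not from gitleaks' default config). It keeps the default rules and adds
// one that flags the Password field of a connection string whatever the value.
const customRuleTOML = `
[extend]
useDefault = true

[[rules]]
id = "connection-string-password"
description = "Password field in a connection string"
regex = '''(?i)password\s*=\s*([^;"'\s]{4,})'''
secretGroup = 1
keywords = ["password"]
`

// connStringPassword is the same expression as in the TOML above. gitleaks
// compiles rule regexes with Go's RE2 engine (package regexp), so a match
// here is a match in the pipe.
var connStringPassword = regexp.MustCompile(`(?i)password\s*=\s*([^;"'\s]{4,})`)

// Finding carries the fields of a gitleaks report entry that matter here.
type Finding struct {
	RuleID    string
	Secret    string
	StartLine int
	Entropy   float64
}

// scanContent runs the custom rule over file content line by line and returns
// one finding per match, with the Shannon entropy of the captured secret.
func scanContent(content string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, m := range connStringPassword.FindAllStringSubmatch(line, -1) {
			findings = append(findings, Finding{
				RuleID:    "connection-string-password",
				Secret:    m[1],
				StartLine: i + 1,
				Entropy:   shannonEntropy(m[1]),
			})
		}
	}
	return findings
}

// shannonEntropy returns the entropy of s in bits per character, the metric a
// gitleaks rule's "entropy" threshold is compared against. A generic rule with
// entropy = 3.5 would not report "test1234" (2.75 bits) even if its regex hit.
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Constructed sample files, taken from the two connection strings quoted in
// the thread: one with an AWS-looking value, one with a plain "test1234".
const appSettingsAWS = `{
  "ConnectionStrings": {
    "TestConn": "Data Source=my-test-db;Password=AKIAKEGEYJSDOHQYTEST;Initial Catalog=MyCat;Integrated Security=False;MultiSubnetFailover=true"
  }
}`

const appSettingsPlain = `{
  "ConnectionStrings": {
    "TestConn": "Data Source=my-test-db;Password=test1234;Initial Catalog=MyCat;Integrated Security=False;MultiSubnetFailover=true"
  }
}`

func main() {
	fmt.Print("Rule under test:", customRuleTOML)
	for name, content := range map[string]string{"aws": appSettingsAWS, "plain": appSettingsPlain} {
		for _, f := range scanContent(content) {
			fmt.Printf("%s: %s line %d secret=%q entropy=%.2f\n",
				name, f.RuleID, f.StartLine, f.Secret, f.Entropy)
		}
	}
}
```

To use the rule in the pipe, save the TOML as my-gitleaks-config.toml in the repository and pass it with --config in GITLEAKS_EXTRA_ARGS as shown in the answer above; with useDefault = true the default AWS rule still fires on the first sample, and the custom rule additionally reports both Password values. Leaving the entropy field out of the custom rule is deliberate: the thread's goal is to flag any Password= value, and an entropy gate is exactly what would let test1234 through.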

0 votes
Igor Stoyanov
Atlassian Team
November 15, 2024

Hi @Sachin Kaushik. Thanks for your question.

First of all, try updating the git-secrets-scan pipe to the latest version, so the reports feature is enabled in the pipe.

I suggest trying the basic example, so your full repository is scanned by the tool.

script:
  - pipe: atlassian/git-secrets-scan:3.0.0

In case you want a specific folder to be scanned, you could try this example:

script:
  - pipe: atlassian/git-secrets-scan:3.0.0
    variables:
      GITLEAKS_COMMAND: "dir"
      GITLEAKS_EXTRA_ARGS: "./path_to_directory_or_file"

Regards, Igor

Sachin Kaushik November 15, 2024
Thanks for your response, Igor!
I had tried your suggestion before; it did not detect the "password" exposed in my appSettings.json file. The report it generated seemed empty. Here is what I have now:

- step:
    name: Secret Scanning
    script:
      - pipe: atlassian/git-secrets-scan:3.0.0
      - ls -al
      - cat gitleaks-report.json

My repository just has a sample console app, with a default Program.cs file, and I added an appSettings.json file with the following connection string in it:

"ConnectionStrings": {
  "TestConn": "Data Source=my-test-db;Password=test1234;Initial Catalog=MyCat;Integrated Security=False;MultiSubnetFailover=true"
}
Here is what the log says:

...
Digest: sha256:097215cfecb2cf34a34189240ebb5c96d7884e8a9d0b738e83af9717a8f7db8a
Status: Downloaded newer image for bitbucketpipelines/git-secrets-scan:3.0.0
INFO: Extend gitleaks command to create reports...
INFO:
INFO: Generating CodeInsights reports...
✔ Pipe has finished successfully.
+ ls -al
total 48
drwxrwxrwx 5 root   root   4096 Nov 15 12:54 .
drwxr-xr-x 8 root   root   4096 Nov 15 12:54 ..
drwxr-xr-x 3 165536 165536 4096 Nov 15 12:54 .bitbucket
drwxrwxrwx 8 root   root   4096 Nov 15 12:54 .git
-rw-rw-rw- 1 root   root    689 Nov 15 12:54 .gitignore
drwxrwxrwx 3 root   root   4096 Nov 15 12:54 TestConsoleApp
-rw-rw-rw- 1 root   root   1468 Nov 15 12:54 TestConsoleApp.sln
-rw-rw-rw- 1 root   root   3671 Nov 15 12:54 bitbucket-pipelines.yml
-rw-rw-rw- 1 root   root   1733 Nov 15 12:54 create-jira-ticket-bitbucket.sh
-rw-rw-rw- 1 root   root   1077 Nov 15 12:54 create-jira-ticket.sh
-rw-r--r-- 1 165536 165536    3 Nov 15 12:54 gitleaks-report.json
-rw-rw-rw- 1 root   root      9 Nov 15 12:54 readme.txt
+ cat gitleaks-report.json
[]
Searching for files matching artifact pattern .bitbucket/pipelines/generated/pipeline/pipes/**
Searching for test report files in directories named [test-results, failsafe-reports, test-reports, TestResults, surefire-reports] down to a depth of 4
Finished scanning for test reports. Found 0 test report files.
Merged test suites, total number tests is 0, with 0 failures and 0 errors.
I see that it did generate the report (gitleaks-report.json), but the cat command did not show anything.

Could you please point me towards what I am missing or what I am doing wrong? Thanks.
