Launching Our First Open Source Collaboration with Gitleaks
Updated March 5, 2024.
About
This content is brought to you by Jit - a platform that simplifies continuous security for developers, enabling dev teams to adopt a ‘minimal viable security’ mindset, and build secure cloud apps by design from day 0, progressing iteratively in a just-in-time manner.
This has been an exciting week for Jit and open source security, as we join forces with Gitleaks to help make open source security more sustainable and accessible than ever. This partnership was built on a foundation of a deep belief that best of breed open source security tools and projects require maintenance, community sponsorship, and support to keep thriving and evolving. We are actively building this DNA into our culture as a company, starting with the excellent Gitleaks project by Zachary Rice.
With the knowledge that open source harnesses the intelligence of the masses, and is built upon principles of diversity of thought, community, interoperability and inherent transparency, we wanted to lower the barrier of entry to adopting open source security tools for everyone. We believe security should be made easy for all developers to get started with, without requiring extensive expertise in the security domain. Once this happens, applications will be more secure by default, and eventually more compliant with industry security standards.
Open Source Security Orchestration
To this end, Jit has been working hard behind the scenes to build a product security-as-a-service platform that orchestrates the most popular, best-of-breed open source security tools. These tools have been vetted and selected by a team of security research experts (we’ve previously written about some of our favorite open source security tools) and they are now available through the platform (more on this below). We handle the research and the curation of these tools so that developers who want to build secure applications don’t have to drown in the deluge of OSS security tools and methodologies, trying to figure out which is the right tool for the task at hand and for their specific tech stack.
Our team has also made sure to integrate with tools that give maximum tech stack coverage, from a wide selection of programming languages, cloud providers (full AWS support available, with more coming shortly), and soon a diversity of SCMs and other related third-party integrations and applications, to provide true minimal viable security for all stacks. Where security expertise has to date been mostly the domain of the CISO, and perceived as too complex for the typical IC developer, this move democratizes security for all developers, reducing the time investment and learning curve for researching, ramping up on and integrating these tools into existing stacks, and beginning to see valuable, actionable output.
One well-known challenge often encountered after going through the work to adopt and integrate security tools is getting a basic understanding of their output and what to do next. To help simplify this process, Jit has created a unified output experience by standardizing the tools’ security findings, making them more understandable and actionable, and the process of mitigating them more trackable.
Gitleaks
Gitleaks, with more than 9,000 stars on GitHub and 900+ forks, is considered by many to be one of the world’s best tools for repo and file secret scanning. Using regex matching and entropy analysis, Gitleaks flags hard-coded secrets, API keys, tokens and any other private data that should not be committed to a repository. In addition to finding secrets currently in your code or repository, it can also scan historical commits, so that secrets sitting in previous commits or PRs can be found and removed as well.
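To make the regex-plus-entropy approach described above concrete, here is a small scanner written for this post as an added example. It is not Gitleaks code and its rules are hypothetical stand-ins for a real rule set; the sample lines and commit SHAs are constructed, and the access key ID used is the placeholder AWS publishes in its own documentation. It shows why an entropy threshold matters (a placeholder like a run of `x` characters matches the regex but is dropped as low-entropy) and why scanning history matters (a secret removed in a later commit is still present in an earlier one).

```python
import math
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    rule: str
    secret: str   # redacted so findings can be shared without re-leaking the value
    entropy: float


# Hypothetical rules: (name, pattern with the candidate secret in group 1, minimum entropy).
# The AWS key ID has a fixed shape, so no entropy gate is needed; the generic rule
# matches many variable names and relies on entropy to separate real keys from placeholders.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 0.0),
    ("generic-api-key",
     re.compile(r"(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
     3.5),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a string made of one repeated character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep a short prefix for triage, mask the rest."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_lines(lines):
    """Apply every rule to every line; keep matches that clear the rule's entropy gate."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for rule, pattern, min_entropy in RULES:
            for m in pattern.finditer(line):
                candidate = m.group(1)
                ent = shannon_entropy(candidate)
                if ent >= min_entropy:
                    findings.append(Finding(line_no, rule, redact(candidate), ent))
    return findings


def scan_history(commits):
    """commits: iterable of (sha, lines_added). A constructed stand-in for walking git
    history; returns {sha: findings} so that a secret deleted at HEAD is still reported."""
    return {sha: f for sha, lines in commits if (f := scan_lines(lines))}


# Constructed sample input (not real credentials).
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',   # AWS's documented placeholder key ID
    'api_key = "sk_live_9f8e7d6c5b4a3f2e1d0c"',     # high-entropy: flagged
    'token = "xxxxxxxxxxxxxxxxxxxx"',               # regex hit, entropy 0: dropped
    'service_name = "deployment-service"',          # no rule matches
]

# Constructed history: the key is added in the first commit and replaced in the second,
# so HEAD looks clean but the secret is still recoverable from the earlier commit.
SAMPLE_COMMITS = [
    ("c0ffee1", ['AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"']),
    ("c0ffee2", ['AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]']),
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.rule} {f.secret} (entropy {f.entropy:.2f})")
    for sha, fs in scan_history(SAMPLE_COMMITS).items():
        print(f"commit {sha}: {len(fs)} finding(s)")
```

Running the block reports two findings in the working-tree sample (the key ID and the live-looking API key) and one commit in the constructed history, which is the case a scan of only the current tree would miss.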
Gitleaks is maintained by Zachary Rice, an individual contributor maintainer, who supports and maintains Gitleaks for some of the largest organizations who have adopted this tool as part of their stack.
To get started with a fully managed Gitleaks visit: https://www.jit.io/jit-open-source-gitleaks
By activating this control on Jit, you can integrate a secret scanner into your CI/CD automatically, and have it run for every new PR created on your repositories.
In the image above you can see an easy-to-read, actionable Gitleaks finding on Jit, created when a generic API key was detected in a monitored GitHub repository.
(Learn more about Jit’s native integration and collaboration with Gitleaks - a natural partner for this journey).