GitLeaks: A Security Boost for the Gitleaks Open Source Project

Gitleaks, built by Zachary Rice and maintained today together with Andrew Weiner, is the foremost open source secret detection tool adopted by developers. It started as a hobby project in 2018 and gained its first thousand users when security influencers discovered it and began recommending it publicly.

From a user base of about 1,000 in 2018, it has grown to millions of users worldwide. That figure is an estimate based solely on public, project-related signals, since Gitleaks does not collect telemetry. Gitleaks has over 7M all-time Docker pulls, over 2M GitHub downloads and more than 11.5K GitHub stars, is used in over 2,600 public repositories, and shows a steadily rising adoption curve. A separate post covers the Gitleaks project's stats and its growth over the years.

As developers themselves, the Gitleaks team set out to build a security tool that developers would love, with a strong emphasis on ease of use and adoption. This developer experience, alongside their steadfast maintenance of the project as individual contributors with little monetary support, made Gitleaks the secret detection tool of choice for many developers. Maintaining that momentum is no simple undertaking: shipping features and bug fixes, responding to issues in a timely manner, and fostering a community at the same time has proven a struggle for individual open source maintainers, Gitleaks' maintainers among them.

Jit, in its quest to build the first open and pluggable DevSecOps platform of its kind, understood that supporting excellent open source projects and the work of individual contributors had to be a first priority, and this is how its relationship with the Gitleaks team evolved. By supporting the maintenance work on this widely adopted project, Jit helped sustain a tool the entire ecosystem relies on and lowered the barrier to security for many organizations.

Meanwhile, Zach and Andrew selected Jit as the DevSecOps platform for the Gitleaks project itself. Jit adds security controls beyond secret detection to the Gitleaks repository, such as gosec for static analysis (SAST) of its Go code. This gives the maintainers confidence that changes to Gitleaks are not introducing security vulnerabilities into their own project.

Gitleaks has been using Jit regularly since v8.8.5, and in the words of Zachary Rice:

“Jit is a net-new security blanket for the Gitleaks project, and has been a great addition to our security stack.”

The most valuable benefit Gitleaks gained from Jit is a well-researched suite of tools with wide coverage, which freed the maintainers from having to research which scanners to run on their repositories and saved them a considerable amount of work. They did not have to spend cycles deciding which tools to use, configuring and setting them up properly, or integrating them into their CI/CD pipeline. That let them allocate their time to their main priority: making Gitleaks the best secret scanning tool it can be.