DevSecOps Tutorial : How to implement Git-Secret Scanner in CI/CD Pipeline



I will walk through, step by step, how we can implement a Static Analysis Security Test (SAST) in your CI/CD pipeline. Before we get into the nitty-gritty of the CI/CD pipeline steps, below are the prerequisites for this tutorial:


CI Tool: An account on SaaS GitLab or GitLab on-premises, plus a GitLab Runner. Your GitLab Runner must have the Docker executor enabled; you can set it up via this link.

Project / Source Code: We will use free/open-source django project via

Git-Secret Tool

In this tutorial we will implement a SAST tool called Trufflehog. It is a git-secret scanner that searches deep into commit history and branches, which makes it effective at finding secrets that were accidentally committed.

Step 0 : Setup a GitLab Account and GitLab Runner

If you don't have a GitLab account yet, please refer to this URL to set it up first, because the steps below assume your GitLab is already set up.

Step 1: GitLab Repo setup & Clone django-nv source code

Once we have cloned the repo (as shared above) and created a new project in our GitLab, we need to update the yml file as below;


Step 2: Update your .gitlab-ci.yml file

# Reconstructed .gitlab-ci.yml. The top-level keys (stages, script, artifacts) and the
# job names other than sast-trufflehog were lost in extraction and are restored here;
# job names are assumed labels, one per stage, and can be renamed freely.
stages:
  - build
  - test
  - integration
  - prod

build:
  stage: build
  script:
    - echo "This is a build step"
    - echo "some tool output" > output.txt
  artifacts:
    paths: [output.txt]

sast:
  stage: build
  script:
    - docker pull secfigo/bandit
    # Run as the runner's uid/gid so the JSON report written into the mounted repo is not root-owned
    - docker run --user $(id -u):$(id -g) -v $(pwd):/src --rm secfigo/bandit bandit -r /src -f json -o /src/bandit-output.json
  artifacts:
    paths: [bandit-output.json]
    # when: on_failure
    when: always   # keep the report even when bandit exits non-zero on findings
  allow_failure: true

sast-trufflehog:
  stage: build
  script:
    - docker pull secfigo/trufflehog
    # file:///src scans the full git history of the mounted checkout, not just the working tree
    - docker run --user $(id -u):$(id -g) -v $(pwd):/src --rm secfigo/trufflehog trufflehog file:///src
  # A finding marks the job as failed (with a warning) but does not stop later stages;
  # drop this line once the team wants leaked secrets to block the pipeline
  allow_failure: true

oast:
  stage: test
  script:
    - docker pull hysnsec/safety
    - docker run -v $(pwd):/src --rm hysnsec/safety safety check -r requirements.txt --json > oast-results.json
  artifacts:
    paths: [oast-results.json]
    when: always
  allow_failure: true

integration:
  stage: integration
  script:
    - echo "This is an integration step"
    - exit 1
  allow_failure: true # Even if the job fails, continue to the next stages

prod:
  stage: prod
  script:
    - echo "This is a deploy step"
  when: manual # Continuous Delivery

Step 3: Commit YML file and Run the CI/CD Pipeline

Once we are done editing our .gitlab-ci.yml file, we click the "Commit" button below to run our git-secret test in the CI/CD pipeline.


Step 4: Run CI/CD Pipeline and See git-secret scanner result

We can see our CI/CD pipeline running on the pipeline page;


Step 5: See Git-Secret Trufflehog Scanner Result

To see our git-secret scanner result, we click on the sast-trufflehog job. The Trufflehog scanner shows its result in your CI/CD pipeline as below;


As we see above, there is a password leaked in the file user.json in our repository; the scanner also gives the Reason why it is a risk and which Branch is affected.
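Because the job above is marked allow_failure, a leak is only reported, never enforced. The script below is an added example (not part of the original tutorial or of Trufflehog itself) that reads Trufflehog's line-delimited JSON output, summarises findings by branch, file and reason, redacts the matched strings so the CI log does not re-leak them, and returns the exit code a gating job could use. The field names (branch, path, reason, stringsFound) are assumed from Trufflehog v2's JSON report, and the sample output is constructed.

```python
import json
from collections import Counter

# Constructed sample of Trufflehog v2 "--json" output: one JSON object per line.
# Field names (branch, path, reason, stringsFound) are assumed from Trufflehog v2's
# JSON report; the values are made up for this example and match no real repository.
SAMPLE_OUTPUT = """\
{"branch": "origin/master", "path": "user.json", "reason": "Generic Secret", "stringsFound": ["s3cr3t-p@ss"]}
{"branch": "origin/master", "path": "user.json", "reason": "High Entropy", "stringsFound": ["AKIAEXAMPLEEXAMPLEKEY"]}
{"branch": "origin/feature", "path": "settings.py", "reason": "High Entropy", "stringsFound": ["0123456789abcdef0123456789abcdef"]}
"""

def parse_findings(text):
    """Parse line-delimited JSON; skip blank or non-JSON lines (e.g. progress text in the job log)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            findings.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return findings

def summarize(findings):
    """Count findings per (branch, path, reason), sorted, so each leaked file is listed once per reason."""
    counts = Counter((f.get("branch"), f.get("path"), f.get("reason")) for f in findings)
    return sorted(counts.items())

def redact(secret, keep=4):
    """Keep only the first `keep` characters so the CI log does not re-leak the secret."""
    return secret[:keep] + "*" * max(0, len(secret) - keep)

def gate(findings, ignored_paths=()):
    """Exit code for the CI job: 1 if any finding lies outside the reviewed/ignored paths, else 0."""
    return 1 if any(f.get("path") not in ignored_paths for f in findings) else 0

if __name__ == "__main__":
    found = parse_findings(SAMPLE_OUTPUT)
    for (branch, path, reason), n in summarize(found):
        print(f"{branch}\t{path}\t{reason}\t{n} finding(s)")
    for f in found:
        print("  ", f["path"], [redact(s) for s in f.get("stringsFound", [])])
    raise SystemExit(gate(found))
```

In the pipeline this would run as `trufflehog --json file:///src | python3 gate.py` with allow_failure removed from the job, so a finding outside the ignored paths fails the build stage.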


We have finished setting up Git-Secret Trufflehog in our CI/CD pipeline. So far we have done the following;

  1. We set up the project and cloned the django-nv source code into GitLab.
  2. We updated the .gitlab-ci.yml file with the Dockerised Trufflehog SAST tool as a git-secret scanner.
  3. We successfully found the leaked password in our code from the sast-trufflehog job's scan.
  4. We have a git-secret report in the CI/CD pipeline log to drive the remediation plan for our code.

Next you should read:

Dynamic Analysis Security Test (DAST).

Tutorial -> How to implement DAST in CI/CD Pipeline.
