The Why

Scanning for credentials in CI/CD pipelines is interesting because secrets often end up in pipeline logs or build artifacts that traditional Git scanners won’t check. This means you can catch leaked secrets that are injected or generated at runtime, not just those committed to Git.

Once secrets are discovered, further exploitation often requires additional tooling. Pipeleak provides several helper commands to assist with this process.

Getting Started

  1. Visit the Pipeleak GitHub Releases page.
  2. Download the binary for your operating system and architecture (e.g., Linux, macOS, Windows).
  3. Extract the archive:
    tar -xzf pipeleak-<version>-<os>-<arch>.tar.gz
    
  4. Make the binary executable:
    chmod +x pipeleak
    
  5. Run Pipeleak
    ./pipeleak --help
    
    This will show the available commands and options.

Basic Example

The most basic example scans GitLab pipeline logs for secrets; check the docs for other platforms and further options.

pipeleak gl scan --token glpat-[redacted] --gitlab https://gitlab.com

Scanning Artifacts

In addition to logs, Pipeleak can also scan artifacts generated by pipelines.

Note that the scan commands must be configured to scan artifacts. This is usually disabled by default.

pipeleak gl scan --token glpat-[redacted] --gitlab https://gitlab.example.com -a

Result Confidence

The following confidence levels for detected secrets are used by default:

  * low
  * medium
  * high
  * high-verified (validated by the corresponding TruffleHog verifier)

TruffleHog verification is enabled by default! The verifiers test the found secrets actively, which means that logins with the discovered credentials happen on the respective platforms. Disable it for OPSEC when needed.

However, if you want to add custom levels, you can define any value in the rules.yml file.

To scan only for specific levels, specify them via the CLI flag, e.g. --confidence=high,medium. Define multiple levels by separating the values with commas.

Note: high-verified cannot be removed, but verification can be disabled using --truffleHogVerification=false.
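To make the artifact scanning and confidence filtering described above concrete, here is an added illustration in Python. It is not Pipeleak's code: a small rule set with constructed confidence levels is run over a constructed job log and over an in-memory .tar.gz artifact, and the findings are then filtered the way a --confidence=high,medium selection would. Rule names, regex patterns, sample log lines and archive contents are all made up for the example; Pipeleak's real rules live in rules.yml, and the high-verified level comes from TruffleHog's active verification, which this example deliberately does not implement.

```python
"""Constructed illustration of log + artifact secret scanning with confidence levels.

Not Pipeleak's implementation; rules, sample data and levels are invented here.
"""
import io
import re
import tarfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    confidence: str  # "low" | "medium" | "high" (mirrors the levels on the page)


# Hypothetical rules for the demo; real deployments keep these in rules.yml.
RULES = [
    Rule("gitlab-pat", re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b"), "high"),
    Rule("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "high"),
    Rule("generic-password-assignment", re.compile(r"(?i)\bpassword\s*[=:]\s*\S+"), "medium"),
    Rule("keyword-secret", re.compile(r"(?i)\bsecret\b"), "low"),
]


@dataclass(frozen=True)
class Finding:
    source: str      # "<log or archive>:<member path>"
    line_no: int
    rule: str
    confidence: str
    match: str       # redacted so a report never re-leaks the value


def redact(value: str) -> str:
    """Keep only a short prefix of the matched text."""
    return value[:6] + "..." if len(value) > 6 else "***"


def scan_text(source: str, text: str) -> list[Finding]:
    """Run every rule over every line of a text blob (a job log, a .env file, ...)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule in RULES:
            for m in rule.pattern.finditer(line):
                findings.append(Finding(source, line_no, rule.name, rule.confidence, redact(m.group(0))))
    return findings


def scan_artifact(name: str, archive_bytes: bytes) -> list[Finding]:
    """Walk a .tar.gz artifact in memory and scan each regular, UTF-8 decodable member."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary member (images, compiled objects): skip
            findings.extend(scan_text(f"{name}:{member.name}", text))
    return findings


def filter_confidence(findings: list[Finding], levels: str) -> list[Finding]:
    """Keep findings whose level is in a comma-separated selection such as 'high,medium'."""
    wanted = {level.strip() for level in levels.split(",")}
    return [f for f in findings if f.confidence in wanted]


# Constructed sample job log; the token and password values are placeholders.
SAMPLE_LOG = """\
$ echo "Running deploy"
Running deploy
$ export PASSWORD=hunter2hunter2
$ curl -H "PRIVATE-TOKEN: glpat-EXAMPLEEXAMPLEEXAMPLE1234" https://gitlab.example.com/api/v4/projects
The secret sauce is in the Makefile
"""


def build_sample_artifact() -> bytes:
    """Build a constructed .tar.gz with one text member (leaky .env) and one binary member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        env = b"AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12\nother=1\n"
        info = tarfile.TarInfo(name="build/.env")
        info.size = len(env)
        tar.addfile(info, io.BytesIO(env))
        png = b"\x89PNG\r\n\x1a\n" + bytes(range(256))  # not valid UTF-8, will be skipped
        info2 = tarfile.TarInfo(name="build/logo.png")
        info2.size = len(png)
        tar.addfile(info2, io.BytesIO(png))
    return buf.getvalue()


def run_demo(confidence: str = "low,medium,high") -> list[Finding]:
    """Scan the constructed log and artifact, then apply the confidence selection."""
    findings = scan_text("job-42.log", SAMPLE_LOG)
    findings += scan_artifact("job-42-artifacts.tar.gz", build_sample_artifact())
    return filter_confidence(findings, confidence)


if __name__ == "__main__":
    for f in run_demo("high,medium"):
        print(f"{f.confidence:<7} {f.rule:<28} {f.source}:{f.line_no} {f.match}")
```

The artifact walk is the part log-only scanners miss: the leaked key sits in a `.env` file inside the archive, not in any log line. Findings carry only a redacted prefix of the match, so the scanner's own report does not become a second copy of the secret.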

Customizing Scan Rules

When you run Pipeleak for the first time, it generates a rules.yml file based on this repository. You can customize your scan rules by modifying this file as needed.

Keybindings

In scan mode you can switch interactively between log levels by pressing t: Trace, d: Debug, i: Info, w: Warn, e: Error. Pressing s prints the current status.