Pipeleak is a tool designed to scan GitLab job output logs and artifacts for potential secrets.
To begin using Pipeleak, download the latest binary from the Releases page.
Run the following command to scan your GitLab instance:
pipeleak scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.com
In addition to logs, Pipeleak can also scan artifacts generated by your pipelines.
pipeleak scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.com -a -c
Pro tip:
Note: Dotenv artifacts are not accessible through the GitLab API. To scan these, you need to manually provide your session cookie after logging in via a web browser. The session cookie name is _gitlab_session. The cookie should be valid for two weeks.
pipeleak scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.com -v -a -c [value-of-valid-_gitlab_session]
Filter the scanned projects by using the --search flag and provide a search query string.
Filter the scanned projects by using the --owned flag to only process projects owned by you.
Filter the scanned projects by using the --member flag to only process projects you are a member of.
Limit the number of scanned jobs by using the --job-limit flag.
shodan command: Use the Shodan command to identify GitLab instances that might allow anyone to register. This command assumes a JSON file from a Shodan export. Example query: product:"GitLab Self-Managed"
runners command: Identify all (shared) runners which are available globally or through a group where the user has at least developer access.
register command: Best-effort automation to register a new user on an instance.
When you run Pipeleak for the first time, it generates a rules.yml file based on this repository. You can customize your scan rules by modifying this file as needed.
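The line-by-line rule matching that the log and dotenv artifact scans above rely on, as an added Go sketch that is not Pipeleak's own code: the Finding type, the rule names and regexes (including the assumed 20-character glpat- token body) are assumptions, and the sample log is constructed.

```go
package main

import (
	"bufio"
	"regexp"
	"strings"
)

// Finding is one hit: line, rule, and the match with its middle masked.
type Finding struct {
	Line     int
	Rule     string
	Redacted string
}

// Rules in the spirit of rules.yml entries; schema, names and PAT body length are assumptions.
var rules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"gitlab-pat", regexp.MustCompile(`glpat-[A-Za-z0-9_\-]{20}`)},
	{"aws-access-key-id", regexp.MustCompile(`AKIA[0-9A-Z]{16}`)},
	{"dotenv-secret", regexp.MustCompile(`^[A-Z_]*(SECRET|TOKEN|PASSWORD)[A-Z_]*=\S+`)},
}

// redact masks the middle so the scan report is not itself another copy of the secret.
func redact(s string) string {
	if len(s) <= 8 {
		return strings.Repeat("*", len(s))
	}
	return s[:4] + strings.Repeat("*", len(s)-8) + s[len(s)-4:]
}

// ScanLog applies every rule to every line of a job log or dotenv artifact.
func ScanLog(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		for _, r := range rules {
			if m := r.Re.FindString(sc.Text()); m != "" {
				out = append(out, Finding{n, r.Name, redact(m)})
			}
		}
	}
	return out
}

// SampleLog is constructed; the key values are documentation examples, not live credentials.
const SampleLog = "Running with gitlab-runner 16.0\n" +
	"$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n" +
	"DEPLOY_TOKEN=glpat-abcdefghij1234567890\nJob succeeded\n"
```

A real rules file will carry many more patterns; the point here is that a hit is reported by line and rule name with the value masked, which is what a triage report should contain.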