{"id":22724454,"url":"https://github.com/compasssecurity/pipeleak","last_synced_at":"2025-07-13T08:08:39.643Z","repository":{"id":267413974,"uuid":"836151286","full_name":"CompassSecurity/pipeleak","owner":"CompassSecurity","description":"Pipeleak is a tool designed to scan CI/CD logs and artifacts for secrets","archived":false,"fork":false,"pushed_at":"2025-07-02T05:57:59.000Z","size":843,"stargazers_count":13,"open_issues_count":11,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-07-02T06:39:36.302Z","etag":null,"topics":["github","gitlab","secrets"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CompassSecurity.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-07-31T08:56:38.000Z","updated_at":"2025-07-02T05:57:56.000Z","dependencies_parsed_at":"2025-01-30T16:29:08.254Z","dependency_job_id":"df722ea0-df6a-4dda-835c-9931d19e0f96","html_url":"https://github.com/CompassSecurity/pipeleak","commit_stats":null,"previous_names":["compasssecurity/pipeleak"],"tags_count":47,"template":false,"template_full_name":null,"purl":"pkg:github/CompassSecurity/pipeleak","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CompassSecurity%2Fpipeleak","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CompassSecurity%2Fpipeleak/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CompassSecurity%2Fpipeleak/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/
GitHub/repositories/CompassSecurity%2Fpipeleak/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CompassSecurity","download_url":"https://codeload.github.com/CompassSecurity/pipeleak/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CompassSecurity%2Fpipeleak/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265108514,"owners_count":23712466,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github","gitlab","secrets"],"created_at":"2024-12-10T15:06:37.254Z","updated_at":"2025-07-13T08:08:39.623Z","avatar_url":"https://github.com/CompassSecurity.png","language":"Go","readme":"\u003cp align=\"center\"\u003e\n  \u003cimg height=\"200\" src=\"https://github.com/CompassSecurity/pipeleak/blob/main/docs/logo.png?raw=true\"\u003e\n\u003c/p\u003e\n\n![GitHub Release](https://img.shields.io/github/v/release/CompassSecurity/pipeleak)\n![GitHub commits since latest release](https://img.shields.io/github/commits-since/CompassSecurity/pipeleak/latest)\n\n# Pipeleak\n\nPipeleak is a tool designed to scan CI/CD logs and artifacts for secrets.\n\nIt supports the following platforms:\n* GitLab\n* GitHub\n* BitBucket\n* Azure DevOps\n\n## Getting Started\n\nTo begin using Pipeleak, download the latest binary from the [Releases](https://github.com/CompassSecurity/pipeleak/releases) page.\n\n### General Usage\n\nRun the following command to scan your e.g. 
GitLab instance:\n\n```bash\npipeleak gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.com\n```\n\n### Scanning Artifacts\n\nIn addition to logs, Pipeleak can also scan artifacts generated by your pipelines.\n\nNote: Scanning artifacts uses a lot of memory!\n```bash\npipeleak gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.com -a\n```\n\n### Confidence\n\nThe following confidence levels for scans are used by default:\n* `low`\n* `medium`\n* `high`\n* `high-verified`: these are validated by the corresponding TruffleHog validator.\n\nHowever, if you want to add custom ones, you can define any value in the `rules.yml` file.\nTo scan only for specific levels, specify them via the CLI flag, e.g. `--confidence=high,medium`; separate multiple values with commas.\n\nNote: `high-verified` cannot be removed, but verification can be disabled using `--truffleHogVerification=false`.\n\n### Customizing Scan Rules\n\nWhen you run Pipeleak for the first time, it generates a `rules.yml` file based on [this repository](https://github.com/mazen160/secrets-patterns-db/blob/master/db/rules-stable.yml). You can customize your scan rules by modifying this file as needed.\n\n### Keybindings\n\nIn `scan` mode you can switch log levels interactively by pressing `t`: Trace, `d`: Debug, `i`: Info, `w`: Warn, `e`: Error. Pressing `s` will output the current queue status.\n\n# Platform Specific Hints\n\n## GitLab\n\n### Dotenv\n\n[Dotenv artifacts](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdotenv) are not accessible through the GitLab API. To scan these, you need to manually provide your session cookie after logging in via a web browser. The session cookie name is `_gitlab_session`. 
The cookie should be valid for [two weeks](https://gitlab.com/gitlab-org/gitlab/-/issues/395038).\n\n```bash\npipeleak gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.com -v -a -c [value-of-valid-_gitlab_session]\n```\n\n### Memory Usage\n\nAs the scanner processes a lot of resources (especially when using `--artifacts`), memory, CPU and disk usage can become hard to manage.\nYou can tweak `--threads`, `--max-artifact-size` and `--job-limit` to tune performance and achieve stable processing.\n\n### Additional Features\n\n`shodan` command: identify GitLab instances that might allow anyone to register. This command expects a JSON file from a Shodan export. Example query: `product:\"GitLab Self-Managed\"`\n\n`runners` command: Identify (shared) runners which are available globally or through a group where the user has at least developer access. Create projects with a default exploitation `.gitlab-ci.yml` file.\n\n`register` command: Best effort automation to register a new user on an instance.\n\n`vuln` command: Check the installed version for CVEs in the NIST Vulnerability database\n\n`variables` command: Enumerate configured project/group/instance variables\n\n`secureFiles` command: Enumerate secure files\n\n`enum` command: Enumerate user permissions and access\n\n`renovate enum` command: Enumerate Renovate configurations including [Autodiscovery](https://blog.compass-security.com/2025/05/renovate-keeping-your-updates-secure/) configuration. Use `-v` to print CI/CD config.\n\n`renovate autodiscovery` command: Exploit vulnerable Renovate autodiscovery configurations. 
Creates a PoC repo.\n\n`renovate privesc` command: Inject a malicious CI/CD Job into the protected default branch abusing Renovate Bot's access and [Auto-Merge](https://blog.compass-security.com/2025/05/renovate-keeping-your-updates-secure/).\n\n`cicd yaml` command: Fetch the full CI/CD YAML configuration (compiles all references)\n\n### GitLab Proxy Support\n\n\u003e **Note:** Proxying is currently supported only for GitLab commands.\n\nSince Go binaries aren't compatible with Proxychains, you can set a proxy using the HTTP_PROXY environment variable.\n\nFor HTTP proxy (e.g., Burp Suite):\n```bash\nHTTP_PROXY=http://127.0.0.1:8080 pipeleak gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.com\n```\n\nFor SOCKS5 proxy:\n```bash\nHTTP_PROXY=socks5://127.0.0.1:8080 pipeleak gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.com\n```\n\n## GitHub\n\nScan owned repositories including their artifacts\n```bash\npipeleak gh scan --token github_pat_xxxxxxxxxxx --artifacts --owned\n```\n\nScan repositories of an organization\n```bash\npipeleak gh scan --token github_pat_xxxxxxxxxxx --artifacts --maxWorkflows 10 --org apache\n```\n\nScan public repositories\n```bash\npipeleak gh scan --token github_pat_xxxxxxxxxxx --artifacts --maxWorkflows 10 --public\n```\n\nScan by search term\n```bash\npipeleak gh scan --token github_pat_xxxxxxxxxxx --artifacts --maxWorkflows 10 --search iac\n```\n\nScan repositories of a user\n```bash\npipeleak gh scan --token github_pat_xxxxxxxxxxx --artifacts --user firefart\n```\n\n## BitBucket\n\n\u003e To scan artifacts, internal APIs are called. 
Thus you need to extract the session cookie value `cloud.session.token` from https://bitbucket.org using your browser and supply it via the `-c` flag.\n\nScan your owned repositories and their artifacts\n```bash\npipeleak bb scan -t xxxxxxxxxxx -c eyJxxxxxxxxxxx -u auser --owned --artifacts\n```\n\nScan a workspace (find public ones here: https://bitbucket.org/repo/all/) without artifacts\n```bash\npipeleak bb scan --token xxxxxxxxxxx --username auser --workspace bitbucketpipelines\n```\n\nScan all public repositories without their artifacts\n\u003e If using `after`, the API becomes quite unreliable 👀\n```bash\npipeleak bb scan --token xxxxxxxxxxx --username auser --public --maxPipelines 5 --after 2025-03-01T15:00:00+00:00\n```\n\n## Azure DevOps\n\nScan all pipelines the current user has access to\n```bash\npipeleak ad scan --token xxxxxxxxxxx --username auser --artifacts\n```\n\nScan all pipelines of an organization\n```bash\npipeleak ad scan --token xxxxxxxxxxx --username auser --artifacts --organization myOrganization\n```\n\nScan all pipelines of a project, e.g. https://dev.azure.com/PowerShell/PowerShell\n```bash\npipeleak ad scan --token xxxxxxxxxxx --username auser --artifacts --organization powershell --project PowerShell\n```\n\n### Authentication\n\nCreate your PAT here: https://dev.azure.com/{yourproject}/_usersSettings/tokens\n\n\u003e In the top right corner you can choose the scope (Global, Project etc.).\n\u003e Global in that case means per tenant. If you have access to multiple tenants you need to run a scan per tenant.\n\u003e Get your username from an HTTPS git clone URL in the UI.\n\n# ELK Integration\n\nTo easily analyze the results you can [redirect the pipeleak](https://github.com/deviantony/docker-elk?tab=readme-ov-file#injecting-data) output using `nc` into Logstash.\n\nSet up a local ELK stack using https://github.com/deviantony/docker-elk. 
\n\nThen you can start a scan:\n```bash\npipeleak gl scan --token glpat-xxxxxxxxxxx --gitlab https://gitlab.com --json | nc -q0 localhost 50000\n```\n\nUsing Kibana you can filter for interesting messages based on the JSON attributes of the output.\n\nFor example, `message.level=warn and message.confidence=verified` finds verified results.\n\n![Kibana Search](docs/kibana.png)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcompasssecurity%2Fpipeleak","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcompasssecurity%2Fpipeleak","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcompasssecurity%2Fpipeleak/lists"}