Gitleaks Collector - Lunar Collector

Gitleaks Collector

Collector | Beta | Security

Detects hardcoded secrets using Gitleaks in two modes: auto-runs scans on every repo, and detects existing Gitleaks executions in CI pipelines to collect their report files. Results are written to the normalized .secrets Component JSON category.

Add gitleaks to your lunar-config.yml:
uses: github://earthly/lunar-lib/collectors/gitleaks@v1.0.5

What This Integration Collects

This integration includes 2 collectors that gather metadata from your systems.

Collector: scan (hook type: code)

Auto-runs Gitleaks against the repository source code. Parses the JSON report and writes normalized findings to .secrets with source metadata.

Tags: gitleaks, secrets, credentials, api keys, secret scanning
Collector: cicd (hook type: ci-after-command)

Detects Gitleaks execution in CI pipelines. Records command metadata to .native.gitleaks.cicd.cmds and collects the JSON report file if --report-path / -r can be parsed from the command. Collected reports are written to .secrets.cicd (normalized) and .native.gitleaks.cicd.report (raw).

Tags: gitleaks, ci detection, secret scanning, ci

How Collectors Fit into Lunar

Lunar watches your code and CI/CD systems to collect SDLC data from config files, test results, IaC, deployment configurations, security scans, and more.

Collectors are the automatic data-gathering layer. They extract structured metadata from your repositories and pipelines, feeding it into Lunar's centralized database where guardrails evaluate it to enforce your engineering standards.

How the pieces fit together:

1. Collectors gather data (this integration): triggered by code changes or CI pipelines, collectors extract metadata from config files, tool outputs, test results, and scans.
2. Centralized as JSON: all data is merged into each component's unified metadata document.
3. Guardrails enforce standards: real-time feedback in PRs and AI workflows.

Example Collected Data

This collector writes structured metadata to the Component JSON. Here's an example of the data it produces:

component.json (Component JSON):
{
  "secrets": {
    "source": {
      "tool": "gitleaks",
      "version": "8.21.2",
      "integration": "code"
    },
    "issues": [
      {
        "rule": "generic-api-key",
        "file": "config/settings.py",
        "line": 42,
        "secret_type": "Generic API Key"
      }
    ],
    "cicd": [
      {
        "rule": "aws-access-key-id",
        "file": "deploy.sh",
        "line": 10,
        "secret_type": "AWS Access Key ID"
      }
    ],
    "native": {
      "gitleaks": {
        "auto": {
          "report": [
            {
              "RuleID": "generic-api-key",
              "File": "config/settings.py",
              "StartLine": 42,
              "Commit": "abc1234",
              "Description": "Generic API Key"
            }
          ]
        },
        "cicd": {
          "cmds": [
            {"cmd": "gitleaks detect --report-path results.json --source .", "version": "8.21.2"}
          ],
          "report": [
            {
              "RuleID": "aws-access-key-id",
              "File": "deploy.sh",
              "StartLine": 10,
              "Commit": "def5678",
              "Description": "AWS Access Key ID"
            }
          ]
        }
      }
    }
  }
}

Documentation

Gitleaks Collector

Detects hardcoded secrets using Gitleaks — either by auto-running scans or by collecting results from existing Gitleaks CI executions.

Overview

This collector detects hardcoded secrets using Gitleaks in two modes: the scan sub-collector auto-runs Gitleaks on every repo, while the cicd sub-collector detects existing Gitleaks executions in CI and collects their report files. Results are normalized into the .secrets Component JSON category for the secrets policy.

Collected Data

This collector writes to the following Component JSON paths:

Path | Type | Description
.secrets.source | object | Source metadata (tool, version, integration)
.secrets.issues[] | array | Normalized findings with rule, file, line, type (empty = clean)
.secrets.cicd[] | array | Normalized findings from CI report (when report file found)
.secrets.native.gitleaks.auto | object | Raw Gitleaks report (auto-scan)
.secrets.native.gitleaks.cicd.cmds | array | CI command metadata
.secrets.native.gitleaks.cicd.report | array | Raw CI report (when report file found)

Collectors

This plugin provides the following collectors (use include to select a subset):

Collector | Hook Type | Description
scan | code | Auto-runs Gitleaks against repository source code
cicd | ci-after-command | Detects Gitleaks CLI executions in CI and collects report file

Installation

Add to your lunar-config.yml:

collectors:
  - uses: github://earthly/lunar-lib/collectors/gitleaks@main
    on: ["domain:your-domain"]  # Or use tags

No configuration or secrets required. The scan sub-collector runs Gitleaks automatically using the gitleaks-main container image. The cicd sub-collector detects existing Gitleaks invocations in CI pipelines and collects their report files.

The scan collector uses --no-git mode to scan the working directory without requiring git history. Findings are limited to 50 per scan to avoid oversized Component JSON payloads.
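The normalization the scan sub-collector performs can be shown end to end. The following is an added example written for this page, not the lunar-lib collector's own code: it assumes the raw input is the JSON array Gitleaks writes with --report-path, keeps only the raw fields that appear in the Component JSON example above (RuleID, File, StartLine, Commit, Description), treats an empty or absent report as "clean", and applies the 50-finding cap. Gitleaks' Secret and Match fields are dropped deliberately, so the secret value itself is never copied into the Component JSON. The sample report and the version string are constructed.

```python
"""Normalize a Gitleaks JSON report into the .secrets Component JSON shape.

Added example, not the lunar-lib collector's own code. Assumes the raw report
is Gitleaks' JSON array output; only an allow-list of raw fields is kept, so
the Secret/Match values never reach the Component JSON.
"""
import json

MAX_FINDINGS = 50  # documented cap: at most 50 findings per scan
KEEP_RAW_FIELDS = ("RuleID", "File", "StartLine", "Commit", "Description")

# Constructed sample in Gitleaks' report format; the secret values are fake.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "generic-api-key", "File": "config/settings.py",
     "StartLine": 42, "EndLine": 42, "Commit": "abc1234",
     "Description": "Generic API Key",
     "Secret": "FAKE-SECRET-VALUE", "Match": "API_KEY = 'FAKE-SECRET-VALUE'"},
])


def normalize_finding(raw):
    """Map one raw Gitleaks finding to a .secrets.issues[] entry."""
    return {
        "rule": raw.get("RuleID"),
        "file": raw.get("File"),
        "line": raw.get("StartLine"),
        "secret_type": raw.get("Description"),
    }


def strip_raw(raw):
    """Keep only allow-listed raw fields for .native.gitleaks.auto.report."""
    return {k: raw.get(k) for k in KEEP_RAW_FIELDS}


def parse_report(report_text):
    """Parse Gitleaks' JSON output; an empty or missing report means clean."""
    if not report_text or not report_text.strip():
        return []
    findings = json.loads(report_text)
    if not isinstance(findings, list):
        raise ValueError("Gitleaks JSON report must be an array of findings")
    return findings


def build_secrets(report_text, version):
    """Build the .secrets object the scan (auto) sub-collector writes."""
    findings = parse_report(report_text)[:MAX_FINDINGS]  # cap payload size
    return {
        "source": {"tool": "gitleaks", "version": version, "integration": "code"},
        "issues": [normalize_finding(f) for f in findings],  # [] == clean
        "native": {"gitleaks": {"auto": {"report": [strip_raw(f) for f in findings]}}},
    }


def contains_value(secrets, value):
    """True if a raw string (e.g. a secret value) appears anywhere in the output."""
    return value in json.dumps(secrets)


def make_report(n):
    """Constructed report with n findings, used to exercise the cap."""
    return json.dumps([
        {"RuleID": "generic-api-key", "File": "src/app.py", "StartLine": i,
         "Commit": "0000000", "Description": "Generic API Key",
         "Secret": "FAKE"} for i in range(n)
    ])


if __name__ == "__main__":
    print(json.dumps({"secrets": build_secrets(SAMPLE_REPORT, "8.21.2")}, indent=2))
```

The allow-list is the important design choice: the Component JSON is stored centrally and surfaced in PR feedback, so carrying Gitleaks' Secret or Match fields into it would re-leak the very value the scan found. The cap is applied before either view is built, so the normalized and raw arrays always describe the same findings.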

The cicd collector parses --report-path / -r from the traced command to locate and collect the Gitleaks JSON report file, similar to the syft CI collector pattern.
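To show what parsing --report-path / -r from a traced command involves, here is an added example, again not the lunar-lib cicd collector's own code. It assumes the traced command is available as a single string, that the report path may be passed as "--report-path X", "--report-path=X", "-r X" or "-rX", and that Gitleaks' -f/--report-format flag defaults to json (a non-JSON format means there is no JSON report to collect, so only the command metadata is recorded). Refusing to read a report that resolves outside the CI workspace is this example's own defensive choice, not documented collector behaviour. The command lines and the empty report file are constructed.

```python
"""Locate the report file named by a traced Gitleaks CI command.

Added example, not the lunar-lib cicd collector's own code. Assumes pflag-style
flag forms for -r/--report-path and -f/--report-format (json by default).
"""
import os
import shlex
import tempfile


def _flag_value(argv, long_flag, short_flag):
    """Last value given for long_flag/short_flag in argv, or None.

    Accepts '--flag value', '--flag=value', '-x value', '-x=value', '-xvalue'.
    """
    value = None
    i = 1  # argv[0] is the binary
    while i < len(argv):
        arg = argv[i]
        if arg in (long_flag, short_flag):
            if i + 1 < len(argv):
                value = argv[i + 1]
                i += 1
        elif arg.startswith(long_flag + "="):
            value = arg[len(long_flag) + 1:]
        elif (arg.startswith(short_flag) and not arg.startswith("--")
              and len(arg) > len(short_flag)):
            value = arg[len(short_flag):].lstrip("=")
        i += 1
    return value


def extract_report_path(cmd):
    """Report path from a Gitleaks command line, or None.

    None means: record .cmds metadata only. It covers a command that is not
    gitleaks, has no -r/--report-path, uses a non-JSON --report-format, or
    cannot be tokenized.
    """
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None  # unbalanced quotes: do not guess at a path
    if not argv or os.path.basename(argv[0]) != "gitleaks":
        return None
    fmt = _flag_value(argv, "--report-format", "-f") or "json"
    if fmt.lower() != "json":
        return None
    return _flag_value(argv, "--report-path", "-r")


def locate_report(cmd, workdir):
    """Absolute path of the report if it parses, stays inside workdir and
    exists; otherwise None. (Workspace confinement is this example's choice.)"""
    rel = extract_report_path(cmd)
    if rel is None:
        return None
    root = os.path.realpath(workdir)
    full = os.path.realpath(os.path.join(root, rel))
    if full != root and not full.startswith(root + os.sep):
        return None  # the path escaped the CI workspace
    return full if os.path.isfile(full) else None


def cicd_cmd_entry(cmd, version):
    """Entry for .secrets.native.gitleaks.cicd.cmds[] (version assumed known)."""
    return {"cmd": cmd, "version": version}


def demo():
    """Run the parser over constructed commands in a throwaway workspace."""
    results = {}
    with tempfile.TemporaryDirectory() as ws:
        with open(os.path.join(ws, "results.json"), "w", encoding="utf-8") as fh:
            fh.write("[]\n")  # constructed: an empty (clean) Gitleaks report
        cases = {
            "space": "gitleaks detect --report-path results.json --source .",
            "equals": "gitleaks detect --report-path=results.json --no-git",
            "short": "/usr/local/bin/gitleaks detect -r results.json",
            "attached": "gitleaks detect -rresults.json",
            "missing_file": "gitleaks detect -r other.json",
            "no_report": "gitleaks detect --source .",
            "sarif": "gitleaks detect -r results.json -f sarif",
            "escape": "gitleaks detect -r ../outside.json",
            "not_gitleaks": "othertool scan . --json",
        }
        for name, cmd in cases.items():
            results[name] = {"parsed": extract_report_path(cmd),
                             "found": locate_report(cmd, ws) is not None}
    return results


if __name__ == "__main__":
    for name, res in demo().items():
        print(f"{name:13} parsed={res['parsed']!r} found={res['found']}")
```

The two-stage split mirrors the collector's documented behaviour: the command metadata is always recorded, while the report is collected only when a path can be parsed and the file is actually there. Checking --report-format avoids feeding a SARIF or CSV file to a JSON parser, and confining the lookup to the workspace keeps a traced command from steering the collector at files it should not read.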

Open Source

This collector is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.
