Protect and discover secrets using Gitleaks 🔑
MIT License
Published by zricethezav over 3 years ago
--no-git was reporting absolute paths in the file field of reports when running inside Docker. The file field is now relative to --path for all scan types.
Published by zricethezav over 3 years ago
.git folders: https://github.com/zricethezav/gitleaks/pull/507
Published by zricethezav almost 4 years ago
-q/--quiet flag for JSON-only logging: https://github.com/zricethezav/gitleaks/pull/491
.git matching for --no-git scans: https://github.com/zricethezav/gitleaks/issues/486. Thank you @ramimac
Published by zricethezav almost 4 years ago
--file-at-commit still suffered from #482. Big thanks to @ramimac for surfacing this.
Published by zricethezav almost 4 years ago
Below are some results:
v7.1.0: gitleaks --repo=https://github.com/rails/rails --threads=12
INFO[0000] cloning... https://github.com/rails/rails
INFO[0134] scan time: 1 minute 51 seconds 828 milliseconds 144 microseconds
INFO[0134] commits scanned: 89801
WARN[0134] leaks found: 4
v7.0.2: gitleaks --repo=https://github.com/rails/rails --threads=12
INFO[0000] cloning... https://github.com/rails/rails
INFO[0239] scan time: 3 minutes 36 seconds 45 milliseconds 232 microseconds
INFO[0239] commits scanned: 89801
WARN[0239] leaks found: 4
--leaks-exit-code flag:
--leaks-exit-code=  Exit code when leaks have been encountered (default: 1)
The default codes:
0 - no leaks found
1 - leaks or errors encountered
Published by zricethezav almost 4 years ago
A lot. v7.0.0 might piss some people off but hey, that's why v6.2.0 exists. I kinda hated the way Gitleaks was structured, which resulted in a creeping dread when even thinking about maintaining this project. So I did what any good software engineer would do (the following is a joke): completely rewrote gitleaks (okay okay, some of the utils and algos stayed the same). So you may be wondering, why did I do this? Well, I'm hoping this will help the longevity of the project and make it easier to contribute now that the code follows a factory pattern (see the scan package). Perhaps what folks will be most upset about is the removal of the hosts option: no more scanning groups, projects, owners, users, or PRs/MRs directly using gitlab/github's APIs. This is something I just don't want to maintain anymore, so feel free to use gitleaks as a library and create your own github/gitlab gitleaks scanner, or use this script. On a lighter note, v7.0.0 includes some new features.
Removed --pretty. Pretty printing leaks is now the default.
Removed the --timeout option.
Replaced --repo-config with --repo-config-path. This will load a repo's config if available.
Replaced --repo-path and --owner-path with -p, --path. Gitleaks will determine if --path is a git repo or a directory containing git repos. If supplied with the --no-git option, gitleaks will scan all the contents of --path, which can be a directory or a file.
Replaced --repo with --repo-url.
Replaced --disk with --clone-path. No more cloning to a tmp dir.
Scans with --branch or --depth set are speedier, as both --branch and --depth are set as clone options.
Replaced --uncommited with --unstaged.
Published by zricethezav almost 4 years ago
reportGroup field for rules in gitleaks configs: https://github.com/zricethezav/gitleaks/pull/456
Published by zricethezav about 4 years ago
Solution to #432 by adding commits and commits-file options.
--commits=<comma separated list of commits>
--commits-file=<path to file containing a list of commits separated by newlines>
commits or commits-file should be used in favor of commit-to and commit-from, as there is a reachability issue: commit-from is not guaranteed to reach commit-to, so you risk scanning many more commits than originally intended.
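To make the reachability problem concrete, here is an added illustration in Python (not Gitleaks' code) over a constructed commit graph: it models a history walk that starts at commit-to and stops when it meets commit-from (an assumed behaviour, used only to show the failure mode), checks ancestry before trusting such a range, and produces the explicit list that --commits-file expects.

```python
"""Added example, not Gitleaks' own code: why an explicit commit list is
safer than a commit-from/commit-to range when the two may not be related."""

# Constructed history (not a real repository):
#   r -- a -- b -- c        (main)
#          \
#           f1 -- f2        (feature branch forked at a)
PARENTS = {"r": [], "a": ["r"], "b": ["a"], "c": ["b"], "f1": ["a"], "f2": ["f1"]}


def ancestors(commit, parents=PARENTS):
    """All commits reachable from `commit`, itself included."""
    seen, stack = set(), [commit]
    while stack:
        c = stack.pop()
        if c not in seen:
            seen.add(c)
            stack.extend(parents[c])
    return seen


def is_ancestor(older, newer, parents=PARENTS):
    """True when `older` is reachable from `newer` (git merge-base --is-ancestor)."""
    return older in ancestors(newer, parents)


def walk_until(commit_to, commit_from, parents=PARENTS):
    """Assumed model of a range scan: walk from commit_to toward the root and
    stop when commit_from is met (exclusive). If commit_from is not an ancestor
    of commit_to the stop condition never fires and the walk reaches the root."""
    walked, seen, stack = [], set(), [commit_to]
    while stack:
        c = stack.pop()
        if c in seen or c == commit_from:
            continue
        seen.add(c)
        walked.append(c)
        stack.extend(parents[c])
    return walked


def commits_for_range(commit_from, commit_to, parents=PARENTS):
    """Bounded commit list for the range, refusing unrelated endpoints instead
    of silently scanning the whole history."""
    if not is_ancestor(commit_from, commit_to, parents):
        raise ValueError(f"{commit_from} does not reach {commit_to}")
    return walk_until(commit_to, commit_from, parents)


def commits_file(commits):
    """Newline-separated content in the form --commits-file expects."""
    return "\n".join(commits) + "\n"
```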
Published by zricethezav about 4 years ago
This release adds OASIS SARIF support with --report-format=sarif, which will write your report using the SARIF schema. Note this is the first implementation of gitleaks+sarif, so if anyone has any suggestions or wanted changes please open a PR.
Users can now include regular expressions in a global allowlist. This is potentially useful if your code is riddled with example credentials and secrets. Below is a sample config which demonstrates how this can be used:
[[rules]]
description = "AWS Manager ID"
regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
tags = ["key", "AWS"]
[allowlist]
description = "global allowlists"
files = [
'''(.*?)(jpg|gif)$''',
'''(.*?)(doc|pdf|bin)$''',
'''(.*?)(gitleaks.toml)$'''
]
regexes = [
'''(.*?)gitleaks:allow'''
]
This example will consider the line aws_access_key_id='AKIAIO5FODNN7EXAMPLE' #example credential a leak, whereas aws_access_key_id='AKIAIO5FODNN7EXAMPLE' #gitleaks:allow would not be considered a leak, as it has the comment #gitleaks:allow which matches the global allowlist presented above.
This PR also includes some breaking changes to the configuration file hence the bump to v6.
Previous config format:
[[rules]]
description = "a string describing one of many rules in this config"
regex = '''one-go-style-regex-for-this-rule'''
filenameregex = '''a-file-name-regex'''
filepathregex = '''a-file-path-regex'''
tags = ["tag","another tag"]
  [[rules.entropies]] # note these are strings, not floats
  Min = "3.5"
  Max = "4.5"
  Group = "1"
  [[rules.allowlist]]
  description = "a string"
  file = '''one-file-name-regex'''
  path = '''one-file-path-regex'''
  regex = '''one-regex-within-the-already-matched-regex'''
[allowlist]
description = "a description string for only _ONE_ allowlist config"
commits = [ "commit-A", "commit-B"]
files = [ '''file-regex-a''', '''file-regex-b''']
paths = [ '''path-regex-a''', '''path-regex-b''']
repos = [ '''repo-regex-a''', '''repo-regex-b''']
New config format (v6):
[[rules]]
description = "a string describing one of many rules in this config"
regex = '''one-go-style-regex-for-this-rule'''
file = '''a-file-name-regex''' # this changed!
path = '''a-file-path-regex''' # this changed!
tags = ["tag","another tag"]
  [[rules.entropies]] # note these are strings, not floats
  Min = "3.5"
  Max = "4.5"
  Group = "1"
  [rules.allowlist] # this changed! No longer an array of tables. It's just a table.
  description = "a string"
  files = ['''one-file-name-regex'''] # this changed!
  paths = ['''one-file-path-regex'''] # this changed!
  regexes = ['''one-regex-within-the-already-matched-regex'''] # this changed!
[allowlist]
description = "a description string for a global allowlist config"
commits = [ "commit-A", "commit-B"]
files = [ '''file-regex-a''', '''file-regex-b''']
paths = [ '''path-regex-a''', '''path-regex-b''']
repos = [ '''repo-regex-a''', '''repo-regex-b''']
regexes = ['''one-regex-within-the-already-matched-regex'''] # this added!
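As an added example (not Gitleaks' own code), the following Python re-implements the v6 rule and allowlist semantics shown above: the sample AWS rule, the global file and regex allowlists, and the string-valued entropy bounds on a capture group, run over the gitleaks:allow example lines as constructed input. The TOML is mirrored as Python structures rather than parsed, so the behaviour it demonstrates is this block's reading of the format, not the scanner itself.

```python
"""Added example, not Gitleaks' own code: a minimal model of the v6 rule and
allowlist semantics described in the release note, run over constructed lines."""
import math
import re

# The sample rule and global allowlist from the release note, as Python
# structures instead of TOML so the block runs without a TOML parser.
AWS_RULE = {
    "description": "AWS Manager ID",
    "regex": re.compile(r"(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"),
    "tags": ["key", "AWS"],
    # [[rules.entropies]] entries look like {"Min": "3.5", "Max": "4.5", "Group": "1"}
    "entropies": [],
}
GLOBAL_ALLOWLIST = {
    "files": [re.compile(p) for p in (
        r"(.*?)(jpg|gif)$", r"(.*?)(doc|pdf|bin)$", r"(.*?)(gitleaks.toml)$")],
    "regexes": [re.compile(r"(.*?)gitleaks:allow")],
}


def shannon_entropy(s: str) -> float:
    """Bits per character; the quantity the Min/Max entropy bounds apply to."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def scan_line(path: str, line: str, rule=AWS_RULE, allowlist=GLOBAL_ALLOWLIST):
    """Return a leak record for `line`, or None when the rule does not fire
    or an allowlist entry suppresses the finding."""
    # Global file allowlist: images, binaries and the config itself are skipped.
    if any(r.search(path) for r in allowlist["files"]):
        return None
    m = rule["regex"].search(line)
    if not m:
        return None
    # Entropy bounds are strings in the TOML and apply to one capture group.
    for e in rule["entropies"]:
        ent = shannon_entropy(m.group(int(e["Group"])))
        if not float(e["Min"]) <= ent <= float(e["Max"]):
            return None
    # The global regex allowlist is matched against the whole line, which is
    # why a trailing '#gitleaks:allow' comment suppresses a matching key.
    if any(r.search(line) for r in allowlist["regexes"]):
        return None
    return {"file": path, "offender": m.group(0), "rule": rule["description"], "tags": rule["tags"]}
```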
Published by zricethezav about 4 years ago
Renamed whitelist to allowlist. This is a breaking change; v5.0.0 custom configs will need to be updated.
--include-deletion option.
Patches were being generated with currentCommit.Patch(parent) rather than the correct parent.Patch(currentCommit). This had the side effect of sometimes reporting the wrong commit. In v5.0.0 this has been fixed.
Published by zricethezav over 4 years ago
Published by zricethezav over 4 years ago
--commit-since=  Audit commits more recent than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format. https://github.com/zricethezav/gitleaks/pull/385
--commit-until=  Audit commits older than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format. https://github.com/zricethezav/gitleaks/pull/385
Shoutout to @steeve85 for the PR.
Published by zricethezav over 4 years ago
[[rules]]
description = "AWS Manager ID"
regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
tags = ["key", "AWS"]
[whitelist]
description = "whitelist repo"
repos = [
  '''test_repo_1'''
]
Updated go-git and go-github versions.