Protect and discover secrets using Gitleaks 🔑
MIT License
Shout out to @coderabbit for their sponsorship!
Published by zricethezav 5 months ago
Published by zricethezav 9 months ago
(#1297) Published by zricethezav 11 months ago
(#1283) Published by zricethezav about 1 year ago
Full Changelog: https://github.com/gitleaks/gitleaks/compare/v8.17.0...v8.18.0
Published by zricethezav over 1 year ago
REDACTED to stopwords for generic-api-key rule by @9999years in https://github.com/gitleaks/gitleaks/pull/1188
.gitleaksignore fingerprint lacks SHA by @rgmz in https://github.com/gitleaks/gitleaks/pull/1156
--log-opts values by @rgmz in https://github.com/gitleaks/gitleaks/pull/1160
Full Changelog: https://github.com/gitleaks/gitleaks/compare/v8.16.4...v8.17.0
Published by zricethezav over 1 year ago
Published by zricethezav over 1 year ago
Huuuuuge thank you to all the contributors especially @rgmz
@edwardwang888 @wparad @sadikkuzu @RafaelFigueiredo @fgreinacher @jasikpark @sergiomarotco
Published by zricethezav over 1 year ago
Thanks to @americanair for sponsoring this open source project!
Thanks to all the contributors this release: @fgreinacher @wparad @RafaelFigueiredo @sergiomarotco @jasikpark
Published by zricethezav over 1 year ago
Published by zricethezav over 1 year ago
Let's use the generic rule to demonstrate the new regexTarget allowlist option:
[[rules]]
description = "Generic API Key"
id = "generic-api-key"
regex = '''(?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-z\-_.=]{10,150})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
secretGroup = 1
entropy = 3.5
keywords = [
"key","api","token","secret","client","passwd","password","auth","access",
]
example.txt will be our target and contains a single line with a fake secret:
var discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ'
Running gitleaks on this file using the generic rule will return one finding:
gitleaks detect --source=example.txt --no-git -v --config=example.toml
○
│╲
│ ○
○ ░
░ gitleaks
Finding: discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ'
Secret: 8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ
RuleID: generic-api-key
Entropy: 4.413910
File: example.txt
Line: 1
Fingerprint: example.txt:generic-api-key:1
We can add an allowlist regexes entry whose pattern matches part of the secret. This will cause gitleaks to ignore the finding above.
Note that by default gitleaks uses the Secret to compare against allowlist regexes.
Adding the following allowlist to the generic rule will cause gitleaks to ignore the finding:
[rules.allowlist]
regexes = ["vV"]
But now say you don't want to use Secret to compare against your allowlist regexes. Well, now you can use regexTarget and set the value to either line or match to compare against the line or the regex match:
[rules.allowlist]
regexTarget = "match"
regexes = ["discord"]
and
[rules.allowlist]
regexTarget = "line"
regexes = ["var"]
will both result in the finding being ignored, because discord is found in the generic rule regex match and var is in the line where the finding was found.
In addition to rule allowlists, you can set regexTarget in the global allowlist:
[allowlist]
regexTarget = "line"
regexes = ["var"]
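As an added illustration (this is not code from the gitleaks project or from this release note), the following Go program models what the three regexTarget values change: which string the allowlist regexes are tested against. It applies the generic rule regex above to the example line, takes the secret from capture group 1 (secretGroup = 1), checks the 3.5 entropy threshold (the Shannon entropy it computes reproduces the 4.413910 shown in the output above), and then evaluates allowlists with regexTarget set to secret, match and line. The Rule, Finding, Allowlist, Detect and ShannonEntropy names are this example's own; the keywords pre-filter and the merging of rule and global allowlists are left out.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
)

// Rule is a reduced model (this example's own type) of a gitleaks rule:
// the regex, the capture group holding the secret and the entropy threshold.
type Rule struct {
	ID          string
	Regex       *regexp.Regexp
	SecretGroup int
	Entropy     float64
}

// Finding carries the three strings an allowlist regex can be tested against.
type Finding struct {
	RuleID  string
	Line    string  // whole line the finding came from (regexTarget = "line")
	Match   string  // text matched by the rule regex   (regexTarget = "match")
	Secret  string  // capture group SecretGroup        (regexTarget = "secret", the default)
	Entropy float64 // Shannon entropy of Secret in bits per character
}

// Allowlist models [rules.allowlist] / [allowlist] with the regexTarget option.
type Allowlist struct {
	RegexTarget string // "secret", "match" or "line"; empty behaves as "secret"
	Regexes     []*regexp.Regexp
}

// genericRule is the generic-api-key rule from the release note, verbatim.
var genericRule = Rule{
	ID:          "generic-api-key",
	Regex:       regexp.MustCompile(`(?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-z\-_.=]{10,150})(?:['|\"|\n|\r|\s|\x60|;]|$)`),
	SecretGroup: 1,
	Entropy:     3.5,
}

// ShannonEntropy returns the entropy of s in bits per character; a rule's
// entropy setting is a lower bound on this value for the extracted secret.
func ShannonEntropy(s string) float64 {
	runes := []rune(s)
	if len(runes) == 0 {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range runes {
		counts[r]++
	}
	n := float64(len(runes))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Detect runs one rule over one line. It returns false when the regex does
// not match or when the secret falls below the rule's entropy threshold.
func Detect(r Rule, line string) (Finding, bool) {
	idx := r.Regex.FindStringSubmatchIndex(line)
	if idx == nil {
		return Finding{}, false
	}
	match := line[idx[0]:idx[1]]
	secret := match // secretGroup = 0 means the whole match is the secret
	if g := 2 * r.SecretGroup; r.SecretGroup > 0 && g+1 < len(idx) && idx[g] >= 0 {
		secret = line[idx[g]:idx[g+1]]
	}
	h := ShannonEntropy(secret)
	if h < r.Entropy {
		return Finding{}, false
	}
	return Finding{RuleID: r.ID, Line: line, Match: match, Secret: secret, Entropy: h}, true
}

// Ignores reports whether any allowlist regex matches the string selected
// by RegexTarget, i.e. whether the finding would be dropped.
func (a Allowlist) Ignores(f Finding) bool {
	target := f.Secret
	switch a.RegexTarget {
	case "match":
		target = f.Match
	case "line":
		target = f.Line
	}
	for _, re := range a.Regexes {
		if re.MatchString(target) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed input: the single line from example.txt in the release note.
	line := "var discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ'"
	f, ok := Detect(genericRule, line)
	fmt.Printf("finding=%v secret=%s entropy=%.6f\n", ok, f.Secret, f.Entropy)
	for _, a := range []Allowlist{
		{RegexTarget: "secret", Regexes: []*regexp.Regexp{regexp.MustCompile("vV")}},
		{RegexTarget: "match", Regexes: []*regexp.Regexp{regexp.MustCompile("var")}},
		{RegexTarget: "line", Regexes: []*regexp.Regexp{regexp.MustCompile("var")}},
	} {
		fmt.Printf("regexTarget=%-6s regex=%s ignored=%v\n", a.RegexTarget, a.Regexes[0], a.Ignores(f))
	}
}
```

The third allowlist in main is the one the release note shows; the second shows the other side of the option: with regexTarget = "match" the pattern var does not suppress the finding, because var sits in the line outside the text the rule regex matched, while with regexTarget = "line" it does. Pick the target that is narrowest for the exception you need so the allowlist cannot silence unrelated findings on the same line.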
Thanks @bplaxco for the review
Published by zricethezav over 1 year ago
Shout-outs to @sandyydk @raffis @lawndoc @sadikkuzu
Published by zricethezav over 1 year ago
Published by zricethezav almost 2 years ago
Published by zricethezav almost 2 years ago
bumping deps
Published by zricethezav almost 2 years ago
Actually publish this test
Published by zricethezav almost 2 years ago
This release is a pre-release test for adding additional labels to the docker image
Published by zricethezav almost 2 years ago
Published by zricethezav about 2 years ago
Thanks @RickyGrassmuck @sergiomarotco
Try --pipe with anything...
git log -p | gitleaks detect --pipe
gitleaks --source . --no-git --follow-symlinks
Published by zricethezav about 2 years ago