gitleaks

Protect and discover secrets using Gitleaks 🔑

MIT License

gitleaks - v8.2.2

Published by zricethezav almost 3 years ago

Changelog

36779df stricter ionic regex for less fps (#757)
3d3d801 fixing eof location bug (#756)
0f2ffee Adding Tines sponsorship to readme
f4d37a2 fix regexp for aws_key and slack_webhook (#754)

Big thanks to @tines for sponsoring me! If you would like your badge and call-to-action in the Sponsorships section, check out https://github.com/sponsors/zricethezav!

Big thanks to @w0rmr1d3r for helping me maintain gitleaks over the summer while I was moving

gitleaks - v8.2.1

Published by zricethezav almost 3 years ago

Changelog

631d8dc bump go-gitdiff
192b962 do not fail on git rename warning (#750)
b814171 add pre-commit instructions (#749)

gitleaks - v8.2.0

Published by zricethezav almost 3 years ago

Changelog

3fedf6f remove writing default config (#746)
3fedf6f introduce GITLEAKS_CONFIG (#746)

  -c, --config string          config file path
                               order of precedence:
                               1. --config/-c
                               2. env var GITLEAKS_CONFIG
                               3. (--source/-s)/.gitleaks.toml
                               If none of the three options are used, then gitleaks will use the default config

gitleaks - v8.1.3

Published by zricethezav almost 3 years ago

Changelog

6f6ebd4 fix off by one line number for --no-git
6f6ebd4 more arch/os support in releases

gitleaks - v8.1.2

Published by zricethezav almost 3 years ago

Changelog

ce42947 fix de-duplication issue (#742)

gitleaks - v8.1.1

Published by zricethezav almost 3 years ago

Changelog

84e285e ignore all gitleaks.tomls by default
928c6a6 Update pre-commit step to run gitleaks checks (#729)
106897f fix: format dates in log in a portable way (#735)

gitleaks - v8.1.0

Published by zricethezav almost 3 years ago

Changelog

(#734) This is the first big change since the release of v8.0.0, which I think has gone well? Anyway, this release (v8.1.0) introduces the following changes:

  • Deduplicate generic secret findings in reports (provider-specific rules take precedence)
  • Add secretGroup to extract the actual secrets from the rules.
  • Removes entropyGroup, so yes you probably will have to update your config again
  • Renames Context to Match in reports
  • Added a bunch of ids to the default config (probably should make this a required field but that can wait)

More on:

  • Add secretGroup to extract the actual secrets from the rules.

Let's take the discord example in the default config:
discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"

The discord client secret rule, with secretGroup added, will extract 8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ as the secret since ([a-z0-9=_\-]{32}) is regex group 3:

[[rules]]
id = "discord-client-secret"
description = "Discord client secret"
regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]'''
secretGroup = 3

And the resulting report finding for this example secret would look something like:

 {
  "Description": "Discord client secret",
  "StartLine": 225,
  "EndLine": 225,
  "StartColumn": 2,
  "EndColumn": 59,
  "Match": "discord_client_secret = \"8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ\"",
  "Secret": "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ",
  "File": "README.md",
  "Commit": "f0b8d26c9988af725132c100dda5051586a3026e",
...
  "RuleID": "discord-client-secret"
 },

And a note on deduping/generic secrets (from the readme):

Let's continue with the example discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ".
This secret would match both the discord-client-secret rule and the generic-api-key rule in the default config.

[[rules]]
id = "discord-client-secret"
description = "Discord client secret"
regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]'''
secretGroup = 3

[[rules]]
id = "generic-api-key"
description = "Generic API Key"
regex = '''(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]'''
entropy = 3.7
secretGroup = 4

If gitleaks encountered discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ", only the discord rule would report a finding, because the generic rule's id contains the string generic. Whenever a generic and a non-generic rule discover the same secret, the non-generic rule takes precedence and the generic finding is dropped.
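The secretGroup extraction and the generic-versus-specific deduplication described in the two passages above, modelled in Go as an added example. This is not gitleaks' own detector code (the real implementation is structured differently); it reuses the two rules quoted above verbatim, takes the secret from the rule's secretGroup, applies the generic rule's entropy floor, and then drops the generic finding when a non-generic rule reported the same secret. The Rule and Finding types, the ShannonEntropy, Detect and Dedupe functions, and the three sample lines are all constructed for this example.

```go
// Added example, not gitleaks source: models secretGroup extraction, the entropy
// floor, and generic-rule deduplication as described for v8.1.0.
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Rule holds the [[rules]] fields this example uses.
type Rule struct {
	ID          string
	Regex       *regexp.Regexp
	SecretGroup int     // capture group holding the secret; 0 = whole match
	Entropy     float64 // minimum Shannon entropy of the secret; 0 = no check
}

// Finding is the subset of gitleaks' report fields produced here.
type Finding struct {
	RuleID, Match, Secret  string
	StartColumn, EndColumn int // 1-based, inclusive
}

// The two rules quoted above, as in the v8.1.0 default config.
var rules = []Rule{
	{ID: "discord-client-secret", SecretGroup: 3,
		Regex: regexp.MustCompile(`(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]`)},
	{ID: "generic-api-key", SecretGroup: 4, Entropy: 3.7,
		Regex: regexp.MustCompile(`(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]`)},
}

// ShannonEntropy returns bits per character, the value a rule's entropy key is compared against.
func ShannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n, h := float64(len([]rune(s))), 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Detect runs every rule over one line and returns the raw findings, before deduplication.
func Detect(line string, rules []Rule) []Finding {
	var out []Finding
	for _, r := range rules {
		loc := r.Regex.FindStringSubmatchIndex(line)
		if loc == nil {
			continue
		}
		secret := line[loc[0]:loc[1]] // whole match unless secretGroup names a group
		if g := 2 * r.SecretGroup; g > 0 && g+1 < len(loc) && loc[g] >= 0 {
			secret = line[loc[g]:loc[g+1]]
		}
		if r.Entropy > 0 && ShannonEntropy(secret) < r.Entropy {
			continue // low-entropy value such as a placeholder password
		}
		out = append(out, Finding{RuleID: r.ID, Match: line[loc[0]:loc[1]], Secret: secret,
			StartColumn: loc[0] + 1, EndColumn: loc[1]})
	}
	return out
}

// Dedupe drops a finding from a rule whose id contains "generic" when a non-generic rule reported the same secret.
func Dedupe(findings []Finding) []Finding {
	specific := map[string]bool{}
	for _, f := range findings {
		if !strings.Contains(f.RuleID, "generic") {
			specific[f.Secret] = true
		}
	}
	var out []Finding
	for _, f := range findings {
		if strings.Contains(f.RuleID, "generic") && specific[f.Secret] {
			continue
		}
		out = append(out, f)
	}
	return out
}

func main() {
	// Constructed sample lines (not real credentials).
	for _, line := range []string{
		`discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"`, // both rules match
		`api_key = "abcdefghijklmnop"`, // generic rule only
		`password = "aaaaaaaaaaaa"`,    // generic matches, but entropy 0 < 3.7
	} {
		for _, f := range Dedupe(Detect(line, rules)) {
			fmt.Printf("%-22s secret=%q cols=%d-%d\n", f.RuleID, f.Secret, f.StartColumn, f.EndColumn)
		}
	}
}
```

Running it reports the discord line once, under discord-client-secret, because both rules extract the identical 32-character secret and the generic finding is discarded; the api_key line survives only through the generic rule; and the all-"a" password never reaches the report because its entropy is below the rule's 3.7 floor. Dedupe keys on the extracted Secret, which is why secretGroup matters: without it the two rules' whole-match strings would differ and nothing would be deduplicated.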

gitleaks - v8.0.7

Published by zricethezav almost 3 years ago

Changelog

089639e bump go-gitdiff, fixes https://github.com/zricethezav/gitleaks/issues/724 (#731)

gitleaks - v8.0.6

Published by zricethezav almost 3 years ago

Changelog

9ae1def Little timing hack to avoid scans prematurely finishing when git errors are present (#726)

gitleaks - v8.0.5

Published by zricethezav almost 3 years ago

Changelog

5e51da6 use exit code 126 on 'unknown-flag' errors (#723)
1724591 remove generic api key from default gitleaks config (#719)

gitleaks - v8.0.4

Published by zricethezav almost 3 years ago

Changelog

80d2976 add global regex check (#717) @emmahsax
f498b1d Commit debug log (#716) @JoostVoskuil
8eabfd6 Update sarif.go (#713) @JoostVoskuil

gitleaks - v8.0.3

Published by zricethezav almost 3 years ago

Changelog

4acd7a3 adding logic to ignore gitleaks config during scans (#710) -- Fixes https://github.com/zricethezav/gitleaks/issues/708, thanks @adamdecaf for discovering this bug

gitleaks - v8.0.2

Published by zricethezav almost 3 years ago

Changelog

a37822d remove --show-pulls from git log

gitleaks - v8.0.1

Published by zricethezav almost 3 years ago

Changelog

1c6b28a remove --simplify-merge from git log (#707)

gitleaks - v8.0.0

Published by zricethezav almost 3 years ago

Gitleaks v8.0.0 introduces some breaking changes and feature removals. My vision for gitleaks is for the project to follow the unix philosophy -- do one thing and one thing well. That one thing is detecting secrets efficiently.

Sorry if this causes any inconveniences. You can always fork older versions of Gitleaks.

What's changed

  • Swapped go-git for shelling out git log -p and git diff commands when scanning/protecting git repos
    • See comparison metrics/chart 🌎 🍃
    • Memory Usage from running gitleaks on the gitleaks repo: 54MB -> 8.5MB
    • Simplified call stack
    • Faster scans
  • ghcr support
  • Added detect, protect, help, and version commands to reduce number of options
  • Support for multiline regular expressions in rules
  • Added StartLine, EndLine, StartColumn, EndColumn to report findings
  • Added RuleID to report findings
  • CLI powered by spf13/cobra
  • Removed repo-config support
    • This can be scripted
  • Default config path added (--source/-s)/.gitleaks.toml, see usage for more details
  • Removed cloning support
    • I do not want gitleaks to be responsible for cloning repositories
  • Removed files at commit support
    • This can be accomplished by git checkout
  • Removed all commit options
    • All commit options can be supported by the --log-opts argument. --log-opts accepts any git log options.
  • All log messages sent to stderr
  • Finding output (enabled with -v/--verbose) sent to stdout.
    • This can be paired with jq to do additional filtering
  • Added 60+ rules to best maintain parity with https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning#about-secret-scanning-for-private-repositories
  • Updated Config

If you find any bugs or issues related to this release please open an issue or PR with the tag v8.

If Gitleaks has brought you commercial success please consider supporting me via Github sponsors, like Typeform. Typeform recently donated $1000 and wrote a very nice blog post about preventing secret leaks at scale.

gitleaks - v7.6.1

Published by zricethezav about 3 years ago

What's New

  • Reorganizing tests to make it easier to test specific features

What's fixed

  • Object not found error would halt scan, see related gitlab issue #633
  • (git-symlink-new-repo): fix handling symbolic links in new git repo #621

gitleaks - v7.6.0

Published by zricethezav about 3 years ago

What's New

What's Fixed

gitleaks - v7.5.0

Published by zricethezav over 3 years ago

What's new

gitleaks - v7.4.1

Published by zricethezav over 3 years ago

What's fixed

gitleaks - v7.4.0

Published by zricethezav over 3 years ago

What's New

[[rules]]
    description = "Github Personal Access Token"
    regex = '''ghp_[0-9a-zA-Z]{36}'''
    tags = ["key", "Github"]
[[rules]]
    description = "Github OAuth Access Token"
    regex = '''gho_[0-9a-zA-Z]{36}'''
    tags = ["key", "Github"]
[[rules]]
    description = "Github App Token"
    regex = '''(ghu|ghs)_[0-9a-zA-Z]{36}'''
    tags = ["key", "Github"]
[[rules]]
    description = "Github Refresh Token"
    regex = '''ghr_[0-9a-zA-Z]{76}'''
    tags = ["key", "Github"]
  • Added a PyPI rule
[[rules]]
    description = "PyPI upload token"
    regex = '''pypi-AgEIcHlwaS5vcmc[A-Za-z0-9-_]{50,1000}'''
    tags = ["key", "pypi"]