Protect and discover secrets using Gitleaks 🔑
MIT License
Published by zricethezav almost 3 years ago
36779df stricter ionic regex for less fps (#757)
3d3d801 fixing eof location bug (#756)
0f2ffee Adding Tines sponsorship to readme
f4d37a2 fix regexp for aws_key and slack_webhook (#754)
Big thanks to @tines for sponsoring me! If you would like your badge and call-to-action in the Sponsorships section, check out https://github.com/sponsors/zricethezav!
Big thanks to @w0rmr1d3r for helping me maintain gitleaks over the summer while I was moving
Published by zricethezav almost 3 years ago
631d8dc bump go-gitdiff
192b962 do not fail on git rename warning (#750)
b814171 add pre-commit instructions (#749)
Published by zricethezav almost 3 years ago
3fedf6f remove writing default config (#746)
3fedf6f introduce GITLEAKS_CONFIG (#746)
-c, --config string config file path
order of precedence:
1. --config/-c
2. env var GITLEAKS_CONFIG
3. (--source/-s)/.gitleaks.toml
If none of the three options is used, gitleaks will use the default config.
Published by zricethezav almost 3 years ago
6f6ebd4 fix off by one line number for --no-git
6f6ebd4 more arch/os support in releases
Published by zricethezav almost 3 years ago
ce42947 fix de-duplication issue (#742)
Published by zricethezav almost 3 years ago
84e285e ignore all gitleaks.tomls by default
928c6a6 Update pre-commit step to run gitleaks checks (#729)
106897f fix: format dates in log in a portable way (#735)
Published by zricethezav almost 3 years ago
(#734) This is the first big change since the release of v8.0.0 which I think has gone well? Anyways this release (v8.1.0) introduces the following changes:
- Add secretGroup to extract the actual secrets from the rules.
- Remove entropyGroup, so yes you probably will have to update your config again
- Rename Context to Match in reports
- Add ids to the default config (probably should make this a required field but that can wait)
More on secretGroup:
Let's take the discord example in the default config:
discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"
The discord client secret rule, with secretGroup added, will extract 8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ as the secret since ([a-z0-9=_\-]{32}) is regex group 3:
[[rules]]
id = "discord-client-secret"
description = "Discord client secret"
regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]'''
secretGroup = 3
And the resulting report finding for this example secret would look something like:
{
"Description": "Discord client secret",
"StartLine": 225,
"EndLine": 225,
"StartColumn": 2,
"EndColumn": 59,
"Match": "discord_client_secret = \"8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ\"",
"Secret": "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ",
"File": "README.md",
"Commit": "f0b8d26c9988af725132c100dda5051586a3026e",
...
"RuleID": "discord-client-secret"
},
And a note on deduping/generic secrets (from the readme):
Let's continue with the example discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ". This secret would match both the discord-client-secret rule and the generic-api-key rule in the default config.
[[rules]]
id = "discord-client-secret"
description = "Discord client secret"
regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]'''
secretGroup = 3
[[rules]]
id = "generic-api-key"
description = "Generic API Key"
regex = '''(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]'''
entropy = 3.7
secretGroup = 4
If gitleaks encountered discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ", only the discord rule would report a finding because the generic rule has the string generic somewhere in the rule's id. If a secret is encountered and both a generic and non-generic rule have discovered the same secret, the non-generic will be given precedence.
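As an added example (not code from the gitleaks project), the following small Python scanner applies the two rules quoted above exactly as the notes describe them: the secret is taken from the regex group named by secretGroup, the generic rule's entropy field is treated as a minimum Shannon entropy (in bits per character) of the extracted secret, and when a rule whose id contains "generic" and a specific rule report the same secret on the same line, only the specific finding survives. The Rule and Finding classes, the scan_text and dedupe helpers, and the sample input are this example's own assumptions; gitleaks' internal entropy calculation and report layout are not reproduced here.

```python
import math
import re
from dataclasses import dataclass
from typing import List, Optional


# Rule and Finding mirror the fields the release notes talk about; the class
# names themselves belong to this example, not to gitleaks.
@dataclass(frozen=True)
class Rule:
    id: str
    description: str
    regex: str
    secret_group: int = 0            # 0 = whole match, as when secretGroup is absent
    entropy: Optional[float] = None  # minimum Shannon entropy of the extracted secret


@dataclass(frozen=True)
class Finding:
    line: int
    rule_id: str
    match: str
    secret: str
    entropy: float


# The two rules quoted on the page, copied from its TOML into Python raw strings.
RULES = [
    Rule(
        id="discord-client-secret",
        description="Discord client secret",
        regex=r'''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]''',
        secret_group=3,
    ),
    Rule(
        id="generic-api-key",
        description="Generic API Key",
        regex=r'''(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]''',
        secret_group=4,
        entropy=3.7,
    ),
]


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character: the usual 'does this look random' filter."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line_no: int, line: str, rules=RULES) -> List[Finding]:
    """Apply every rule to one line, extract the secret group, enforce the entropy floor."""
    findings = []
    for rule in rules:
        for m in re.finditer(rule.regex, line):
            secret = m.group(rule.secret_group)
            ent = shannon_entropy(secret)
            if rule.entropy is not None and ent < rule.entropy:
                continue  # low-entropy placeholder such as "aaaaaaaa": not reported
            findings.append(Finding(line_no, rule.id, m.group(0), secret, ent))
    return findings


def dedupe(findings: List[Finding]) -> List[Finding]:
    """Non-generic precedence: if the same secret on the same line was found by a rule
    whose id contains 'generic' and by a specific rule, keep only the specific one."""
    groups = {}
    for f in findings:
        groups.setdefault((f.line, f.secret), []).append(f)
    kept = []
    for group in groups.values():
        specific = [f for f in group if "generic" not in f.rule_id]
        kept.extend(specific or group)
    return kept


def scan_text(text: str, rules=RULES) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line_no, line, rules))
    return dedupe(findings)


# Constructed sample input (not a real file): the page's discord secret, a
# high-entropy value only the generic rule covers, a low-entropy placeholder
# the entropy floor should drop, and a line with no credential at all.
SAMPLE = '''discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"
api_token = "Xk93mQ2pLz7vR4tB"
password = "aaaaaaaaaaaa"
name = "gitleaks"
'''

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.rule_id} secret={f.secret} entropy={f.entropy:.2f}")
```

Running it on the sample reports the discord secret once, under discord-client-secret only, even though the generic rule also matched it; the api_token line is reported by the generic rule alone, and the all-"a" password never reaches the report because its entropy is 0.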
Published by zricethezav almost 3 years ago
089639e bump go-gitdiff, fixes https://github.com/zricethezav/gitleaks/issues/724 (#731)
Published by zricethezav almost 3 years ago
9ae1def Little timing hack to avoid scans prematurely finishing when git errors are present (#726)
Published by zricethezav almost 3 years ago
5e51da6 use exit code 126 on 'unknown-flag' errors (#723)
1724591 remove generic api key from default gitleaks config (#719)
Published by zricethezav almost 3 years ago
80d2976 add global regex check (#717) @emmahsax
f498b1d Commit debug log (#716) @JoostVoskuil
8eabfd6 Update sarif.go (#713) @JoostVoskuil
Published by zricethezav almost 3 years ago
4acd7a3 adding logic to ignore gitleaks config during scans (#710) -- Fixes https://github.com/zricethezav/gitleaks/issues/708, thanks @adamdecaf for discovering this bug
Published by zricethezav almost 3 years ago
a37822d remove --show-pulls from git log
Published by zricethezav almost 3 years ago
1c6b28a remove --simplify-merge from git log (#707)
Published by zricethezav almost 3 years ago
Gitleaks v8.0.0 introduces some breaking changes and feature removals. My vision for gitleaks is for the project to follow the unix philosophy -- do one thing and one thing well. That one thing is detecting secrets efficiently.
Sorry if this causes any inconveniences. You can always fork older versions of Gitleaks.
- Dropped go-git in favour of shelling out to git log -p and git diff commands when scanning/protecting git repos
- Pared the CLI down to the detect, protect, help, and version commands to reduce the number of options
- Added StartLine, EndLine, StartColumn, EndColumn to report findings
- Added RuleID to report findings
- Moved to spf13/cobra
- Removed repo-config support; (--source/-s)/.gitleaks.toml is picked up instead, see usage for more details
- Removed files at commit support
- Removed the git checkout commit options
- Added the --log-opts argument. --log-opts accepts any git log options.
- Removed verbose output (-v/--verbose) sent to stdout. Use jq to do additional filtering.
If you find any bugs or issues related to this release please open an issue or PR with the tag v8.
If Gitleaks has brought you commercial success please consider supporting me via Github sponsors, like Typeform. Typeform recently donated $1000 and wrote a very nice blog post about preventing secret leaks at scale.
Published by zricethezav about 3 years ago
Published by zricethezav about 3 years ago
- Use the embed pkg to load the default gitleaks config https://github.com/zricethezav/gitleaks/pull/616
- Run as a gitleaks user instead of root in the Dockerfile https://github.com/zricethezav/gitleaks/pull/615 credit: @derekmurawsky
- Add ruleid to the sarif report https://github.com/zricethezav/gitleaks/pull/613 credit: @rotem-cider
Published by zricethezav over 3 years ago
- Add offenderEntropy in the report https://github.com/zricethezav/gitleaks/pull/549 ty @bplaxco
Published by zricethezav over 3 years ago
Published by zricethezav over 3 years ago
[[rules]]
description = "Github Personal Access Token"
regex = '''ghp_[0-9a-zA-Z]{36}'''
tags = ["key", "Github"]
[[rules]]
description = "Github OAuth Access Token"
regex = '''gho_[0-9a-zA-Z]{36}'''
tags = ["key", "Github"]
[[rules]]
description = "Github App Token"
regex = '''(ghu|ghs)_[0-9a-zA-Z]{36}'''
tags = ["key", "Github"]
[[rules]]
description = "Github Refresh Token"
regex = '''ghr_[0-9a-zA-Z]{76}'''
tags = ["key", "Github"]
[[rules]]
description = "PyPI upload token"
regex = '''pypi-AgEIcHlwaS5vcmc[A-Za-z0-9-_]{50,1000}'''
tags = ["key", "pypi"]