chore(deps): update pre-commit hook zricethezav/gitleaks to v8.16.0 - autoclosed
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
zricethezav/gitleaks | repository | minor |
v8.15.3 -> v8.16.0
|
Note: The pre-commit
manager in Renovate is not supported by the pre-commit
maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.
Release Notes
zricethezav/gitleaks
v8.16.0
Changelog
Allowlist Regex Targets
Let's use the generic rule to demonstrate the new regexTarget
allowlist option
[[rules]]
description = "Generic API Key"
id = "generic-api-key"
regex = '''(?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-z\-_.=]{10,150})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
secretGroup = 1
entropy = 3.5
keywords = [
"key","api","token","secret","client","passwd","password","auth","access",
]
example.txt
will be our target and contain a single line with a fake secret:
var discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ'
Running gitleaks on this file using the generic rule will return one finding:
gitleaks detect --source=example.txt --no-git -v --config=example.toml
○
│╲
│ ○
○ ░
░ gitleaks
Finding: discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ'
Secret: 8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ
RuleID: generic-api-key
Entropy: 4.413910
File: example.txt
Line: 1
Fingerprint: example.txt:generic-api-key:1
We can add a allowlist regexes
entry to include part of the secret. This will cause gitleaks to ignore the finding above.
Note that by default gitleaks uses the Secret to compare against allowlist regexes.
Adding the following allowlist to the generic rule will cause gitleaks to ignore the finding:
[rules.allowlist]
regexes = ["vV"]
But now say you don't want to use Secret
to compare against your allowlist regexes. Well, now you can use regexTarget
and set the value as either line
or match
to compare against the line or regex match:
[rules.allowlist]
regexTarget = "match"
regexes = ["discord"]
and
[rules.allowlist]
regexTarget = "line"
regexes = ["var"]
will both result in the finding being ignored because discord
is found in the generic rule regex match and var
is in the line where the finding was found.
In addition to rule allowlists, you can set regexTarget
in the global allowlist:
[allowlist]
regexTarget = "line"
regexes = ["var"]
Thanks @bplaxco for the review
v8.15.4
Changelog
-
343e693
ignore package-lock.json (#1076) -
0060ab6
Fix typos in README.md and CONTRIBUTING.md (#1090) -
0259088
fix: ignore baseline if path was not relative in source (#1101) -
088f8b8
Fix H in GitHub and update pre-commit rev tag in README (#1087)
Shouts outs to @sandyydk @raffis @lawndoc @sadikkuzu
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.