Feat/allowlist regex target (gitleaks#1107)

* adding regexTarget entry in allowlist * update readme * add globalregextarget to check * update readme
AikidoSec · Feb 26, 2023 · 4b5e8e1 · 4b5e8e1
1 parent 343e693
commit 4b5e8e1
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 19 deletions.
diff --git a/README.md b/README.md
@@ -335,6 +335,10 @@ paths = [
   '''go\.mod''',
   '''go\.sum'''
 ]
+# note: (rule) regexTarget defaults to check the _Secret_ in the finding.
+# if regexTarget is not specified then _Secret_ will be used.
+# Acceptable values for regexTarget are "match" and "line"
+regexTarget = "match"
 regexes = [
   '''process''',
   '''getenv''',
@@ -357,6 +361,12 @@ paths = [
   '''gitleaks\.toml''',
   '''(.*?)(jpg|gif|doc)'''
 ]
+
+# note: (global) regexTarget defaults to check the _Secret_ in the finding.
+# if regexTarget is not specified then _Secret_ will be used.
+# Acceptable values for regexTarget are "match" and "line"
+regexTarget = "match"
+
 regexes = [
   '''219-09-9999''',
   '''078-05-1120''',

diff --git a/config/allowlist.go b/config/allowlist.go
@@ -14,6 +14,9 @@ type Allowlist struct {
 	// Regexes is slice of content regular expressions that are allowed to be ignored.
 	Regexes []*regexp.Regexp
 
+	// RegexTarget
+	RegexTarget string
+
 	// Paths is a slice of path regular expressions that are allowed to be ignored.
 	Paths []*regexp.Regexp
 

diff --git a/config/config.go b/config/config.go
@@ -36,17 +36,19 @@ type ViperConfig struct {
 		Tags        []string
 
 		Allowlist struct {
-			Regexes   []string
-			Paths     []string
-			Commits   []string
-			StopWords []string
+			RegexTarget string
+			Regexes     []string
+			Paths       []string
+			Commits     []string
+			StopWords   []string
 		}
 	}
 	Allowlist struct {
-		Regexes   []string
-		Paths     []string
-		Commits   []string
-		StopWords []string
+		RegexTarget string
+		Regexes     []string
+		Paths       []string
+		Commits     []string
+		StopWords   []string
 	}
 }
 
@@ -122,10 +124,11 @@ func (vc *ViperConfig) Translate() (Config, error) {
 			Tags:        r.Tags,
 			Keywords:    r.Keywords,
 			Allowlist: Allowlist{
-				Regexes:   allowlistRegexes,
-				Paths:     allowlistPaths,
-				Commits:   r.Allowlist.Commits,
-				StopWords: r.Allowlist.StopWords,
+				RegexTarget: r.Allowlist.RegexTarget,
+				Regexes:     allowlistRegexes,
+				Paths:       allowlistPaths,
+				Commits:     r.Allowlist.Commits,
+				StopWords:   r.Allowlist.StopWords,
 			},
 		}
 		orderedRules = append(orderedRules, r.RuleID)
@@ -148,10 +151,11 @@ func (vc *ViperConfig) Translate() (Config, error) {
 		Extend:      vc.Extend,
 		Rules:       rulesMap,
 		Allowlist: Allowlist{
-			Regexes:   allowlistRegexes,
-			Paths:     allowlistPaths,
-			Commits:   vc.Allowlist.Commits,
-			StopWords: vc.Allowlist.StopWords,
+			RegexTarget: vc.Allowlist.RegexTarget,
+			Regexes:     allowlistRegexes,
+			Paths:       allowlistPaths,
+			Commits:     vc.Allowlist.Commits,
+			StopWords:   vc.Allowlist.StopWords,
 		},
 		Keywords:     keywords,
 		orderedRules: orderedRules,

diff --git a/detect/detect.go b/detect/detect.go
@@ -284,9 +284,24 @@ func (d *Detector) detectRule(fragment Fragment, rule config.Rule) []report.Find
 			continue
 		}
 
-		// check if the secret is in the allowlist
-		if rule.Allowlist.RegexAllowed(finding.Secret) ||
-			d.Config.Allowlist.RegexAllowed(finding.Secret) {
+		// check if the regexTarget is defined in the allowlist "regexes" entry
+		allowlistTarget := finding.Secret
+		switch rule.Allowlist.RegexTarget {
+		case "match":
+			allowlistTarget = finding.Match
+		case "line":
+			allowlistTarget = finding.Line
+		}
+
+		globalAllowlistTarget := finding.Secret
+		switch d.Config.Allowlist.RegexTarget {
+		case "match":
+			globalAllowlistTarget = finding.Match
+		case "line":
+			globalAllowlistTarget = finding.Line
+		}
+		if rule.Allowlist.RegexAllowed(allowlistTarget) ||
+			d.Config.Allowlist.RegexAllowed(globalAllowlistTarget) {
 			continue
 		}