From 4b5e8e1829465f633334a914d05c903f537119d8 Mon Sep 17 00:00:00 2001
From: Zachary Rice
Date: Sun, 26 Feb 2023 08:51:59 -0600
Subject: [PATCH] Feat/allowlist regex target (#1107)

* adding regexTarget entry in allowlist
* update readme
* add globalregextarget to check
* update readme
---
 README.md           | 10 ++++++++++
 config/allowlist.go |  3 +++
 config/config.go    | 36 ++++++++++++++++++++----------------
 detect/detect.go    | 21 ++++++++++++++++++---
 4 files changed, 51 insertions(+), 19 deletions(-)

diff --git a/README.md b/README.md
index 0e9b70a8c..3e160c65e 100644
--- a/README.md
+++ b/README.md
@@ -335,6 +335,10 @@ paths = [
   '''go\.mod''',
   '''go\.sum'''
 ]
+# note: (rule) regexTarget defaults to check the _Secret_ in the finding.
+# if regexTarget is not specified then _Secret_ will be used.
+# Acceptable values for regexTarget are "match" and "line"
+regexTarget = "match"
 regexes = [
   '''process''',
   '''getenv''',
@@ -357,6 +361,12 @@ paths = [
   '''gitleaks\.toml''',
   '''(.*?)(jpg|gif|doc)'''
 ]
+
+# note: (global) regexTarget defaults to check the _Secret_ in the finding.
+# if regexTarget is not specified then _Secret_ will be used.
+# Acceptable values for regexTarget are "match" and "line"
+regexTarget = "match"
+
 regexes = [
   '''219-09-9999''',
   '''078-05-1120''',
diff --git a/config/allowlist.go b/config/allowlist.go
index 014286363..6716be56f 100644
--- a/config/allowlist.go
+++ b/config/allowlist.go
@@ -14,6 +14,9 @@ type Allowlist struct {
 	// Regexes is slice of content regular expressions that are allowed to be ignored.
 	Regexes []*regexp.Regexp
 
+	// RegexTarget
+	RegexTarget string
+
 	// Paths is a slice of path regular expressions that are allowed to be ignored.
 	Paths []*regexp.Regexp
 
diff --git a/config/config.go b/config/config.go
index acd887cef..a7980ecec 100644
--- a/config/config.go
+++ b/config/config.go
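Review bot: The new `RegexTarget` field in `Allowlist` carries only its own name as a comment, while the neighbouring `Regexes` and `Paths` fields say what they hold, so a reader of the struct cannot tell which values are legal or what the zero value means. I would document it as `// RegexTarget selects which part of a finding Regexes are matched against: "match" (the full rule match), "line" (the whole line), or empty/any other value for the extracted secret (the default).` The legal values and the fallback are taken from the detect.go switch in this same patch, so the comment must be kept in step if that switch changes.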
@@ -36,17 +36,19 @@ type ViperConfig struct {
 		Tags     []string
 
 		Allowlist struct {
-			Regexes   []string
-			Paths     []string
-			Commits   []string
-			StopWords []string
+			RegexTarget string
+			Regexes     []string
+			Paths       []string
+			Commits     []string
+			StopWords   []string
 		}
 	}
 	Allowlist struct {
-		Regexes   []string
-		Paths     []string
-		Commits   []string
-		StopWords []string
+		RegexTarget string
+		Regexes     []string
+		Paths       []string
+		Commits     []string
+		StopWords   []string
 	}
 }
 
@@ -122,10 +124,11 @@ func (vc *ViperConfig) Translate() (Config, error) {
 			Tags:     r.Tags,
 			Keywords: r.Keywords,
 			Allowlist: Allowlist{
-				Regexes:   allowlistRegexes,
-				Paths:     allowlistPaths,
-				Commits:   r.Allowlist.Commits,
-				StopWords: r.Allowlist.StopWords,
+				RegexTarget: r.Allowlist.RegexTarget,
+				Regexes:     allowlistRegexes,
+				Paths:       allowlistPaths,
+				Commits:     r.Allowlist.Commits,
+				StopWords:   r.Allowlist.StopWords,
 			},
 		}
 		orderedRules = append(orderedRules, r.RuleID)
@@ -148,10 +151,11 @@ func (vc *ViperConfig) Translate() (Config, error) {
 		Extend:   vc.Extend,
 		Rules:    rulesMap,
 		Allowlist: Allowlist{
-			Regexes:   allowlistRegexes,
-			Paths:     allowlistPaths,
-			Commits:   vc.Allowlist.Commits,
-			StopWords: vc.Allowlist.StopWords,
+			RegexTarget: vc.Allowlist.RegexTarget,
+			Regexes:     allowlistRegexes,
+			Paths:       allowlistPaths,
+			Commits:     vc.Allowlist.Commits,
+			StopWords:   vc.Allowlist.StopWords,
 		},
 		Keywords: keywords,
 		orderedRules: orderedRules,
diff --git a/detect/detect.go b/detect/detect.go
index 364f6d580..d27731687 100644
--- a/detect/detect.go
+++ b/detect/detect.go
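Review bot: Translate copies `r.Allowlist.RegexTarget` and `vc.Allowlist.RegexTarget` into the Config without checking them, so a typo such as `regexTarget = "Line"` is accepted and, per the detect.go switch in this patch, silently falls back to matching the secret rather than the line the user asked for. Since Translate already returns an error, I would reject unknown values at load time so a misconfigured allowlist fails loudly instead of quietly changing what gets suppressed: `if t := r.Allowlist.RegexTarget; t != "" && t != "match" && t != "line" { return Config{}, fmt.Errorf("rule %s: unknown allowlist regexTarget %q", r.RuleID, t) }` inside the rules loop, with the same check on the global allowlist before the final Config literal. Whether `fmt` is already imported in config.go is not visible in these hunks, so that import may need adding.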
@@ -284,9 +284,24 @@ func (d *Detector) detectRule(fragment Fragment, rule config.Rule) []report.Find
 			continue
 		}
 
-		// check if the secret is in the allowlist
-		if rule.Allowlist.RegexAllowed(finding.Secret) ||
-			d.Config.Allowlist.RegexAllowed(finding.Secret) {
+		// check if the regexTarget is defined in the allowlist "regexes" entry
+		allowlistTarget := finding.Secret
+		switch rule.Allowlist.RegexTarget {
+		case "match":
+			allowlistTarget = finding.Match
+		case "line":
+			allowlistTarget = finding.Line
+		}
+
+		globalAllowlistTarget := finding.Secret
+		switch d.Config.Allowlist.RegexTarget {
+		case "match":
+			globalAllowlistTarget = finding.Match
+		case "line":
+			globalAllowlistTarget = finding.Line
+		}
+		if rule.Allowlist.RegexAllowed(allowlistTarget) ||
+			d.Config.Allowlist.RegexAllowed(globalAllowlistTarget) {
 			continue
 		}
 
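Review bot: The two `switch` statements on `RegexTarget` are the same three-way mapping written twice, and both treat every unrecognised value (case variants, typos) as the secret target with no log or error, so a misconfigured allowlist quietly changes what it suppresses. Extracting the mapping into one helper removes the duplication and gives a single place to document the fallback; rejecting bad strings belongs in config.Translate, which is not in this hunk. Note also that `"line"` applies an allowlist regex to the entire line, so a pattern meant to skip a placeholder on that line will also suppress a real secret that shares the line — worth a comment beside the check, e.g. `// "line" and "match" widen the allowlist scope beyond the secret itself; prefer the default where possible`. detectRule begins and continues outside this hunk.
```go
// allowlistTarget returns the part of the finding an allowlist's Regexes are
// applied to: "match" selects the full rule match, "line" the whole line, and
// any other value (including the empty default) the extracted secret.
func allowlistTarget(f report.Finding, target string) string {
	switch target {
	case "match":
		return f.Match
	case "line":
		return f.Line
	default:
		return f.Secret
	}
}

// … unchanged: detectRule body up to the allowlist check …
		// "line" and "match" widen the allowlist scope beyond the secret itself.
		if rule.Allowlist.RegexAllowed(allowlistTarget(finding, rule.Allowlist.RegexTarget)) ||
			d.Config.Allowlist.RegexAllowed(allowlistTarget(finding, d.Config.Allowlist.RegexTarget)) {
			continue
		}
```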