From 8be91eea5d8ce3fa586da720e25dd321f1482db6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Kowalczyk?= Date: Sun, 10 Jan 2021 15:34:31 +0100 Subject: [PATCH 01/13] Add exit code 1 on invalid usage, fixes #500 (#501) --- options/options.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/options/options.go b/options/options.go index e41423caa..02bd8ee84 100644 --- a/options/options.go +++ b/options/options.go @@ -69,7 +69,7 @@ func ParseOptions() (Options, error) { if flagsErr, ok := err.(*flags.Error); ok && flagsErr.Type != flags.ErrHelp { parser.WriteHelp(os.Stdout) } - os.Exit(0) + os.Exit(1) } if opts.Version { From c0a9580a650a82166fb01058fc4953ee53f94c94 Mon Sep 17 00:00:00 2001 From: seb-elttam <68209237+seb-elttam@users.noreply.github.com> Date: Fri, 22 Jan 2021 06:31:21 +1000 Subject: [PATCH 02/13] Fix dotgit regex again (#507) * fix dotgit regex again * Revert accidentally modified files Co-authored-by: Seb Elttam --- config/allowlist.go | 2 +- test_data/test_allow_list_docx_no_git.json | 32 +++++++++++++++++++ test_data/test_allow_list_file_no_git.json | 16 ++++++++++ test_data/test_configs/allowlist_docx.toml | 2 +- test_data/test_repos/test_repo_10/creds.git | 0 .../test_repo_10/somedir.git/secret.key | 1 + 6 files changed, 51 insertions(+), 2 deletions(-) create mode 100644 test_data/test_repos/test_repo_10/creds.git create mode 100644 test_data/test_repos/test_repo_10/somedir.git/secret.key diff --git a/config/allowlist.go b/config/allowlist.go index daaed7dbb..8055a9bf4 100644 --- a/config/allowlist.go +++ b/config/allowlist.go @@ -6,7 +6,7 @@ import ( // used for ignoring .git directories when the --no-git flag is set // related issue: https://github.com/zricethezav/gitleaks/issues/486 -const dotGit = `\.git/` +const dotGit = `/\.git/` // AllowList is struct containing items that if encountered will allowlist // a commit/line of code that would be considered a leak. 
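Review bot: With every parse error now exiting 1, `gitleaks --help` also exits non-zero, because the `flags.ErrHelp` case only skips `parser.WriteHelp` and still falls through to `os.Exit(1)`. Scripts and CI wrappers normally expect 0 for an explicit help request and non-zero only for invalid usage, which is the case #500 is about. Exit 0 for help and 1 otherwise, e.g. `if flagsErr, ok := err.(*flags.Error); ok && flagsErr.Type == flags.ErrHelp { os.Exit(0) }` followed by `parser.WriteHelp(os.Stdout); os.Exit(1)`; whether go-flags has already printed help for `ErrHelp` depends on the parser options set outside this hunk. Usage text for a bad invocation would also conventionally go to `os.Stderr` so it does not pollute a report piped from stdout. `ParseOptions` starts before the hunk and continues after it.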
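Review bot: Anchoring the pattern on a leading `/` means a `.git` directory is only ignored when a separator precedes it, so a relative path such as `.git/config` (as produced when `--path=.` if the walker emits relative paths) or a Windows path with `\` separators would no longer match and the repository's own metadata would be scanned and reported. How the `--no-git` walker builds paths is not visible in this hunk, so that needs confirming before merging. A start-anchored, separator-agnostic pattern covers both cases while still rejecting `creds.git` and `somedir.git/`: `(^|[/\\])\.git[/\\]`. A fixture with `.git/` at the root of the scanned path would pin the regression the previous form was fixing.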
diff --git a/test_data/test_allow_list_docx_no_git.json b/test_data/test_allow_list_docx_no_git.json index 50e447137..6cd05d39d 100644 --- a/test_data/test_allow_list_docx_no_git.json +++ b/test_data/test_allow_list_docx_no_git.json @@ -46,5 +46,37 @@ "file": "../test_data/test_repos/test_repo_10/gitfile.txt", "date": "0001-01-01T00:00:00Z", "tags": "key, extensions" + }, + { + "line": "", + "lineNumber": 1, + "offender": "Filename or path offender: ../test_data/test_repos/test_repo_10/creds.git", + "commit": "", + "repo": "", + "repoURL": "", + "leakURL": "", + "rule": "Block dangerous filetypes", + "commitMessage": "", + "author": "", + "email": "", + "file": "../test_data/test_repos/test_repo_10/creds.git", + "date": "0001-01-01T00:00:00Z", + "tags": "key, extensions" + }, + { + "line": "", + "lineNumber": 1, + "offender": "Filename or path offender: ../test_data/test_repos/test_repo_10/somedir.git/secret.key", + "commit": "", + "repo": "", + "repoURL": "", + "leakURL": "", + "rule": "Block dangerous filetypes", + "commitMessage": "", + "author": "", + "email": "", + "file": "../test_data/test_repos/test_repo_10/somedir.git/secret.key", + "date": "0001-01-01T00:00:00Z", + "tags": "key, extensions" } ] diff --git a/test_data/test_allow_list_file_no_git.json b/test_data/test_allow_list_file_no_git.json index 200638be1..d019602e7 100644 --- a/test_data/test_allow_list_file_no_git.json +++ b/test_data/test_allow_list_file_no_git.json @@ -1,4 +1,20 @@ [ +{ + "line": "", + "lineNumber": 1, + "offender": "Filename or path offender: ../test_data/test_repos/test_repo_10/somedir.git/secret.key", + "commit": "", + "repo": "", + "repoURL": "", + "leakURL": "", + "rule": "Block dangerous filetypes", + "commitMessage": "", + "author": "", + "email": "", + "file": "../test_data/test_repos/test_repo_10/somedir.git/secret.key", + "date": "0001-01-01T00:00:00Z", + "tags": "key, extensions" + }, { "line": "", "lineNumber": 1, 
diff --git a/test_data/test_configs/allowlist_docx.toml b/test_data/test_configs/allowlist_docx.toml index e76bde28b..baeee4d33 100644 --- a/test_data/test_configs/allowlist_docx.toml +++ b/test_data/test_configs/allowlist_docx.toml @@ -1,6 +1,6 @@ [[rules]] description = "Block dangerous filetypes" - file = '''(.*?)(gitfile.txt|gitignore|pdf|doc|docx|zip|xls|tfplan|tfstate|tfvars|vault_pass|vagrant|pyc|key|cache)$''' + file = '''(.*?)(creds.git|gitfile.txt|gitignore|pdf|doc|docx|zip|xls|tfplan|tfstate|tfvars|vault_pass|vagrant|pyc|key|cache)$''' tags = ["key", "extensions"] [rules.allowlist] paths = ['''.docx'''] diff --git a/test_data/test_repos/test_repo_10/creds.git b/test_data/test_repos/test_repo_10/creds.git new file mode 100644 index 000000000..e69de29bb diff --git a/test_data/test_repos/test_repo_10/somedir.git/secret.key b/test_data/test_repos/test_repo_10/somedir.git/secret.key new file mode 100644 index 000000000..70b8a06c3 --- /dev/null +++ b/test_data/test_repos/test_repo_10/somedir.git/secret.key @@ -0,0 +1 @@ +hah From 901f932a89d71965877e2f527498a08c8496addb Mon Sep 17 00:00:00 2001 From: Zachary Rice Date: Fri, 22 Jan 2021 11:49:21 -0500 Subject: [PATCH 03/13] Add file type checking for unstaged commits (#512) --- scan/unstaged.go | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/scan/unstaged.go b/scan/unstaged.go index 94112f703..c7fc35bac 100644 --- a/scan/unstaged.go +++ b/scan/unstaged.go 
@@ -57,6 +57,28 @@ func (us *UnstagedScanner) Scan() (Report, error) { if err != nil { continue } + + // Check if file is allow listed + if us.cfg.Allowlist.FileAllowed(filepath.Base(fn)) || + us.cfg.Allowlist.PathAllowed(fn) { + continue + } + // Check individual file path ONLY rules + for _, rule := range us.cfg.Rules { + if rule.HasFileOrPathLeakOnly(fn) { + leak := NewLeak("", "Filename or path offender: "+ fn, defaultLineNumber) + leak.Repo = us.repoName + leak.File = fn + leak.RepoURL = us.opts.RepoURL + leak.LeakURL = leak.URL() + leak.Rule = rule.Description + leak.Tags = strings.Join(rule.Tags, ", ") + leak.Log(us.opts) + scannerReport.Leaks = append(scannerReport.Leaks, leak) + continue + } + } + if _, err := io.Copy(workTreeBuf, workTreeFile); err != nil { return scannerReport, err } From c8e15c731aa1e6a1fe554ffb202fa1655b3ee3f6 Mon Sep 17 00:00:00 2001 From: Kai Date: Tue, 26 Jan 2021 04:59:51 -0800 Subject: [PATCH 04/13] Always generate a report if --report is enabled (#508) --- scan/report.go | 1 - 1 file changed, 1 deletion(-) diff --git a/scan/report.go b/scan/report.go index 702c5b521..8d82a3f3e 100644 --- a/scan/report.go +++ b/scan/report.go @@ -27,7 +27,6 @@ func WriteReport(report Report, opts options.Options, cfg config.Config) error { logrus.Warn("leaks found: ", len(report.Leaks)) } else { logrus.Info("No leaks found") - return nil } if opts.Report == "" { From 981b636920fbb4923b948e8e70ba0e88b899fd19 Mon Sep 17 00:00:00 2001 From: Zachary Rice Date: Tue, 2 Feb 2021 17:27:24 -0500 Subject: [PATCH 05/13] gitter chat --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index c9bc9b4ad..88c13747f 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,7 @@ gitleaks
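Review bot: The `continue` at the end of the `for _, rule := range us.cfg.Rules` body is a no-op — it advances the rule loop, not the file loop, so a file flagged by a path-only rule still falls through to the `io.Copy` and the content scan below. If that is intended (report the filename and also scan its contents, which is what you want for a committed `.key` or `.pem`), drop the statement so the next reader does not assume the file is skipped; if skipping was intended, it needs a labelled `continue` on the outer loop. A one-line comment above the rule loop, `// path-only rules report the filename; content scanning still follows`, would settle which it is. `Scan` starts before and ends after this hunk.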
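Review bot: Now that the no-leaks path falls through to the writer, what an empty report looks like depends on how `report.Leaks` was initialised: a nil slice marshals to JSON `null`, while consumers parsing the report as an array expect `[]`. `Report` is built outside this hunk, so confirm `Leaks` is created with `make([]Leak, 0)` or that the writer substitutes an empty array, and add a test asserting an empty JSON report serialises as `[]`. A comment at the fall-through, `// always write the report when --report is set, even with no leaks (#508)`, preserves the intent that the removed `return nil` used to make obvious. `WriteReport` continues past the hunk.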

Travis + Travis

From 3932ed6bafb78f3a6264d598570dc6ab63edcb0b Mon Sep 17 00:00:00 2001 From: Zachary Rice Date: Wed, 3 Feb 2021 13:48:59 -0500 Subject: [PATCH 06/13] --no-git should report relative path to --path (#519) --- scan/nogit.go | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/scan/nogit.go b/scan/nogit.go index ab0ffa295..41eace397 100644 --- a/scan/nogit.go +++ b/scan/nogit.go @@ -73,7 +73,12 @@ func (ngs *NoGitScanner) Scan() (Report, error) { for _, rule := range ngs.cfg.Rules { if rule.HasFileOrPathLeakOnly(p) { leak := NewLeak("", "Filename or path offender: "+p, defaultLineNumber) - leak.File = p + relPath, err := filepath.Rel(ngs.opts.Path, p) + if err != nil { + leak.File = p + } else { + leak.File = relPath + } leak.Rule = rule.Description leak.Tags = strings.Join(rule.Tags, ", ") @@ -115,7 +120,12 @@ func (ngs *NoGitScanner) Scan() (Report, error) { } leak := NewLeak(line, offender, defaultLineNumber) - leak.File = p + relPath, err := filepath.Rel(ngs.opts.Path, p) + if err != nil { + leak.File = p + } else { + leak.File = relPath + } leak.LineNumber = lineNumber leak.Rule = rule.Description leak.Tags = strings.Join(rule.Tags, ", ") From 0ce1249b9558559cab6f08ae9c6b962288044ec6 Mon Sep 17 00:00:00 2001 From: rui Date: Thu, 18 Feb 2021 09:14:10 -0500 Subject: [PATCH 07/13] chore(deps): bump go to v1.16 (#525) Signed-off-by: Rui Chen --- .travis.yml | 8 ++++---- go.mod | 2 +- go.sum | 11 ----------- 3 files changed, 5 insertions(+), 16 deletions(-) diff --git a/.travis.yml b/.travis.yml index 97a1b6f42..98b4785bd 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,8 +1,8 @@ language: go go: -- 1.14.x + - 1.16.x services: -- docker + - docker script: -- make test -- make security-scan + - make test + - make security-scan diff --git a/go.mod b/go.mod index d599cff28..cc5ce8c1c 100644 --- a/go.mod +++ b/go.mod 
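Review bot: `filepath.Rel(ngs.opts.Path, p)` returns `"."` when both arguments name the same file, and the README documents scanning a single file with `--no-git --path=path/to/local/repo/main.go`, so in that mode the report's `file` field would become `.` instead of the file name. Whether `p` equals `opts.Path` there depends on the walker outside this hunk; confirm it, and if so fall back to the base name. The same five lines appear in both hunks of this file, so a small helper keeps the call sites in step and gives the "relative to --path" contract (#519) a place to be documented. `Scan` starts before and ends after both hunks.
```go
// relPath reports p relative to the scanned --path. A single-file scan
// (p == opts.Path) would yield "."; report the file name instead.
func (ngs *NoGitScanner) relPath(p string) string {
	rel, err := filepath.Rel(ngs.opts.Path, p)
	if err != nil {
		return p
	}
	if rel == "." {
		return filepath.Base(p)
	}
	return rel
}
// … unchanged: both call sites become leak.File = ngs.relPath(p) …
```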
@@ -1,6 +1,6 @@ module github.com/zricethezav/gitleaks/v7 -go 1.15 +go 1.16 replace github.com/go-git/go-git/v5 => github.com/zricethezav/go-git/v5 v5.2.2 diff --git a/go.sum b/go.sum index 40857e8c4..10dcfbd20 100644 --- a/go.sum +++ b/go.sum @@ -22,9 +22,6 @@ github.com/go-git/go-billy/v5 v5.0.0 h1:7NQHvd9FVid8VL4qVUMm8XifBK+2xCoZ2lSk0agR github.com/go-git/go-billy/v5 v5.0.0/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0= github.com/go-git/go-git-fixtures/v4 v4.0.2-0.20200613231340-f56387b50c12 h1:PbKy9zOy4aAKrJ5pibIRpVO2BXnK1Tlcg+caKI7Ox5M= github.com/go-git/go-git-fixtures/v4 v4.0.2-0.20200613231340-f56387b50c12/go.mod h1:m+ICp2rF3jDhFgEZ/8yziagdT1C+ZpZcrJjappBCDSw= -github.com/go-git/go-git/v5 v5.2.0 h1:YPBLG/3UK1we1ohRkncLjaXWLW+HKp5QNM/jTli2JgI= -github.com/go-git/go-git/v5 v5.2.0/go.mod h1:kh02eMX+wdqqxgNMEyq8YgwlIOsDOa9homkUq1PoTMs= -github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 
@@ -40,10 +37,8 @@ github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd h1:Coekwdh0v github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= @@ -66,8 +61,6 @@ github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJy github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/xanzy/ssh-agent v0.2.1 h1:TCbipTQL2JiiCprBWx9frJ2eJlCYT00NmctrHxVAr70= github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4= -github.com/zricethezav/go-git/v5 v5.2.1 h1:snaoKv8ksDSz7NfBRXsBr9Yr8IKEKWRWf1zdhFmcFvI= -github.com/zricethezav/go-git/v5 v5.2.1/go.mod h1:kh02eMX+wdqqxgNMEyq8YgwlIOsDOa9homkUq1PoTMs= github.com/zricethezav/go-git/v5 v5.2.2 h1:VOVijF5OpIiHvFZXX94AJezdJ0b0kTyRyVNZ4yaqCRU= github.com/zricethezav/go-git/v5 v5.2.2/go.mod h1:kh02eMX+wdqqxgNMEyq8YgwlIOsDOa9homkUq1PoTMs= golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= 
@@ -82,7 +75,6 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527 h1:uYVVQ9WP/Ds2ROhcaGPeIdVq0RIXVLwsHlnvJ+cT1So= golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -93,15 +85,12 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= -gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= From b52e8c9c7c73d6b22e5b08e62d5b9d0aa6bd4a0d Mon Sep 17 00:00:00 2001 From: Rahul sharma Date: Fri, 19 Feb 2021 23:35:25 +0530 Subject: [PATCH 08/13] Slack Webhook Match (#527) --- config/default.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/default.go b/config/default.go index 27c3dd03f..720876b26 100644 --- a/config/default.go +++ b/config/default.go 
@@ -108,7 +108,7 @@ title = "gitleaks config" [[rules]] description = "Slack Webhook" - regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}''' + regex = '''https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8,12}/[a-zA-Z0-9_]{24}''' tags = ["key", "slack"] [[rules]] From 4544156b448ee5152f7e4c1c3ad8eec7e5d3d5d6 Mon Sep 17 00:00:00 2001 From: erikaweir <40696764+erikaweir@users.noreply.github.com> Date: Fri, 19 Feb 2021 18:01:31 -0500 Subject: [PATCH 09/13] Copy edits to Readme.md (#529) * Update README.md * Update README.md * Update README.md --- README.md | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 88c13747f..955b3881f 100644 --- a/README.md +++ b/README.md @@ -6,21 +6,21 @@
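Review bot: Only the `B` segment was widened to `{8,12}`; the `T` segment stays at exactly 8 and the secret segment at exactly 24, so a webhook whose workspace ID is longer than 8 characters is still missed, and the fact this rule needed widening at all suggests the widths are not stable. A missed webhook is a silent false negative, so add a fixture to the default-config tests with a 9-to-12 character `B` ID (and whichever `T` width is confirmed) so the regex is actually exercised. Record the rationale beside the rule as a TOML comment, `# Slack IDs vary in length; widths chosen per observed webhook URLs (#527)`, since the rule text lives inside the `default.go` string.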

-Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks aims to be the **easy-to-use, all-in-one solution** for finding secrets, past or present, in your code. +Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks is an **easy-to-use, all-in-one solution** for finding secrets, past or present, in your code. ### Features: - Scan for [commited](https://github.com/zricethezav/gitleaks#Scanning) secrets -- Scan for [unstaged](https://github.com/zricethezav/gitleaks#scan-unstaged-changes) secrets as part of shifting security left +- Scan for [unstaged](https://github.com/zricethezav/gitleaks#scan-unstaged-changes) secrets to shift security left - Scan [directories and files](https://github.com/zricethezav/gitleaks#scan-local-directory) -- Available [Github Action](https://github.com/marketplace/actions/gitleaks) +- Run [Gitleaks Action](https://github.com/marketplace/actions/gitleaks) in your CI/CD pipeline - [Custom rules](https://github.com/zricethezav/gitleaks#configuration) via toml configuration -- High performance using [go-git](https://github.com/go-git/go-git) +- Increased performance using [go-git](https://github.com/go-git/go-git) - JSON, SARIF, and CSV reporting - Private repo scans using key or password based authentication ### Installation -Gitleaks can be installed with Homebrew, Docker, and Go. Gitleaks is also available in binary form for many popular platforms and OS types from the [releases page](https://github.com/zricethezav/gitleaks/releases). +Gitleaks can be installed using Homebrew, Docker, or Go. Gitleaks is also available in binary form for many popular platforms and OS types on the [releases page](https://github.com/zricethezav/gitleaks/releases). ##### MacOS 
@@ -94,7 +94,7 @@ gitleaks --repo-url=https://github.com/my-insecure/repo -v #### Basic repo-url scan output to a report: -If we want the report in sarif or csv we can set the `-f/--format` option +If you want the report in sarif or csv you can set the `-f/--format` option ``` gitleaks --repo-url=https://github.com/my-insecure/repo -v --report=my-report.json ``` @@ -109,20 +109,20 @@ gitleaks --repo-url=https://github.com/my-insecure/repo --commit=commit-sha -v gitleaks --path=path/to/local/repo -v ``` -#### Scan repos contain in a parent directory: -If we had `repo1`, `repo2`, `repo3` all under `path/to/local`, gitleaks will discover and scan those repos. +#### Scan repos contained in a parent directory: +If you have `repo1`, `repo2`, `repo3` all under `path/to/local`, gitleaks will discover and scan those repos. ``` gitleaks --path=path/to/local/ -v ``` #### Scan local directory: -You might want to scan the current contents of a repo, ignoring git alltogether. You can use the `--no-git` option to do this. +If you want to scan the current contents of a repo, ignoring git alltogether. You can use the `--no-git` option to do this. ``` gitleaks --path=path/to/local/repo -v --no-git ``` #### Scan a file: -Or you might want to scan a single file using gitleaks rules. You can do this by specifying the file in `--path` and including the `--no-git` option. +Or if you want to scan a single file using gitleaks rules. You can do this by specifying the file in `--path` and including the `--no-git` option. ``` gitleaks --path=path/to/local/repo/main.go -v --no-git ``` 
@@ -136,8 +136,9 @@ gitleaks --path=path/to/local/repo -v --unstaged ### Configuration -Provide your own gitleaks configurations with `--config-path` or `--repo-config-path`. The difference between the two is `--config-path` loads a local gitleaks config whereas `--repo-config-path` will load a configuration present in the repo you want to scan. For example, `gitleaks --repo-config-path=".github/gitleaks.config"`. -The default configuration Gitleaks uses is located [here](https://github.com/zricethezav/gitleaks/blob/master/config/default.go). More configuration examples can be seen [here](https://github.com/zricethezav/gitleaks/tree/master/examples). Configuration files contain a few different toml tables which will be explained below. +Provide your own gitleaks configurations with `--config-path` or `--repo-config-path`. `--config-path` loads a local gitleaks configuration whereas `--repo-config-path` will load a configuration present just in the repo you want to scan. For example, `gitleaks --repo-config-path=".github/gitleaks.config"`. +The default configuration Gitleaks uses is located [here](https://github.com/zricethezav/gitleaks/blob/master/config/default.go). More configuration examples can be seen [here](https://github.com/zricethezav/gitleaks/tree/master/examples). Configuration files will contain a few different toml tables. Further explanation is provided below. + ### Rules summary The rules are written in [TOML](https://github.com/toml-lang/toml) as defined in [TomlLoader struct](https://github.com/zricethezav/gitleaks/blob/master/config/config.go#L57-L87), and can be summarized as: From a8dbc7f107fbb66eb6cc5fa74316a1ff8929508e Mon Sep 17 00:00:00 2001 From: Zachary Rice Date: Thu, 25 Feb 2021 16:33:24 -0500 Subject: [PATCH 10/13] Update README.md --- README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 955b3881f..ee3dec12e 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,12 @@

Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks is an **easy-to-use, all-in-one solution** for finding secrets, past or present, in your code. - + +### Introduction Video +

+ intro +

+ ### Features: - Scan for [commited](https://github.com/zricethezav/gitleaks#Scanning) secrets - Scan for [unstaged](https://github.com/zricethezav/gitleaks#scan-unstaged-changes) secrets to shift security left From b8eadbf28416d45dccfc22c7965125ff25b7f230 Mon Sep 17 00:00:00 2001 From: "Bartel, Matt" Date: Thu, 4 Mar 2021 09:26:10 -0600 Subject: [PATCH 11/13] Fix the diff generation for the unstaged checker. Previously it wouldn't always generate line-level diffs. --- go.mod | 2 + go.sum | 15 ++++-- scan/scan_test.go | 46 ++++++++++++++++--- scan/unstaged.go | 45 ++++-------------- ..._repo_one_aws_leak_uncommitted_modify.json | 19 ++++++++ 5 files changed, 82 insertions(+), 45 deletions(-) create mode 100644 test_data/test_local_repo_one_aws_leak_uncommitted_modify.json diff --git a/go.mod b/go.mod index d599cff28..0ebbec64d 100644 --- a/go.mod +++ b/go.mod @@ -6,12 +6,14 @@ replace github.com/go-git/go-git/v5 => github.com/zricethezav/go-git/v5 v5.2.2 require ( github.com/BurntSushi/toml v0.3.1 + github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 // indirect github.com/go-git/go-git/v5 v5.2.0 github.com/google/go-cmp v0.4.0 // indirect github.com/hako/durafmt v0.0.0-20191009132224-3f39dc1ed9f4 github.com/jessevdk/go-flags v1.4.0 github.com/sergi/go-diff v1.1.0 github.com/sirupsen/logrus v1.4.2 + golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5 // indirect golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 gopkg.in/yaml.v2 v2.2.8 // indirect ) diff --git a/go.sum b/go.sum index 40857e8c4..53818a389 100644 --- a/go.sum +++ b/go.sum 
@@ -2,6 +2,8 @@ github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBbw+8quDsfcvFjOpI5iCf4p/cqCs= github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs= +github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ= +github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= @@ -22,8 +24,6 @@ github.com/go-git/go-billy/v5 v5.0.0 h1:7NQHvd9FVid8VL4qVUMm8XifBK+2xCoZ2lSk0agR github.com/go-git/go-billy/v5 v5.0.0/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0= github.com/go-git/go-git-fixtures/v4 v4.0.2-0.20200613231340-f56387b50c12 h1:PbKy9zOy4aAKrJ5pibIRpVO2BXnK1Tlcg+caKI7Ox5M= github.com/go-git/go-git-fixtures/v4 v4.0.2-0.20200613231340-f56387b50c12/go.mod h1:m+ICp2rF3jDhFgEZ/8yziagdT1C+ZpZcrJjappBCDSw= -github.com/go-git/go-git/v5 v5.2.0 h1:YPBLG/3UK1we1ohRkncLjaXWLW+HKp5QNM/jTli2JgI= -github.com/go-git/go-git/v5 v5.2.0/go.mod h1:kh02eMX+wdqqxgNMEyq8YgwlIOsDOa9homkUq1PoTMs= github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4= 
@@ -66,17 +66,21 @@ github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJy github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/xanzy/ssh-agent v0.2.1 h1:TCbipTQL2JiiCprBWx9frJ2eJlCYT00NmctrHxVAr70= github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4= -github.com/zricethezav/go-git/v5 v5.2.1 h1:snaoKv8ksDSz7NfBRXsBr9Yr8IKEKWRWf1zdhFmcFvI= -github.com/zricethezav/go-git/v5 v5.2.1/go.mod h1:kh02eMX+wdqqxgNMEyq8YgwlIOsDOa9homkUq1PoTMs= github.com/zricethezav/go-git/v5 v5.2.2 h1:VOVijF5OpIiHvFZXX94AJezdJ0b0kTyRyVNZ4yaqCRU= github.com/zricethezav/go-git/v5 v5.2.2/go.mod h1:kh02eMX+wdqqxgNMEyq8YgwlIOsDOa9homkUq1PoTMs= golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073 h1:xMPOj6Pz6UipU1wXLkrtqpHbR0AVFnyPEQq/wRWz9lM= golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5 h1:2M3HP5CCK1Si9FQhwnzYhXdG6DXeebvUHFpre8QvbyI= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200301022130-244492dfa37a h1:GuSPYbZzB5/dcLNCwLQLsg3obCJtX9IJhpXkvY7kzk0= golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod 
h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 h1:SQFwaSi55rU7vdNs9Yr0Z324VNlrF+0wMqRXT4St8ck= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -90,6 +94,9 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7 h1:EBZoQjiKKPaLbPrbpssUfuHtwM6KV/vb4U85g/cigFY= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/scan/scan_test.go b/scan/scan_test.go index da0a43d2f..e6f41168d 100644 --- a/scan/scan_test.go +++ b/scan/scan_test.go 
@@ -559,10 +559,11 @@ func TestScanUncommited(t *testing.T) { emptyRepo bool wantEmpty bool fileToChange string - addition string + change string + replace bool }{ { - description: "test scan local one leak", + description: "test scan local one leak (addition)", opts: options.Options{ Path: "../test_data/test_repos/test_repo_1", Report: "../test_data/test_local_repo_one_aws_leak_uncommitted.json.got", @@ -571,7 +572,20 @@ func TestScanUncommited(t *testing.T) { }, wantPath: "../test_data/test_local_repo_one_aws_leak_uncommitted.json", fileToChange: "server.test.py", - addition: " aws_access_key_id='AKIAIO5FODNN7DXAMPLE'\n\n", + change: " aws_access_key_id='AKIAIO5FODNN7DXAMPLE'\n\n", + }, + { + description: "test scan local one leak (modification)", + opts: options.Options{ + Path: "../test_data/test_repos/test_repo_1", + Report: "../test_data/test_local_repo_one_aws_leak_uncommitted_modify.json.got", + Unstaged: true, + ReportFormat: "json", + }, + wantPath: "../test_data/test_local_repo_one_aws_leak_uncommitted_modify.json", + fileToChange: "server.test.py", + change: " aws_access_key_id='AKIAIO5FODNN7DXAMPLE'\n\n", + replace: true, }, { description: "test scan local no leak", @@ -582,7 +596,19 @@ func TestScanUncommited(t *testing.T) { }, wantEmpty: true, fileToChange: "server.test.py", - addition: "nothing bad", + change: "nothing bad", + }, + { + description: "test scan local no leak (modification)", + opts: options.Options{ + Path: "../test_data/test_repos/test_repo_1", + Unstaged: true, + ReportFormat: "json", + }, + wantEmpty: true, + fileToChange: "server.test.py", + change: "nothing bad", + replace: true, }, { description: "test scan repo with no commits", 
@@ -606,13 +632,21 @@ func TestScanUncommited(t *testing.T) { if err != nil { t.Error(err) } + + flags := os.O_WRONLY + if !test.replace { + flags |= os.O_APPEND + } else { + flags |= os.O_TRUNC + } + altered, err := os.OpenFile(fmt.Sprintf("%s/%s", test.opts.Path, test.fileToChange), - os.O_WRONLY|os.O_APPEND, 0644) + flags, 0644) if err != nil { t.Error(err) } - _, err = altered.WriteString(test.addition) + _, err = altered.WriteString(test.change) if err != nil { t.Error(err) } diff --git a/scan/unstaged.go b/scan/unstaged.go index bfaf7f578..954ba70cd 100644 --- a/scan/unstaged.go +++ b/scan/unstaged.go @@ -2,7 +2,6 @@ package scan import ( "bytes" - "fmt" "io" "os/exec" "path/filepath" @@ -12,9 +11,9 @@ import ( "github.com/zricethezav/gitleaks/v7/config" "github.com/zricethezav/gitleaks/v7/options" + "github.com/andreyvit/diff" "github.com/go-git/go-git/v5" "github.com/go-git/go-git/v5/plumbing" - "github.com/sergi/go-diff/diffmatchpatch" ) // UnstagedScanner is an unstaged scanner. This is the scanner used when you don't provide program arguments @@ -167,20 +166,18 @@ func (us *UnstagedScanner) Scan() (Report, error) { } } - dmp := diffmatchpatch.New() - diffs := dmp.DiffMain(prevFileContents, currFileContents, false) - prettyDiff := diffPrettyText(diffs) - - var diffContents string - for _, d := range diffs { - if d.Type == diffmatchpatch.DiffInsert { - diffContents += fmt.Sprintf("%s\n", d.Text) - } - } + diffLines := diff.LineDiffAsLines(prevFileContents, currFileContents) + prettyDiff := strings.Join(diffLines, "\n") lineLookup := make(map[string]bool) - for _, line := range strings.Split(diffContents, "\n") { + for _, diffLine := range diffLines { + // skip removals and equalities + if len(diffLine) < 1 || diffLine[0] != '+' { + continue + } + + line := diffLine[1:] for _, rule := range us.cfg.Rules { offender := rule.Inspect(line) if offender == "" { 
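Review bot: After `os.OpenFile` fails the test records `t.Error` and still calls `altered.WriteString`, so a missing fixture produces a second, misleading `invalid argument` failure from the nil `*os.File` instead of stopping; use `t.Fatal(err)` on both the open and the write. The path is also assembled with `fmt.Sprintf("%s/%s", ...)`; `filepath.Join(test.opts.Path, test.fileToChange)` is the portable form. The flags change itself is fine — `O_TRUNC` without `O_CREATE` assumes the fixture already exists, which the `replace` cases do. The loop body starts and ends outside the hunk.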
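Review bot: The new loop inspects only lines whose first byte is `+`, so it depends on `diff.LineDiffAsLines` emitting exactly one `+`/`-`/space marker immediately followed by the line text; that contract is not written down here, and a change in the dependency's format would silently turn every line into a skip (zero findings, no error). State it where the prefix is stripped, `// LineDiffAsLines prefixes each line with '+', '-' or ' '; only additions can introduce a secret`, and keep the `_modify` fixture in this commit as the guard for modified-line detection. `github.com/andreyvit/diff` is pinned at a 2017 pseudo-version in `go.mod` and replaces the maintained `sergi/go-diff` on the path that sees repository contents, so it deserves the same supply-chain review as any other dependency bump. The `lineLookup` map and the rule loop continue outside the hunk.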
@@ -215,28 +212,6 @@ func (us *UnstagedScanner) Scan() (Report, error) { return scannerReport, err } -// DiffPrettyText converts a []Diff into a colored text report. -// TODO open PR for this -func diffPrettyText(diffs []diffmatchpatch.Diff) string { - var buff bytes.Buffer - for _, diff := range diffs { - text := diff.Text - - switch diff.Type { - case diffmatchpatch.DiffInsert: - _, _ = buff.WriteString("+") - _, _ = buff.WriteString(text) - case diffmatchpatch.DiffDelete: - _, _ = buff.WriteString("-") - _, _ = buff.WriteString(text) - case diffmatchpatch.DiffEqual: - _, _ = buff.WriteString(" ") - _, _ = buff.WriteString(text) - } - } - return buff.String() -} - // gitStatus returns the status of modified files in the worktree. It will attempt to execute 'git status' // and will fall back to git.Worktree.Status() if that fails. func (us *UnstagedScanner) gitStatus(wt *git.Worktree) (git.Status, error) { diff --git a/test_data/test_local_repo_one_aws_leak_uncommitted_modify.json b/test_data/test_local_repo_one_aws_leak_uncommitted_modify.json new file mode 100644 index 000000000..1d7783d10 --- /dev/null +++ b/test_data/test_local_repo_one_aws_leak_uncommitted_modify.json @@ -0,0 +1,19 @@ +[ + { + "line": " aws_access_key_id='AKIAIO5FODNN7DXAMPLE'", + "lineNumber": 1, + "offender": "AKIAIO5FODNN7DXAMPLE", + "commit": "0000000000000000000000000000000000000000", + "repo": "test_repo_1", + "repoURL": "", + "leakURL": "", + "rule": "AWS Access Key", + "commitMessage": "", + "author": "", + "email": "", + "file": "server.test.py", + "date": "1970-01-01T00:00:00Z", + "tags": "key, AWS" + } + ] + \ No newline at end of file From e500b319e5fa6519dc9a9d3ab75500c6633d0240 Mon Sep 17 00:00:00 2001 From: "Bartel, Matt" Date: Thu, 4 Mar 2021 12:09:41 -0600 Subject: [PATCH 12/13] go mod tidy --- go.mod | 4 +--- go.sum | 11 ----------- 2 files changed, 1 insertion(+), 14 deletions(-) diff --git a/go.mod b/go.mod index 1df234f20..e27145fde 100644 --- a/go.mod +++ b/go.mod 
@@ -6,14 +6,12 @@ replace github.com/go-git/go-git/v5 => github.com/zricethezav/go-git/v5 v5.2.2 require ( github.com/BurntSushi/toml v0.3.1 - github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 // indirect + github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 github.com/go-git/go-git/v5 v5.2.0 github.com/google/go-cmp v0.4.0 // indirect github.com/hako/durafmt v0.0.0-20191009132224-3f39dc1ed9f4 github.com/jessevdk/go-flags v1.4.0 - github.com/sergi/go-diff v1.1.0 github.com/sirupsen/logrus v1.4.2 - golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5 // indirect golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 gopkg.in/yaml.v2 v2.2.8 // indirect ) diff --git a/go.sum b/go.sum index 106461312..5d3e3bb25 100644 --- a/go.sum +++ b/go.sum @@ -14,7 +14,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg= github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o= -github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ= github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0= github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= 
@@ -67,17 +66,11 @@ github.com/zricethezav/go-git/v5 v5.2.2 h1:VOVijF5OpIiHvFZXX94AJezdJ0b0kTyRyVNZ4 github.com/zricethezav/go-git/v5 v5.2.2/go.mod h1:kh02eMX+wdqqxgNMEyq8YgwlIOsDOa9homkUq1PoTMs= golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073 h1:xMPOj6Pz6UipU1wXLkrtqpHbR0AVFnyPEQq/wRWz9lM= golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5 h1:2M3HP5CCK1Si9FQhwnzYhXdG6DXeebvUHFpre8QvbyI= -golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200301022130-244492dfa37a h1:GuSPYbZzB5/dcLNCwLQLsg3obCJtX9IJhpXkvY7kzk0= golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 h1:SQFwaSi55rU7vdNs9Yr0Z324VNlrF+0wMqRXT4St8ck= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -90,10 +83,6 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7 h1:EBZoQjiKKPaLbPrbpssUfuHtwM6KV/vb4U85g/cigFY= -golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From c57ed52f81a67ce52411a2163cb4bdd07bb6173f Mon Sep 17 00:00:00 2001 From: "Bartel, Matt" Date: Thu, 4 Mar 2021 12:29:14 -0600 Subject: [PATCH 13/13] prevent reports from being generated for tests that don't expect them linting --- go.mod | 1 + go.sum | 9 +++++++++ scan/scan_test.go | 5 ----- scan/unstaged.go | 2 +- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index e27145fde..da7e3d687 100644 --- a/go.mod +++ b/go.mod @@ -12,6 +12,7 @@ require ( github.com/hako/durafmt v0.0.0-20191009132224-3f39dc1ed9f4 github.com/jessevdk/go-flags v1.4.0 github.com/sirupsen/logrus v1.4.2 + golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5 // indirect golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 gopkg.in/yaml.v2 v2.2.8 // indirect ) diff --git a/go.sum b/go.sum index 5d3e3bb25..182342de9 100644 --- a/go.sum +++ b/go.sum 
@@ -66,11 +66,17 @@ github.com/zricethezav/go-git/v5 v5.2.2 h1:VOVijF5OpIiHvFZXX94AJezdJ0b0kTyRyVNZ4 github.com/zricethezav/go-git/v5 v5.2.2/go.mod h1:kh02eMX+wdqqxgNMEyq8YgwlIOsDOa9homkUq1PoTMs= golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073 h1:xMPOj6Pz6UipU1wXLkrtqpHbR0AVFnyPEQq/wRWz9lM= golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5 h1:2M3HP5CCK1Si9FQhwnzYhXdG6DXeebvUHFpre8QvbyI= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200301022130-244492dfa37a h1:GuSPYbZzB5/dcLNCwLQLsg3obCJtX9IJhpXkvY7kzk0= golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 h1:SQFwaSi55rU7vdNs9Yr0Z324VNlrF+0wMqRXT4St8ck= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -83,6 +89,9 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7 h1:EBZoQjiKKPaLbPrbpssUfuHtwM6KV/vb4U85g/cigFY= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/scan/scan_test.go b/scan/scan_test.go index e6f41168d..ce0e8dcfa 100644 --- a/scan/scan_test.go +++ b/scan/scan_test.go @@ -242,7 +242,6 @@ func TestScan(t *testing.T) { description: "test local repo four entropy alternative config", opts: options.Options{ Path: "../test_data/test_repos/test_repo_1", - Report: "../test_data/test_regex_allowlist.json.got", ConfigPath: "../test_data/test_configs/aws_key_aws_allowlisted.toml", ReportFormat: "json", }, 
@@ -467,24 +466,20 @@ func TestScan(t *testing.T) { description: "test local repo two allowlist Commit config", opts: options.Options{ Path: "../test_data/test_repos/test_repo_2", - Report: "../test_data/test_local_repo_two_allowlist_commits_files_at_commit.json.got", ConfigPath: "../test_data/test_configs/allowlist_commit.toml", ReportFormat: "json", FilesAtCommit: "17471a5fda722a9e423f1a0d3f0d267ea009d41c", }, - wantPath: "../test_data/test_local_repo_two_allowlist_commits_files_at_commit.json", wantEmpty: true, }, { description: "test local repo two global allowlist commit config", opts: options.Options{ Path: "../test_data/test_repos/test_repo_2", - Report: "../test_data/test_local_repo_two_global_allowlist_files_at_commit.json.got", ConfigPath: "../test_data/test_configs/allowlist_global_files.toml", ReportFormat: "json", FilesAtCommit: "17471a5fda722a9e423f1a0d3f0d267ea009d41c", }, - wantPath: "../test_data/test_local_repo_two_global_allowlist_files_at_commit.json", wantEmpty: true, }, } diff --git a/scan/unstaged.go b/scan/unstaged.go index 7c0f6c24d..990eba5d4 100644 --- a/scan/unstaged.go +++ b/scan/unstaged.go @@ -65,7 +65,7 @@ func (us *UnstagedScanner) Scan() (Report, error) { // Check individual file path ONLY rules for _, rule := range us.cfg.Rules { if rule.HasFileOrPathLeakOnly(fn) { - leak := NewLeak("", "Filename or path offender: "+ fn, defaultLineNumber) + leak := NewLeak("", "Filename or path offender: "+fn, defaultLineNumber) leak.Repo = us.repoName leak.File = fn leak.RepoURL = us.opts.RepoURL