BranislavBeno / Ronja-CRM-Server

MIT License

Update zricethezav/gitleaks Docker tag to v8.16.0 #142

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| zricethezav/gitleaks | image-name | minor | `v8.15.4` -> `v8.16.0` |

Release Notes

zricethezav/gitleaks

### [`v8.16.0`](https://togithub.com/zricethezav/gitleaks/releases/tag/v8.16.0)

[Compare Source](https://togithub.com/zricethezav/gitleaks/compare/v8.15.4...v8.16.0)

#### Changelog

- [`4b5e8e1`](https://togithub.com/zricethezav/gitleaks/commit/4b5e8e1) Feat/allowlist regex target ([#1107](https://togithub.com/zricethezav/gitleaks/issues/1107))

##### Allowlist Regex Targets

Let's use the generic rule to demonstrate the new `regexTarget` allowlist option:

```toml
[[rules]]
description = "Generic API Key"
id = "generic-api-key"
regex = '''(?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-z\-_.=]{10,150})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
secretGroup = 1
entropy = 3.5
keywords = [
    "key","api","token","secret","client","passwd","password","auth","access",
]
```

`example.txt` will be our target and contain a single line with a fake secret:

```txt
var discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ'
```

Running gitleaks on this file using the generic rule will return one finding:

```
gitleaks detect --source=example.txt --no-git -v --config=example.toml

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

Finding:     discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ'
Secret:      8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ
RuleID:      generic-api-key
Entropy:     4.413910
File:        example.txt
Line:        1
Fingerprint: example.txt:generic-api-key:1
```

We can add an allowlist `regexes` entry to include part of the *secret*. This will cause gitleaks to ignore the finding above. Note that *by default* gitleaks uses the *Secret* to compare against allowlist regexes. Adding the following allowlist to the generic rule will cause gitleaks to ignore the finding:

```toml
[rules.allowlist]
regexes = ["vV"]
```

But now say you don't want to use `Secret` to compare against your allowlist regexes. Well, now you can use `regexTarget` and set the value as either `line` or `match` to compare against the line or regex match:

```toml
[rules.allowlist]
regexTarget = "match"
regexes = ["discord"]
```

and

```toml
[rules.allowlist]
regexTarget = "line"
regexes = ["var"]
```

will both result in the finding being ignored because `discord` is found in the generic rule regex *match* and `var` is in the *line* where the finding was found.

In addition to rule allowlists, you can set `regexTarget` in the global allowlist:

```toml
[allowlist]
regexTarget = "line"
regexes = ["var"]
```

Thanks [@bplaxco](https://togithub.com/bplaxco) for the review

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
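The `regexTarget` semantics quoted in the release notes above, worked through in a small Go model that is an added example here, not gitleaks' own code. The `Finding` and `Allowlist` types and the `Allowed` function are this example's names; the Line, Match and Secret values are taken from the `example.txt` line and the "Finding:"/"Secret:" output shown above.

```go
package main

import (
	"fmt"
	"regexp"
)

// Finding holds the Line / Match / Secret triple gitleaks prints above (names are this example's).
type Finding struct {
	Line   string // full line in example.txt
	Match  string // text the rule regex matched ("Finding:" in the output)
	Secret string // capture group chosen by secretGroup ("Secret:")
}

// Allowlist is a reduced [rules.allowlist] / [allowlist] table.
type Allowlist struct {
	RegexTarget string // "match", "line", or "" for the default (Secret)
	Regexes     []string
}

// Allowed reports whether an allowlist regex hits the selected target, i.e. whether gitleaks drops the finding.
func Allowed(a Allowlist, f Finding) bool {
	target := f.Secret // gitleaks compares against the Secret by default
	switch a.RegexTarget {
	case "match":
		target = f.Match
	case "line":
		target = f.Line
	}
	for _, r := range a.Regexes {
		if regexp.MustCompile(r).MatchString(target) {
			return true
		}
	}
	return false
}

// ExampleFinding reproduces the finding from the release notes above (constructed sample data).
var ExampleFinding = Finding{
	Line:   `var discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ'`,
	Match:  `discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ'`,
	Secret: `8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ`,
}

func main() {
	for _, a := range []Allowlist{{Regexes: []string{"vV"}}, {Regexes: []string{"discord"}},
		{RegexTarget: "match", Regexes: []string{"discord"}}, {RegexTarget: "line", Regexes: []string{"var"}}} {
		fmt.Printf("target=%q regexes=%v ignored=%v\n", a.RegexTarget, a.Regexes, Allowed(a, ExampleFinding))
	}
}
```

The second case shows why the option matters: `"discord"` never appears in the Secret, so under the default target the finding is still reported.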

renovate[bot] commented 1 year ago

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.

sonarcloud[bot] commented 1 year ago

Kudos, SonarCloud Quality Gate passed!

- Bug: A (0 Bugs)
- Vulnerability: A (0 Vulnerabilities)
- Security Hotspot: A (0 Security Hotspots)
- Code Smell: A (0 Code Smells)

No Coverage information
No Duplication information