ShiftLeftSecurity / sast-scan

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.
https://discord.gg/DCNxzaeUpd
Apache License 2.0

Use correct gitleaks args in tricks documentation #338

Closed calebcartwright closed 3 years ago

calebcartwright commented 3 years ago

I'm not sure if gitleaks ever had a report-format option, but it definitely doesn't any more. I ran into this because I needed to use a custom configuration with gitleaks to incorporate some additional regexes, and as I understand it, the only way to do that is with a .sastscanrc file. I started by just copying and extending the snippet from this TRICKS page and didn't realize the bad arg to gitleaks was the root cause of the issue I was seeing.

The bad arg causes gitleaks to error but the behavior I saw with scan was a false pass that seemed to succeed but without finding secrets that I knew gitleaks should have been finding.

Ultimately a pebkac issue :smile: but I think it'd be helpful to remove the invalid opt from the documentation to hopefully prevent the same from happening to anyone else.

Finally, thanks for a wonderful tool! Took some time to figure out this issue but I've really been enjoying things now that I've got it working.

prabhu commented 3 years ago

@calebcartwright Note that the docs for scan exist in a separate repo - https://github.com/ShiftLeftSecurity/scan-docs. Only this repo is deployed to https://slscan.io/en/latest/

calebcartwright commented 3 years ago

> @calebcartwright Note that the docs for scan exist in a separate repo - https://github.com/ShiftLeftSecurity/scan-docs. Only this repo is deployed to https://slscan.io/en/latest/

Thanks @prabhu :+1: I actually couldn't find anything in the main docs site that helped me realize it was possible to customize the gitleaks rules with the rc file, just happened to stumble upon it here in this repo!

prabhu commented 3 years ago

@calebcartwright Good feedback. Will add some sections to the docs and readme about the customizability aspects. Thanks for reporting!