Gemfile.lock is an auto-generated file for Ruby dependency management via bundler. It's the Ruby equivalent of package-lock.json in Node
Since it's an auto-generated file that we don't control the contents of, I don't think we need to scan it, at least for certain rules.
For example, without these changes I'm getting a lot of exceptions for the IPv4 addresses rule, but the contents aren't IP addresess, they're package versions such as:
parser (>= 3.2.2.3)
So this PR adds Gemfile.lock to be ignored for those rules, which I can confirm allowed me to commit my Gemfile.lock file locally with these changes.
security considerations
We are updating the ignore patterns for GitLeaks, so we should agree that we are not ignoring potentially dangerous changes in Gemfile.lock files. However, since this file is auto-generated and not edited manually, I don't think that such concerns apply here.
Changes proposed in this pull request:
Gemfile.lockis an auto-generated file for Ruby dependency management viabundler. It's the Ruby equivalent ofpackage-lock.jsonin NodeSince it's an auto-generated file that we don't control the contents of, I don't think we need to scan it, at least for certain rules.
For example, without these changes I'm getting a lot of exceptions for the
IPv4 addressesrule, but the contents aren't IP addresess, they're package versions such as:So this PR adds
Gemfile.lockto be ignored for those rules, which I can confirm allowed me to commit myGemfile.lockfile locally with these changes.security considerations
We are updating the ignore patterns for GitLeaks, so we should agree that we are not ignoring potentially dangerous changes in
Gemfile.lockfiles. However, since this file is auto-generated and not edited manually, I don't think that such concerns apply here.