Gemfile.lock is an auto-generated file for Ruby dependency management via bundler. It's the Ruby equivalent of package-lock.json in Node
Since it's an auto-generated file that we don't control the contents of, I don't think we need to scan it, at least for certain rules.
For example, without these changes I'm getting a lot of exceptions for the IPv4 addresses rule, but the contents aren't IP addresess, they're package versions such as:
parser (>= 3.2.2.3)
So this PR adds Gemfile.lock to be ignored for those rules, which I can confirm allowed me to commit my Gemfile.lock file locally with these changes.
security considerations
We are updating the ignore patterns for GitLeaks, so we should agree that we are not ignoring potentially dangerous changes in Gemfile.lock files. However, since this file is auto-generated and not edited manually, I don't think that such concerns apply here.
Changes proposed in this pull request:
Gemfile.lock
is an auto-generated file for Ruby dependency management viabundler
. It's the Ruby equivalent ofpackage-lock.json
in NodeSince it's an auto-generated file that we don't control the contents of, I don't think we need to scan it, at least for certain rules.
For example, without these changes I'm getting a lot of exceptions for the
IPv4 addresses
rule, but the contents aren't IP addresess, they're package versions such as:So this PR adds
Gemfile.lock
to be ignored for those rules, which I can confirm allowed me to commit myGemfile.lock
file locally with these changes.security considerations
We are updating the ignore patterns for GitLeaks, so we should agree that we are not ignoring potentially dangerous changes in
Gemfile.lock
files. However, since this file is auto-generated and not edited manually, I don't think that such concerns apply here.