MyGit

v8.16.0

gitleaks/gitleaks

Release date: 2023-02-26 23:04:12

Latest gitleaks/gitleaks release: v8.18.2 (2024-02-02 01:08:03)

Changelog

Allowlist Regex Targets

Let's use the generic rule to demonstrate the new regexTarget allowlist option.

[[rules]]
description = "Generic API Key"
id = "generic-api-key"
regex = '''(?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-z\-_.=]{10,150})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
secretGroup = 1
entropy = 3.5
keywords = [
    "key","api","token","secret","client","passwd","password","auth","access",
]

example.txt will be our target and contain a single line with a fake secret:

var discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ'

Running gitleaks on this file using the generic rule will return one finding:

gitleaks detect --source=example.txt --no-git -v --config=example.toml

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

Finding:     discord_client_secret = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ'
Secret:      8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ
RuleID:      generic-api-key
Entropy:     4.413910
File:        example.txt
Line:        1
Fingerprint: example.txt:generic-api-key:1

We can add an allowlist regexes entry that matches part of the secret; this will cause gitleaks to ignore the finding above. Note that by default gitleaks compares the Secret against the allowlist regexes.

Adding the following allowlist to the generic rule will cause gitleaks to ignore the finding:

[rules.allowlist]
regexes = ["vV"]

But now say you don't want to compare your allowlist regexes against the Secret. With regexTarget you can set the value to either line or match, so the regexes are compared against the whole line or the full regex match instead:

[rules.allowlist]
regexTarget = "match"
regexes = ["discord"]

and

[rules.allowlist]
regexTarget = "line"
regexes = ["var"]

will both result in the finding being ignored, because discord appears in the generic rule's regex match and var appears in the line where the finding was found.

In addition to rule allowlists, you can set regexTarget in the global allowlist:

[allowlist]
regexTarget = "line"
regexes = ["var"]

Thanks @bplaxco for the review


Release assets:

1. gitleaks_8.16.0_checksums.txt (1.17 KB)
2. gitleaks_8.16.0_darwin_arm64.tar.gz (2.57 MB)
3. gitleaks_8.16.0_darwin_x64.tar.gz (2.71 MB)
4. gitleaks_8.16.0_linux_arm64.tar.gz (2.37 MB)
5. gitleaks_8.16.0_linux_armv6.tar.gz (2.52 MB)
6. gitleaks_8.16.0_linux_armv7.tar.gz (2.51 MB)
7. gitleaks_8.16.0_linux_x32.tar.gz (2.54 MB)
8. gitleaks_8.16.0_linux_x64.tar.gz (2.6 MB)
9. gitleaks_8.16.0_windows_arm64.zip (2.4 MB)
10. gitleaks_8.16.0_windows_armv6.zip (2.58 MB)
11. gitleaks_8.16.0_windows_armv7.zip (2.57 MB)
12. gitleaks_8.16.0_windows_x32.zip (2.63 MB)
13. gitleaks_8.16.0_windows_x64.zip (2.63 MB)
