
deps:chore - update zricethezav/gitleaks Docker tag to v8.1.1 #846

Merged
merged 1 commit into main from renovate/zricethezav-gitleaks-8.x
Dec 6, 2021

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Dec 4, 2021

WhiteSource Renovate

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| zricethezav/gitleaks | final | minor | v8.0.5 -> v8.1.1 |

Release Notes

zricethezav/gitleaks

v8.1.1


Changelog

84e285e ignore all gitleaks.tomls by default
928c6a6 Update pre-commit step to run gitleaks checks (#729)
106897f fix: format dates in log in a portable way (#735)

v8.1.0


Changelog

(#734) This is the first big change since the release of v8.0.0 which I think has gone well? Anyways this release (v8.1.0) introduces the following changes:

  • Deduplicate generic secret findings in reports (provider-specific rules take precedence)
  • Add secretGroup to extract the actual secrets from the rules.
  • Removes entropyGroup, so yes you probably will have to update your config again
  • Renames Context to Match in reports
  • Added a bunch of ids to the default config (probably should make this a required field but that can wait)

More on:

  • Add secretGroup to extract the actual secrets from the rules.

Let's take the discord example in the default config:
discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"

The discord client secret rule, with secretGroup added, will extract 8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ as the secret since ([a-z0-9=_\-]{32}) is regex group 3:

[[rules]]
id = "discord-client-secret"
description = "Discord client secret"
regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]'''
secretGroup = 3

And the resulting report finding for this example secret would look something like:

 {
  "Description": "Discord client secret",
  "StartLine": 225,
  "EndLine": 225,
  "StartColumn": 2,
  "EndColumn": 59,
  "Match": "discord_client_secret = \"8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ\"",
  "Secret": "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ",
  "File": "README.md",
  "Commit": "f0b8d26c9988af725132c100dda5051586a3026e",
...
  "RuleID": "discord-client-secret"
 },

And a note on deduping/generic secrets (from the readme):

Let's continue with the example discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ".
This secret would match both the discord-client-secret rule and the generic-api-key rule in the default config.

[[rules]]
id = "discord-client-secret"
description = "Discord client secret"
regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]'''
secretGroup = 3

[[rules]]
id = "generic-api-key"
description = "Generic API Key"
regex = '''(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]'''
entropy = 3.7
secretGroup = 4

If gitleaks encountered discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ", only the discord rule would report a finding because the generic rule has the string generic somewhere in the rule's id. If a secret is encountered and both a generic and non-generic rule have discovered the same secret, the non-generic will be given precedence.
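The two behaviours described in these release notes, secret extraction via secretGroup and generic/non-generic deduplication, can be reproduced with a small scanner. The code below is an added example written for this page; it is not gitleaks' own code. It reuses the two rule regexes quoted above verbatim, treats the entropy value as a strict lower bound on the Shannon entropy of the extracted secret, keys deduplication on (line, secret), and scans a constructed three-line sample rather than a real repository. All of those choices are assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Rule holds the config fields used in this example; the field names follow
// the TOML keys from the release notes (id, description, regex, entropy, secretGroup).
type Rule struct {
	ID          string
	Description string
	Regex       *regexp.Regexp
	Entropy     float64 // 0 disables the entropy check
	SecretGroup int     // 0 means "the whole match is the secret"
}

// Finding is a reduced form of the report entry shown in the release notes.
type Finding struct {
	RuleID string
	Line   int
	Match  string
	Secret string
}

// Rules are the two rules quoted in the v8.1.0 release notes; regexes copied verbatim.
var Rules = []Rule{
	{
		ID:          "discord-client-secret",
		Description: "Discord client secret",
		Regex:       regexp.MustCompile(`(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]`),
		SecretGroup: 3,
	},
	{
		ID:          "generic-api-key",
		Description: "Generic API Key",
		Regex:       regexp.MustCompile(`(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]`),
		Entropy:     3.7,
		SecretGroup: 4,
	},
}

// ShannonEntropy returns the per-character entropy of s in bits.
func ShannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	total := float64(len([]rune(s)))
	var h float64
	for _, c := range counts {
		p := float64(c) / total
		h -= p * math.Log2(p)
	}
	return h
}

// isGeneric follows the release-note definition: the rule id contains "generic".
func isGeneric(ruleID string) bool { return strings.Contains(ruleID, "generic") }

// Scan runs every rule over each line, extracts the secret via secretGroup,
// applies the entropy threshold (assumption: strict lower bound), and then
// drops a generic finding when a non-generic rule reported the same secret
// on the same line, so the provider-specific rule takes precedence.
func Scan(content string) []Finding {
	var all []Finding
	for n, line := range strings.Split(content, "\n") {
		for _, r := range Rules {
			for _, m := range r.Regex.FindAllStringSubmatch(line, -1) {
				secret := m[0]
				if r.SecretGroup > 0 && r.SecretGroup < len(m) {
					secret = m[r.SecretGroup]
				}
				// Entropy is measured on the extracted secret, not the whole match.
				if r.Entropy > 0 && ShannonEntropy(secret) <= r.Entropy {
					continue
				}
				all = append(all, Finding{RuleID: r.ID, Line: n + 1, Match: m[0], Secret: secret})
			}
		}
	}
	type key struct {
		line   int
		secret string
	}
	specific := map[key]bool{}
	for _, f := range all {
		if !isGeneric(f.RuleID) {
			specific[key{f.Line, f.Secret}] = true
		}
	}
	var out []Finding
	for _, f := range all {
		if isGeneric(f.RuleID) && specific[key{f.Line, f.Secret}] {
			continue // same secret already reported by a provider-specific rule
		}
		out = append(out, f)
	}
	return out
}

// Sample is constructed input for this example; the values are not real credentials.
const Sample = `discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"
api_key = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"
password = "aaaaaaaaaaaa"`

func main() {
	for _, f := range Scan(Sample) {
		fmt.Printf("line %d rule=%s secret=%s\n", f.Line, f.RuleID, f.Secret)
	}
}
```

Line 1 matches both rules but only discord-client-secret is reported, line 2 has no provider-specific match so generic-api-key is kept, and line 3 matches generic-api-key but is dropped because a run of identical characters has zero entropy, below the rule's 3.7 threshold.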

v8.0.7


Changelog

089639e bump go-gitdiff, fixes https://github.com/zricethezav/gitleaks/issues/724 (#731)

v8.0.6


Changelog

9ae1def Little timing hack to avoid scans prematurely finishing when git errors are present (#726)


Configuration

📅 Schedule: "every weekend" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by WhiteSource Renovate. View repository job log here.

Signed-off-by: Renovate Bot <bot@renovateapp.com>
@renovate renovate bot changed the title from "deps:chore - update zricethezav/gitleaks Docker tag to v8.1.0" to "deps:chore - update zricethezav/gitleaks Docker tag to v8.1.1" on Dec 6, 2021
@renovate renovate bot force-pushed the renovate/zricethezav-gitleaks-8.x branch from 6f5690a to 71c4acc on December 6, 2021 17:37
@matheusalcantarazup matheusalcantarazup merged commit 4a0b3a8 into main Dec 6, 2021
@matheusalcantarazup matheusalcantarazup deleted the renovate/zricethezav-gitleaks-8.x branch December 6, 2021 19:56