chore(deps): update dependency zricethezav/gitleaks to v8.27.2 (!1063) · Merge requests · GitLab.com / GitLab Infrastructure Team / common-ci-tasks

Sometimes secrets are packaged within archive files like zip files or tarballs, making them difficult to discover. Now you can tell gitleaks to automatically extract and scan the contents of archives. The flag --max-archive-depth enables this feature for both dir and git scan types. The default value of "0" means this feature is disabled by default.

Recursive scanning is supported since archives can also contain other archives. The --max-archive-depth flag sets the recursion limit. Recursion stops when there are no new archives to extract, so setting a very high max depth just sets the potential to go that deep. It will only go as deep as it needs to.

The findings for secrets located within an archive will include the path to the file inside the archive. Inner paths are separated with !.

Example finding (shortened for brevity):

Finding:     DB_PASSWORD=8ae31cacf141669ddfb5da
...
File:        testdata/archives/nested.tar.gz!archives/files.tar!files/.env.prod
Line:        4
Commit:      6e6ee6596d337bb656496425fb98644eb62b4a82
...
Fingerprint: 6e6ee6596d337bb656496425fb98644eb62b4a82:testdata/archives/nested.tar.gz!archives/files.tar!files/.env.prod:generic-api-key:4
Link:        https://github.com/leaktk/gitleaks/blob/6e6ee6596d337bb656496425fb98644eb62b4a82/testdata/archives/nested.tar.gz

This means a secret was detected on line 4 of files/.env.prod. which is in archives/files.tar which is in testdata/archives/nested.tar.gz.

Currently supported formats:

The compression and archive formats supported by mholt's archives package are supported.

`v8.26.0`

Compare Source

Changelog

78eebac Percent/URL Decoding Support (#1831)
6f967ca fix(kubernetes): remove slow element from pat (#1848)
88f56d3 feat: identify slow file (#1479)
9609928 rm 1password detect test since we test it in cfg gen
23cb69f feat(rules): Add 1Password secret key detection (#1834)

Calling this one @bplaxco's release as he introduced a really clever method for mixed decoding without sacrificing too much performance. As I stated in his MR, I think he's either a wizard or some time traveling AI. Dude is wicked smaht

Anyways, Gitleaks now supports the following decoders: hex, percent(url enconding), and b64. It's relatively straight forward to add a new decoder so if you're motivated, community contributions are welcomed!

Here's an example:

~/code/gitleaks-org/gitleaks (master) cat decode.txt
text below
aGVsbG8sIHdvcmxkIQ%3D%3D%0A
text above
~/code/gitleaks-org/gitleaks (master) ./gitleaks dir decode.txt --max-decode-depth=2 --log-level=debug

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

4:08PM DBG using stdlib regex engine
4:08PM DBG unable to load gitleaks config from decode.txt/.gitleaks.toml since --source=decode.txt is a file, using default config
4:08PM DBG found .gitleaksignore file: .gitleaksignore
4:08PM DBG segment found: original=[29,38] pos=[29,38]: "%3D%3D%0A" -> "==\n"
4:08PM DBG segment found: original=[11,38] pos=[11,31]: "aGVsbG8sIHdvcmxkIQ==" -> "hello, world!"
4:08PM INF scanned ~50 bytes (50 bytes) in 1.5ms
4:08PM INF no leaks found

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻️ Rebasing: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

chore(deps): update dependency zricethezav/gitleaks to v8.27.2

Release Notes

v8.27.2

Changelog

v8.27.1

Changelog

v8.27.0

Changelog

Archive Scanning

v8.26.0

Changelog

Configuration

Merge request reports

`v8.27.2`

`v8.27.1`

`v8.27.0`

`v8.26.0`