Support custom gitleaks configs for Secret Detection

Summary

Attempts to exclude a path from gitleaks and TruffleHog processing are ignored or not possible. In the case of NodeJS the node_modules directory should be ignored, but it is processed regardless of any exclusion rules that are added.

When a custom gitleaks.toml file is provided to our secrets analyzer it is ignored, as we do not provide a mechanism to load custom configuration. In certain cases it can be beneficial to allow users to customize the detector, and providing a method of specifying the configuration would be useful.

We should support passing a GITLEAKS_CONFIG_PATH to the analyzer, allowing users to provide their own configuration and override the built-in one.

Steps to reproduce

The following gitleaks.toml file, placed in the project, does not result in the exclusion of a path such as node_modules:

[whitelist]
files = [
  "node_modules"
]
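To make the exclusion semantics concrete, the following is an added example written for this issue; it is not gitleaks or secrets analyzer code. It models a gitleaks-style file whitelist over a constructed sample tree, assuming (as the gitleaks config format of the time documented) that whitelist "files" entries are regular expressions searched anywhere in the file path. The rule regex, sample paths and key-shaped strings are constructed for the example. honor_whitelist=False reproduces the reported behavior (the project config has no effect); honor_whitelist=True shows the expected behavior; the anchored variant shows why a bare "node_modules" entry also matches unrelated paths that merely contain that substring.

```python
"""Minimal model of gitleaks-style file whitelisting in secret detection.

Added example for this issue; not gitleaks or analyzer code. It assumes
whitelist file entries are regular expressions matched anywhere in the path.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample repository (path -> contents). The AKIA... strings are
# key-shaped placeholders, not real credentials.
SAMPLE_FILES: Dict[str, str] = {
    "src/config.js": 'const key = "AKIAIOSFODNN7EXAMPLE";\n',
    "node_modules/some-lib/test/fixture.js": 'exports.key = "AKIAI44QH8DHBEXAMPLE";\n',
    "vendor/node_modules_backup.txt": "AKIAZZZZZZZZZZZZZZZZ\n",
    "README.md": "No secrets here.\n",
}

# Mirrors the shape of the gitleaks.toml quoted in the issue ([[rules]] plus
# [whitelist] files = [...]), expressed as a dict so no TOML parser is needed.
ISSUE_CONFIG = {
    "rules": [{"description": "AWS access key ID", "regex": r"AKIA[0-9A-Z]{16}"}],
    "whitelist": {"files": ["node_modules"]},  # exactly as written in the issue
}

# Same rule, but the exclusion is anchored to a whole path component.
ANCHORED_CONFIG = {
    "rules": ISSUE_CONFIG["rules"],
    "whitelist": {"files": [r"(^|/)node_modules/"]},
}


class Finding(NamedTuple):
    path: str
    rule: str
    match: str


def path_is_whitelisted(path: str, patterns: List[str]) -> bool:
    """True if any whitelist regex matches the path (unanchored search)."""
    return any(re.search(p, path) for p in patterns)


def scan(files: Dict[str, str], config: dict, honor_whitelist: bool = True) -> List[Finding]:
    """Run every rule regex over every file, skipping whitelisted paths.

    honor_whitelist=False models the reported bug: the project-provided
    whitelist is never loaded, so excluded paths are scanned anyway.
    """
    rules = [(r["description"], re.compile(r["regex"])) for r in config["rules"]]
    patterns = config.get("whitelist", {}).get("files", [])
    findings: List[Finding] = []
    for path in sorted(files):
        if honor_whitelist and path_is_whitelisted(path, patterns):
            continue
        for name, rx in rules:
            for m in rx.finditer(files[path]):
                findings.append(Finding(path, name, m.group(0)))
    return findings


if __name__ == "__main__":
    print("config ignored (reported behavior):")
    for f in scan(SAMPLE_FILES, ISSUE_CONFIG, honor_whitelist=False):
        print("  ", f.path, f.rule)
    print("bare 'node_modules' whitelist honored:")
    for f in scan(SAMPLE_FILES, ISSUE_CONFIG):
        print("  ", f.path, f.rule)
    print("anchored '(^|/)node_modules/' whitelist honored:")
    for f in scan(SAMPLE_FILES, ANCHORED_CONFIG):
        print("  ", f.path, f.rule)
```

With the whitelist ignored, all three key-shaped strings are reported, including the one under node_modules. With the bare "node_modules" pattern honored, both node_modules/... and vendor/node_modules_backup.txt disappear, since the regex matches the substring anywhere in the path; the anchored pattern excludes only the real node_modules directory. When the analyzer does load a project config, entries should be anchored this way so that an exclusion intended for a dependency directory does not silently hide findings in unrelated files.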

Looking at the secrets analyzer Dockerfile, a pre-baked gitleaks.toml is provided.

How can this be extended without building our own analyzer?

TruffleHog doesn't appear to have a way of passing a similar configuration to the analyzer.

What is the current bug behavior?

The analyzer still processes an excluded path because it ignores the project-provided gitleaks.toml.

What is the expected correct behavior?

The analyzer ignores the excluded path because it uses the project-provided gitleaks.toml.

Relevant logs and/or screenshots

2019/04/26 02:36:30 [secrets] Detect project using plugin
2019/04/26 02:36:30 [secrets] Project is compatible
2019/04/26 02:36:30 [secrets] Starting analyzer...
latest: Pulling from gitlab-org/security-products/analyzers/secrets
bdf0201b3a05: Pulling fs layer
2b95ad226aea: Pulling fs layer
5b39a804479c: Pulling fs layer
df2fe20a49c1: Pulling fs layer
df2fe20a49c1: Waiting
bdf0201b3a05: Verifying Checksum
bdf0201b3a05: Download complete
bdf0201b3a05: Pull complete
5b39a804479c: Verifying Checksum
5b39a804479c: Download complete
2b95ad226aea: Verifying Checksum
2b95ad226aea: Download complete
df2fe20a49c1: Verifying Checksum
df2fe20a49c1: Download complete
2b95ad226aea: Pull complete
5b39a804479c: Pull complete
df2fe20a49c1: Pull complete
Digest: sha256:f66cf0d899ed3666abdd3da7341adc7e6f5f552dbf992cf4fd8ef5b0ed59c0be
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/analyzers/secrets:latest

Output of checks

This is from the Ultimate version of GitLab (i.e. not GitLab.com).

Results of GitLab environment info

v11.9.8-ee

Results of GitLab application Check

See the logs above for the date of the latest analyzer image used.

registry.gitlab.com/gitlab-org/security-products/analyzers/secrets:latest

Possible fixes

None.

Edited by Lucas Charles