Add --gitleaks-ignore-path so that it will use the same path as source

Problem to solve

Today, GitLab's secrets analyzer does not support using --gitleaks-ignore-path flag to specify the path to .gitleaksignore file.

Proposal

Add --gitleaks-ignore-path argument to the options we pass to gitleaks binary so that it will use the same path as source. This will ensure that the .gitleaksignore file gets picked up when it's in the same path as --source.

Considerations

  1. Historically, GitLab has been conservative with supporting CLI flags other than what's specified in defaultOptions.

  2. According to gitleaks documentation: .gitleaksignore (and consequently the --gitleaks-ignore-path flag) is an experimental feature. Consider supporting this feature once it's in general availability.

  3. The --gitleaks-ignore-path flag already defaults to `.`, which on Unix-based operating systems denotes the current directory, so the default resolves to the process's current working directory rather than to --source.

Investigation

The code responsible for loading the .gitleaksignore file in the latest gitleaks version we use at the time of writing (i.e. v8.22.1) already falls back to looking for the file under --source when --gitleaks-ignore-path is not set:

  • It first looks for the exact file path given in --gitleaks-ignore-path.
  • If not found, it looks for a .gitleaksignore file inside the directory given in --gitleaks-ignore-path.
  • If not found, it looks for a .gitleaksignore file inside the directory given in --source.

This however does not seem to be working for customers when they have their scanning target directory at a different place than the path we pass to --source (which is / because no workdir is set for the final Docker image).
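The following is an added example, not code from the issue or from gitleaks: a small Python model of the three-step lookup order above, run against a constructed directory layout to show why a `.gitleaksignore` at the scan target is missed when --source is the container root and the working directory is elsewhere, and how either pointing --source at the target (the ANALYZER_TARGET_DIR workaround) or passing --gitleaks-ignore-path explicitly makes it resolve. Directory names (`root`, `cwd`, `repo`) are assumptions for the demo.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional

IGNORE_FILE = ".gitleaksignore"


def resolve_gitleaksignore(source: str, ignore_path: str = ".") -> Optional[Path]:
    """Model of the lookup order described for gitleaks v8.22.1 (not the real code):
    1. the exact path given in --gitleaks-ignore-path, if it is a file
    2. <--gitleaks-ignore-path>/.gitleaksignore
    3. <--source>/.gitleaksignore
    Returns the first existing candidate, or None. ignore_path defaults to '.'
    like the real flag, so with no override it depends on the working directory."""
    flag = Path(ignore_path)
    candidates = [flag, flag / IGNORE_FILE, Path(source) / IGNORE_FILE]
    for candidate in candidates:
        if candidate.is_file():
            return candidate
    return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed layout (sample data, not from the issue):
    root/             stands in for the container's '/' (what --source receives)
      cwd/            stands in for the analyzer's working directory (empty)
      repo/           the real scan target (ANALYZER_TARGET_DIR)
        .gitleaksignore
    Returns, per scenario, the resolved path relative to root (or None)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cwd = root / "cwd"
        repo = root / "repo"
        cwd.mkdir()
        repo.mkdir()
        (repo / IGNORE_FILE).write_text("# fingerprint lines would go here\n")
        found = {
            # --source=/ and working dir elsewhere: every candidate misses
            "source_is_root": resolve_gitleaksignore(str(root), str(cwd)),
            # workaround: ANALYZER_TARGET_DIR makes --source point at the repo
            "source_is_target_dir": resolve_gitleaksignore(str(repo), str(cwd)),
            # proposal: pass --gitleaks-ignore-path pointing at the target
            "explicit_ignore_path": resolve_gitleaksignore(str(root), str(repo)),
        }
        return {k: (str(v.relative_to(root)) if v else None) for k, v in found.items()}


if __name__ == "__main__":
    for scenario, path in demo().items():
        print(f"{scenario}: {path}")
```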

Workaround

A workaround suggested by @ahmed.hemdan is to use ANALYZER_TARGET_DIR environment variable to set the scanning target directory.

To test that this workaround works as expected, we created a repository where:

  • The ANALYZER_TARGET_DIR environment variable is used to set the source directory being scanned.
  • The .gitleaksignore file is stored at the root of the scanned directory (i.e. ANALYZER_TARGET_DIR).

The POC confirms:

  • The .gitleaksignore file is picked up correctly when ANALYZER_TARGET_DIR is used.
  • The .gitleaksignore file is ignoring the secret specified from being reported.
  • Scanning takes place in the folder specified (notice the --source flag).

Note: for this to work, the CI configuration needs to point to the correct artifact path.

Additional context

  • This ask originated from add --gitleaks-ignore-path so that it will use ... (gitlab-org/security-products/analyzers/secrets!334 - closed).
  • The merge request was created by @zchua-gtlb (GitLab) for a customer request from @anthony.poschen.telstra.
Edited Aug 27, 2025 by 🤖 GitLab Bot 🤖