Support custom gitleaks configs for Secret Detection
Attempts to exclude a path from the processing of gitleaks and TruffleHog are ignored or not possible.
In the case of NodeJS the node_modules directory should be ignored, but it is processed regardless of any exclude rules that are added.
When a custom gitleaks.toml file is provided to our secrets analyzer it is ignored, as we do not provide a mechanism to load custom configuration. In certain cases it can be beneficial to allow users to customize the detector, and providing a method of specifying the configuration would be useful.
We should support passing a GITLEAKS_CONFIG_PATH to the analyzer, allowing users to provide their own configuration and override the built-in one.
Steps to reproduce
The following gitleaks.toml file does not allow the exclusion of a path such as node_modules:

```toml
[whitelist]
files = [ "node_modules" ]
```
Looking at the secrets Dockerfile, a pre-baked gitleaks.toml is provided.
How to add to this without building our own analyzer?
TruffleHog doesn't appear to have a way of passing a similar configuration to the analyzer.
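To show what the whitelist above should do once the analyzer honors a project-provided config, here is an added Python example; it is not code from gitleaks or the GitLab secrets analyzer. It assumes that each `files` entry is a regular expression searched anywhere in the repo-relative path (an assumption about gitleaks semantics), and it reads only this one TOML key with a deliberately minimal parser instead of a TOML library.

```python
import re

# Constructed configs (not the analyzer's built-in gitleaks.toml): the first
# is the shape the issue shows, the second anchors the patterns to the repo root.
ISSUE_CONFIG = """
[whitelist]
files = [ "node_modules" ]
"""

ANCHORED_CONFIG = """
[whitelist]
files = [ "^node_modules/", "^vendor/" ]
"""

def parse_whitelist_files(toml_text):
    """Read the `files` array of the [whitelist] table.

    Assumption: a tiny subset of TOML (one table header per line, a single-line
    array of double-quoted strings); a real analyzer would use a TOML library.
    """
    in_whitelist = False
    patterns = []
    for raw in toml_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_whitelist = line == "[whitelist]"
            continue
        m = re.match(r'files\s*=\s*\[(.*)\]', line)
        if in_whitelist and m:
            patterns.extend(re.findall(r'"([^"]*)"', m.group(1)))
    return [re.compile(p) for p in patterns]

def is_whitelisted(path, compiled):
    # Assumption: each entry is a regex searched anywhere in the repo-relative path.
    return any(rx.search(path) for rx in compiled)

def files_to_scan(paths, toml_text):
    """Return the paths the detector would still scan under the given config."""
    compiled = parse_whitelist_files(toml_text)
    return [p for p in paths if not is_whitelisted(p, compiled)]

# Constructed repository listing used for the demonstration.
SAMPLE_PATHS = [
    "src/app.js",
    "node_modules/lodash/index.js",
    "vendor/bundle/ruby/gem.rb",
    "docs/node_modules_notes.md",
]
```

Note that the unanchored entry from the issue also skips `docs/node_modules_notes.md`, which is why the second config anchors the pattern; an over-broad whitelist silently removes real files from the scan.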
What is the current bug behavior?
The analyzer still processes an excluded path, ignoring the project-provided gitleaks.toml.
What is the expected correct behavior?
The analyzer ignores the excluded path by using the project-provided gitleaks.toml.
Relevant logs and/or screenshots
```
2019/04/26 02:36:30 [secrets] Detect project using plugin
2019/04/26 02:36:30 [secrets] Project is compatible
2019/04/26 02:36:30 [secrets] Starting analyzer...
latest: Pulling from gitlab-org/security-products/analyzers/secrets
bdf0201b3a05: Pulling fs layer
2b95ad226aea: Pulling fs layer
5b39a804479c: Pulling fs layer
df2fe20a49c1: Pulling fs layer
df2fe20a49c1: Waiting
bdf0201b3a05: Verifying Checksum
bdf0201b3a05: Download complete
bdf0201b3a05: Pull complete
5b39a804479c: Verifying Checksum
5b39a804479c: Download complete
2b95ad226aea: Verifying Checksum
2b95ad226aea: Download complete
df2fe20a49c1: Verifying Checksum
df2fe20a49c1: Download complete
2b95ad226aea: Pull complete
5b39a804479c: Pull complete
df2fe20a49c1: Pull complete
Digest: sha256:f66cf0d899ed3666abdd3da7341adc7e6f5f552dbf992cf4fd8ef5b0ed59c0be
Status: Downloaded newer image for registry.gitlab.com/gitlab-org/security-products/analyzers/secrets:latest
```
Output of checks
This is from the Ultimate version of GitLab (i.e. not GitLab.com).
Results of GitLab environment info
Results of GitLab application Check
See logs above for a date of the latest application used.