What's New
SARIF support:
This release adds OASIS SARIF support via --report-format=sarif, which writes your report using the SARIF schema. Note this is the first implementation of gitleaks+SARIF, so if anyone has suggestions or wanted changes please open a PR.
Config update:
Users can now include regular expressions in the global allowlist. This is potentially useful if your code is riddled with example credentials and secrets. Below is a sample config which demonstrates how this can be used:
[[rules]]
description = "AWS Manager ID"
regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
tags = ["key", "AWS"]
[allowlist]
description = "global allowlists"
files = [
'''(.*?)(jpg|gif)$''',
'''(.*?)(doc|pdf|bin)$''',
'''(.*?)(gitleaks.toml)$'''
]
regexes = [
'''(.*?)gitleaks:allow'''
]
This example will consider the line aws_access_key_id='AKIAIO5FODNN7EXAMPLE' #example credential a leak, whereas aws_access_key_id='AKIAIO5FODNN7EXAMPLE' #gitleaks:allow would not be considered a leak, as it has the comment #gitleaks:allow which matches the global allowlist regex presented above.
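A simplified model of the match-then-allowlist behaviour described above, added here as an example and not gitleaks' own code: it hard-codes the rule and the global allowlist from the sample config instead of parsing the TOML, and the Rule, File, Finding and Scan names are assumptions for this illustration. Scan skips any file whose path matches an allowlist `files` pattern and drops any matching line that also matches an allowlist `regexes` pattern, so only the first of the two lines discussed above is reported.

```go
package main

import "regexp"
// Rule mirrors one [[rules]] entry; File is a path plus its lines; Finding is one reported leak.
type Rule struct{ Description string; Regex *regexp.Regexp }
type File struct{ Name string; Lines []string }
type Finding struct{ File, Rule, Line string }

// The [[rules]] entry and the global [allowlist] patterns from the sample config above.
var rules = []Rule{{"AWS Manager ID", regexp.MustCompile(`(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}`)}}
var allowFiles = []*regexp.Regexp{
	regexp.MustCompile(`(.*?)(jpg|gif)$`), regexp.MustCompile(`(.*?)(doc|pdf|bin)$`),
	regexp.MustCompile(`(.*?)(gitleaks.toml)$`), // the '.' is unescaped, so it matches any character
}
var allowRegexes = []*regexp.Regexp{regexp.MustCompile(`(.*?)gitleaks:allow`)}

func anyMatch(res []*regexp.Regexp, s string) bool {
	for _, re := range res {
		if re.MatchString(s) {
			return true
		}
	}
	return false
}

// Scan reports each line that matches a rule, unless the file path matches an
// allowlist `files` pattern or the line itself matches an allowlist `regexes` pattern.
func Scan(files []File) []Finding {
	var out []Finding
	for _, f := range files {
		if anyMatch(allowFiles, f.Name) {
			continue // whole file is allowlisted, so it is never scanned
		}
		for _, line := range f.Lines {
			for _, r := range rules {
				if r.Regex.MatchString(line) && !anyMatch(allowRegexes, line) {
					out = append(out, Finding{f.Name, r.Description, line})
				}
			}
		}
	}
	return out
}

// SampleFiles is constructed input: the two lines discussed above plus a copy of the config itself.
var SampleFiles = []File{
	{"app.py", []string{"aws_access_key_id='AKIAIO5FODNN7EXAMPLE' #example credential", "aws_access_key_id='AKIAIO5FODNN7EXAMPLE' #gitleaks:allow"}},
	{"gitleaks.toml", []string{"regex = '''AKIAIO5FODNN7EXAMPLE'''"}},
}
```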
Breaking Changes
This PR also includes some breaking changes to the configuration file, hence the bump to v6.
v5 config:
[[rules]]
description = "a string describing one of many rules in this config"
regex = '''one-go-style-regex-for-this-rule'''
filenameregex = '''a-file-name-regex'''
filepathregex = '''a-file-path-regex'''
tags = ["tag","another tag"]
[[rules.entropies]] # note these are strings, not floats
Min = "3.5"
Max = "4.5"
Group = "1"
[[rules.allowlist]]
description = "a string"
file = '''one-file-name-regex'''
path = '''one-file-path-regex'''
regex = '''one-regex-within-the-already-matched-regex'''
[allowlist]
description = "a description string for only _ONE_ allowlist config"
commits = [ "commit-A", "commit-B"]
files = [ '''file-regex-a''', '''file-regex-b''']
paths = [ '''path-regex-a''', '''path-regex-b''']
repos = [ '''repo-regex-a''', '''repo-regex-b''']
v6 config:
[[rules]]
description = "a string describing one of many rules in this config"
regex = '''one-go-style-regex-for-this-rule'''
file = '''a-file-name-regex''' # this changed!
path = '''a-file-path-regex''' # this changed!
tags = ["tag","another tag"]
[[rules.entropies]] # note these are strings, not floats
Min = "3.5"
Max = "4.5"
Group = "1"
[rules.allowlist] # this changed! No longer an array of tables. It's just a table.
description = "a string"
files = ['''one-file-name-regex'''] # this changed!
paths = ['''one-file-path-regex'''] # this changed!
regexes = ['''one-regex-within-the-already-matched-regex'''] # this changed!
[allowlist]
description = "a description string for a global allowlist config"
commits = [ "commit-A", "commit-B"]
files = [ '''file-regex-a''', '''file-regex-b''']
paths = [ '''path-regex-a''', '''path-regex-b''']
repos = [ '''repo-regex-a''', '''repo-regex-b''']
regexes = ['''one-regex-within-the-already-matched-regex'''] # this was added!