(WIP) Create command to print config #1654

Draft
wants to merge 1 commit into
base: master

Conversation

rgmz
Contributor

@rgmz rgmz commented Nov 23, 2024

Description:

This creates a new command to show the effective config that Gitleaks actually uses, to help troubleshoot issues where

$ ./gitleaks config
title = 'Gitleaks development'

[extend]
  useDefault = true

[[rules]]
  id = '1password-service-account-token'
  description = 'Uncovered a possible 1Password service account token, potentially compromising access to secrets in vaults.'
  regex = 'ops_eyJ[a-zA-Z0-9 /]{250,}={0,3}'
  entropy = 4.0
  keywords = ['ops_']

...

[allowlist]
  condition = 'OR'
  paths = ['(^|/)cmd/generate/config/rules', 'gitleaks\.toml', '(?i)\.(bmp|gif|jpe?g|svg|tiff?)$', '\.(eot|[ot]tf|woff2?)$', '(.*?)(doc|docx|zip|xls|pdf|bin|socket|vsidx|v2|suo|wsuo|.dll|pdb|exe|gltf)$', 'go\.(mod|sum|work(\.sum)?)$', '(^|/)vendor/modules\.txt$', '(^|/)vendor/(github\.com|golang\.org/x|google\.golang\.org|gopkg\.in|istio\.io|k8s\.io|sigs\.k8s\.io)/.*$', '(^|/)gradlew(\.bat)?$', '(^|/)gradle\.lockfile$', '(^|/)mvnw(\.cmd)?$', '(^|/)\.mvn/wrapper/MavenWrapperDownloader\.java$', '(^|/)node_modules/.*?$', '(^|/)package-lock\.json$', '(^|/)yarn\.lock$', '(^|/)pnpm-lock\.yaml$', '(^|/)npm-shrinkwrap\.json$', '(^|/)bower_components/.*?$', '(^|/)(angular|jquery(-?ui)?|plotly|swagger-?ui)[a-zA-Z0-9.-]*(\.min)?\.js(\.map)?$', '(^|/)(Pipfile|poetry)\.lock$', '(?i)/?(v?env|virtualenv)/lib(64)?/. $', '(?i)(^|/)(lib(64)?/python[23](\.\d{1,2}) /|python/[23](\.\d{1,2}) /lib(64)?/). $', '(?i)(^|/)[a-z0-9_.] -[0-9.] \.dist-info/. $', '(^|/)vendor/(bundle|ruby)/.*?$', '\.gem$', 'verification-metadata.xml', 'Database.refactorlog']
  regexes = ['(?i)^true|false|null$', '^(?i:a |b |c |d |e |f |g |h |i |j |k |l |m |n |o |p |q |r |s |t |u |v |w |x |y |z |\* |\. )$', '^\$(\d |{\d })$', '^\$([A-Z_] |[a-z_] )$', '^\${([A-Z_] |[a-z_] )}$', '^\{\{[ \t]*[\w ().|] [ \t]*}}$', "^\\$\\{\\{[ \\t]*((env|github|secrets|vars)(\\.[A-Za-z]\\w ) [\\w \"'&./=|]*)[ \\t]*}}$", '^%([A-Z_] |[a-z_] )%$', '^%[ \-# 0]?[bcdeEfFgGoOpqstTUvxX]$', '^\{\d{0,2}}$', '^@([A-Z_] |[a-z_] )@$']

Questions

  • Should the command take a source config like the other commands, or take a single argument pointing to a config file?
  • Should empty fields be rendered or hidden? A common issue I've seen is people writing Files or Path which don't get picked up; explicit empty fields would make that obvious, but add a lot of noise.
  • Is the TOML it generates actually valid? Specifically, the quotation marks around regexes.

Checklist:

  • Does your PR pass tests?
  • Have you written new tests for your changes?
  • Have you linted your code locally prior to submission?

@rgmz rgmz force-pushed the feat/show-config branch 5 times, most recently from d94e6c9 to 75f66bb Compare November 23, 2024 20:20
@rgmz rgmz force-pushed the feat/show-config branch from 75f66bb to 98a6b18 Compare December 5, 2024 23:11
1 participant