
feat: move rules from gitleaks: target feature branch#340

Merged
cx-diogo-rocha merged 65 commits into AST-75295-custom-rules from AST-113275-move-rules-from-gitleaks
Nov 6, 2025

Conversation

@cx-diogo-rocha
Contributor

@cx-diogo-rocha cx-diogo-rocha commented Oct 23, 2025

Closes #

Proposed Changes

  • Fully moved rules from gitleaks to our own, to package ruledefine
  • Validations that previously occurred, for every rule, every time 2ms ran, now run in unit tests
  • Created new rule struct, replacing our previous rule struct that wrapped gitleaks Rule.
  • The new Rule struct has all fields that are in practice used by gitleaks Rules; fields which are not used by default rules of gitleaks were not included.
  • Breaking change: ruleID became a uuid4 that identifies a rule regardless of its name. The old ruleID became ruleName.
    • ignores and selects with flags --ignore-rule and -rule still work with old ruleIDs.
  • Breaking change: ids of results have changed; they now take into account the new uuid4 ruleID.
    • ignores set in the -config file or in --ignore-result will no longer properly ignore those results, because the id of results changed.
  • Added new fields to results:
    • severity - for now High as default for every rule. Rules that can perform validation on their results (e.g., github-pat) will bump the severity to Critical if the secret is Valid, and lower the severity to Medium if the secret is Invalid.
    • ruleCategory - used to classify and group rules
    • ruleName - the exact same as old ruleID

The purpose of these changes is to allow us to have more control over the rules, in preparation for:

  1. Allowing users to create their own rules in the open source tool. In the future the user will be able to define more fields than simply the regex (currently supported with --regex flag)
  2. Allowing query editing in Checkmarx One.

Changes to rules

  • clojars-api-token - reintroduced entropy to 2, like it is in gitleaks
  • github-app-token - reintroduced entropy to 3, like it is in gitleaks
  • plaid-client-id - updated entropy from 3 to 3.5, like it is in gitleaks
  • vault-service-token - updated regex according to latest version of gitleaks; reintroduced entropy to 3.5, like it is in gitleaks

Checklist

  • I covered my changes with tests.
  • I updated the documentation that is affected by my changes:
    • Change in the CLI arguments
    • Change in the configuration file

I submit this contribution under the Apache-2.0 license.
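As an added Go example (not 2ms's own code; the Rule field names and the validation-status strings are assumptions), this shows the per-rule checks the PR says now run in unit tests instead of on every 2ms run, and the severity rule applied to results of validating rules:

```go
package main

import (
	"fmt"
	"regexp"
)

// Rule mirrors the shape the PR describes: a stable uuid4 RuleID, the old
// ruleID as RuleName, a category and the regex. Field names are assumed here.
type Rule struct {
	RuleID, RuleName, RuleCategory, Regex string
}

// uuid4Pattern accepts only RFC 4122 version-4 UUIDs (variant 8, 9, a or b).
var uuid4Pattern = regexp.MustCompile(
	`^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$`)

// ValidateRules runs the per-rule checks the PR moves from every 2ms run into
// unit tests: uuid4 RuleID, unique RuleID and RuleName, compiling regex.
func ValidateRules(rules []Rule) []error {
	var errs []error
	seenID, seenName := map[string]bool{}, map[string]bool{}
	for _, r := range rules {
		if !uuid4Pattern.MatchString(r.RuleID) {
			errs = append(errs, fmt.Errorf("%s: ruleID %q is not a uuid4", r.RuleName, r.RuleID))
		} else if seenID[r.RuleID] {
			errs = append(errs, fmt.Errorf("%s: duplicate ruleID %q", r.RuleName, r.RuleID))
		}
		if seenName[r.RuleName] {
			errs = append(errs, fmt.Errorf("duplicate ruleName %q", r.RuleName))
		}
		if _, err := regexp.Compile(r.Regex); err != nil {
			errs = append(errs, fmt.Errorf("%s: regex does not compile: %v", r.RuleName, err))
		}
		seenID[r.RuleID], seenName[r.RuleName] = true, true
	}
	return errs
}

// Severity applies the PR's result rule: High by default, Critical when a
// validating rule (e.g. github-pat) proved the secret valid, Medium if invalid.
func Severity(validation string) string {
	switch validation {
	case "valid":
		return "Critical"
	case "invalid":
		return "Medium"
	}
	return "High"
}
```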

…aks' into AST-113275-move-rules-from-gitleaks
…/2ms into AST-113275-move-rules-from-gitleaks

# Conflicts:
#	.2ms.yml
#	engine/engine.go
#	engine/rules/ruledefine/generic_credential.go
#	go.mod
@cx-diogo-rocha cx-diogo-rocha merged commit dd1fa79 into AST-75295-custom-rules Nov 6, 2025
11 checks passed
@cx-diogo-rocha cx-diogo-rocha deleted the AST-113275-move-rules-from-gitleaks branch November 6, 2025 14:21