Checkmarx · cx-leonardo-fontes · Jan 15, 2026 · Jan 13, 2026 · Jan 13, 2026 · Jan 13, 2026
diff --git a/.2ms.yml b/.2ms.yml
@@ -2871,3 +2871,119 @@ ignore-result:
 - f0544e7e9e25a6223cd10c37a445bfd4a4641337 # test data from defaultPlusAllCustomRules.json
 - f93dd5ab91efe7b70381afe3d4ebd1b26e628ac9 # test data from defaultPlusNonOverrideRules.json
 - ff81ccd6553feaf5fbbf573eac2a0042d05aaee4 # test data from defaultPlusNonOverrideRules.json
+- 291db30c1fc925cf1db50da134b81bb53fcdfa9c # unit test from baseline_test.go
+- 37053e96e52dcbe9d7a622cd3034cea95396a904 # unit test from detect_test.go
+- 3d5c482ed8e7b2f642c4af0918dbb17bbad37fb5 # unit test from detect_test.go
+- 54f91dd27b35bdce536ada4ac2d25e1830936eb3 # unit test from detect_test.go
+- 58dad9441a96a0e2bde490df8012c310a754366d # unit test from detect_test.go
+- 65e203cba5dc1dd46c0a05f7d7d29f13cd5a754b # unit test from detect_test.go
+- 6deb6b4b6091d938e043751eff3c63f44f507047 # unit test from detect_test.go
+- 742452318b80286d255e8f59b083130e0469361a # unit test from detect_test.go
+- 763f9229cda90ec9d629db3d9510deec6106a50b # unit test from detect_test.go
+- aa67b81207d129d2100805119835365106660dff # unit test from detect_test.go
+- ad99aa7582689ab373979a458399b5ab74a48b28 # unit test from detect_test.go
+- ae25f7e23754c15f9d7889ed0de737ec6691b6c1 # unit test from detect_test.go
+- b8c48605e841ba5bc32988f59fb884475b8d5690 # unit test from detect_test.go
+- c9266e05aba8dc5005cafc1d4a844ba52be7a33c # unit test from detect_test.go
+- ca95e2536135c3d7ec3a7b1436519a008cea6ba5 # unit test from detect_test.go
+- cf6b654c0b2f060d957409da90d86e6d349a50d5 # unit test from detect_test.go
+- da1aaad0a6b7d539002003fd8f58c82cfaa72b15 # unit test from detect_test.go
+- e2503154339a5267cbe90ed14a325b06c6ebd844 # unit test from detect_test.go
+- e6db34f91797a0aa9cc7460c749577e7be7bc7ee # unit test from reader_test.go
+- e8bb1f5f551f019754e029ad16dbd24ffad57655 # unit test from detect_test.go
+- ebad3473b3803319f6b5587b77d0aaab458feb28 # unit test from detect_test.go
+- f2d5884f42efeee708ece148627c2b95eefc316f # unit test from detect_test.go
+- 0191ca76eb902ced14c15f96338aef02e0057c8b # unit test from detect_test.go
+- 03ddf82cc545e43572460fa7327e5a29667f4d9f # unit test from detect_test.go
+- 045a994e1030fff96dcb84b28e30d70b3ac95fd6 # unit test from detect_test.go
+- 058d5ef7732f0bc4b72e9a9a6791bdd8b2cff6d9 # unit test from engine_test.go
+- 064ea8914e82065aebbb6625d7eb8afab44474de # unit test from detect_test.go
+- 08443422de367c9ac03d302b0f1105fd83237542 # unit test from e2e_test.go
+- 084a5972aadeceed7774244c7cdf9dadab7cb65f # unit test from detect_test.go
+- 08608fa8499ad6e42f04a4bfddd9f4f528a735f0 # unit test from detect_test.go
+- 09c64bdb8a8293f680106f8573a6dc3b859e6107 # unit test from detect_test.go
+- 0ba26d72ec2adcc03762aedf9adb41d72c843204 # unit test from e2e_test.go
+- 0fc99fe8faa117e2d6c9dbbadd7edb6050866b61 # unit test from detect_test.go
+- 120d2028133fe0a99e37e4406d6e39de19064acd # unit test from detect_test.go
+- 13a25db3ecbb44fc4ebb8d7c743650b9f033b3cf # unit test from detect_test.go
+- 1f491ddef575b4e99da0c0c30d1053292660e7f7 # unit test from detect_test.go
+- 242966474821312cf4ba23cb189822bc9a197246 # unit test from detect_test.go
+- 2b1cbfbf336cfbf5e461255bfe76d1e38a4a743b # unit test from e2e_test.go
+- 2d62a78fe31d4c464b8c79fc585890f0483cfeec # unit test from baseline_test.go
+- 2e47a67fd27d0fd4d75019e6e439c381cde961d0 # unit test from detect_test.go
+- 2f16bf21f6d80c0d41e47cb0172468e43729dd66 # unit test from detect_test.go
+- 31036836f52133fe54daa2e69ac12d9ba2b3b04a # unit test from e2e_test.go
+- 316f88a3e44ddb85aabc0e948a3ea8a671b5edf5 # unit test from reader_test.go
+- 3287a84c6e8fe79033feee27d9141e8a5124f825 # unit test from detect_test.go
+- 34818a0709801a2869d996ede681f6c0fe7fea91 # unit test from e2e_test.go
+- 350322ac0bdfb65e2a61786dbae5963f2bb9a527 # unit test from detect_test.go
+- 3692e7882628467155bd939da7d56e5ee73d3e15 # unit test from detect_test.go
+- 39957ecf370b6f1132121973e44b921200462c4e # unit test from reader_test.go
+- 3a6b1739d3f3398ab84e710ba73b487c1df23376 # unit test from detect_test.go
+- 3f71840afabd8ac630599d13fd1c8b398c1f5549 # unit test from engine_test.go
+- 40936165ebf8cbb38f2a7546f57fa0cd87006dc0 # unit test from detect_test.go
+- 40b32a8039a1a10a99a577d7ef6f583be0507227 # unit test from e2e_test.go
+- 42a7aa1b64619c519f8b01586c548bf64a9e8c2d # unit test from engine_test.go
+- 435ecfdc46e31ef78ac0409ae0ddcf0527dfc791 # unit test from detect_test.go
+- 4523e7286b5b3ba00190a208da8ed687e22563ff # unit test from detect_test.go
+- 4efd98988b2d95698bd233dc2e24c0c4774fd13c # unit test from detect_test.go
+- 5047fbb5feea035a81a4f72f1c6358593afa0911 # unit test from detect_test.go
+- 506fc171430a769bc7e5ef6ebfc6de1a2b42f9d0 # unit test from detect_test.go
+- 52d8d8bc3b4025ebcc4cd9fa9cafb1d2448eff07 # unit test from detect_test.go
+- 5a8b1c9b53fbd7a22adc42f108613c13f56dc8d0 # unit test from detect_test.go
+- 5c0e99a770f0b06094247b2d93022c25f2fbb84b # unit test from detect_test.go
+- 644d8f390bcad42029ddb02ef2860fe1c0e2c854 # unit test from detect_test.go
+- 6a022529429d2852fcfe03d4cd7109bf17e383c5 # unit test from e2e_test.go
+- 6bfadced69c08247f1861c5dd85a994d0c5e696d # unit test from detect_test.go
+- 6dfe345e835c8fe9b67415512e7768665bee014d # unit test from detect_test.go
+- 7232818438eb1f2a6fe608f34f1c31e7673fa2c1 # unit test from engine_test.go
+- 738ac32fba8b18f3d77c73124828ac5e50ecc103 # unit test from detect_test.go
+- 837c6b7f1e9b6fe22fc5337bb001b80b6d0158c8 # unit test from engine_test.go
+- 8414e74dc0cbef4a2f75d3c74e9c4c5406f39a4d # unit test from baseline_test.go
+- 85aea11d741219bd83c4ee1907e7c8a0d65e3e54 # unit test from detect_test.go
+- 87d545317c6064d2a733a3431f339d43c27ade7a # unit test from detect_test.go
+- 88c83cc8c1d4793d16b98482682fbd39ff9430dd # unit test from detect_test.go
+- 8a79dfcf5127c3eda963791799dd9bf700024305 # unit test from baseline_test.go
+- 8fe8eb66b9f59d95ea071664b43d17a7d86f4780 # unit test from detect_test.go
+- 92564cf63061405552373a9017b49ae7de3d0d0e # unit test from detect_test.go
+- 94d83bd98215b61a5477db138ac4605d8274075e # unit test from detect_test.go
+- 94e3c8734f89bcef49a4fdbb9c7f4ce1eb6f0bab # unit test from engine_test.go
+- 95602b44ee80fe9bbe9007e1a030c31cf4ac8f1a # unit test from detect_test.go
+- 967d1117bf89447855642e1a13c50b161c8e746a # unit test from detect_test.go
+- 970e4c538f13d14062157e54635c925d20a2b866 # unit test from e2e_test.go
+- 973d837f7a0a53534ce79a098dfa29f7ebde938f # unit test from detect_test.go
+- 97ce950e4f01b40ab80fc7fccc96c31688210edf # unit test from detect_test.go
+- 99183dd451fe2b2c49cab3ae8de1ed06e6f0da2e # unit test from detect_test.go
+- 9f8ef66d0619971d4124c9d0d87b680bec8eeb0d # unit test from detect_test.go
+- a14018d7b39d3b4af8d1038d65deae1bcc196db3 # unit test from detect_test.go
+- a6be8491e518a4551610780b8fe0bb662c7031d5 # unit test from detect_test.go
+- ae423a7a77b65c64ee1f6cb684ae9b1e8045e55b # unit test from detect_test.go
+- b072a72876b789b9750bdec283d03414eae1c16d # unit test from detect_test.go
+- b45c94986a95512946a8f1260405afbb7a9bfb99 # unit test from engine_test.go
+- bc1701a2a0fe0a077f64ecc0d76724efc4341ea8 # unit test from detect_test.go
+- bcdf7068c28fab7bc4fd737c3197df180f2fb07b # unit test from detect_test.go
+- c1e1deec29124eeab7be6a18a5babfbd0bb72059 # unit test from e2e_test.go
+- c2350c25bccece41e4cf2295d107e6609f3e616a # unit test from detect_test.go
+- cb0436f127d092d30aaab160d7fa8136462b959f # unit test from reader_test.go
+- ce24444cc20bd1f602555d83bb1b237dc48892ac # unit test from detect_test.go
+- ce35535feeceb177978f3f2292a9e45a4d59b94e # unit test from engine_test.go
+- d586e56c65c55341bf52ec85a1c714e4447d29a1 # unit test from detect_test.go
+- d6c1757c1515725af7a19f9c482a8c0611ae008f # unit test from detect_test.go
+- dc42bae4cb2ef7cd40753c6468983ea9ac8c3b64 # unit test from engine_test.go
+- dcdaac30b51248d43d84949e3df528d3fbf3f9cd # unit test from detect_test.go
+- e89ddc535cf5d049e313fdcec347adbba3136e88 # unit test from detect_test.go
+- e8a1871a16818bcfe448877955c3c631f0e1d033 # unit test from detect_test.go
+- e9c06b68353c0301394dfa5afc432361b4dbd07a # unit test from detect_test.go
+- ea0ef53c2528281124cdf3c54ad08c5d308829dc # unit test from engine_test.go
+- f480fa35114d69065f5e8d921a99bf4b79aab633 # unit test from detect_test.go
+- f8ad50fd98cae17bfe5ca72ba61ff3a5633af7c7 # unit test from detect_test.go
+- f8df8140da50183a21805c2bde7d8628c9e67250 # unit test from detect_test.go
+- fd8aec977582f220d0c416be5c3ad0a77a5e4e88 # unit test from detect_test.go
+- 1fe065327471fe5245572e5406b3647d27887d58 # test/development data from generic_credential.go
+- 41cca7cb54b14f9a6343f51a56dee951a3249a16 # test/development data from generic_credential.go
+- 5d3c644b96a41c68a4bf3c6ecca6359557bb5c90 # test/development data from generic_credential.go
+- 6c09a8e8d52d37152e38a4f64c96db16abd964ab # test/development data from generic_credential.go
+- 7ccee5d40367960f69709da28dcf197c7c5c06f8 # test/development data from generic_credential.go
+- ba40bd0cfa331c71899179dbb35b2a6eb452a482 # secret found in ruleids.go
+- eeaf67842fc9be3123b8e2aea470608c2f362033 # test/development data from generic_credential.go
+- 25960f13ce160dba4f08f210370fccdca6cb51eb # FP, id not credential
diff --git a/.github/workflows/cx-one-scan.yaml b/.github/workflows/cx-one-scan.yaml
@@ -6,7 +6,6 @@ on:
   push:
     branches:
       - master
-      - AST-75295-custom-rules
   schedule:
     - cron: '00 7 * * *'
 

diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
@@ -2,9 +2,6 @@ name: PR Validation
 
 on:
   pull_request:
-    branches:
-      - master
-      - AST-75295-custom-rules
   merge_group:
 
 jobs:

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -4,11 +4,7 @@ on:
   push:
     branches:
       - master
-      - AST-75295-custom-rules
   pull_request:
-    branches:
-      - master
-      - AST-75295-custom-rules
   merge_group:
   schedule:
     - cron: "0 0 * * *"

diff --git a/.github/workflows/trivy-vulnerability-scan.yaml b/.github/workflows/trivy-vulnerability-scan.yaml
@@ -3,9 +3,6 @@ on:
   push:
   workflow_dispatch:
   pull_request:
-    branches:
-      - master
-      - AST-75295-custom-rules
   schedule:
     - cron: '5 6 * * *'  # Runs every day at 06:05 UTC
 

diff --git a/.github/workflows/validate-readme.yml b/.github/workflows/validate-readme.yml
@@ -2,9 +2,6 @@ name: Validate README
 
 on:
   pull_request:
-    branches:
-      - master
-      - AST-75295-custom-rules
   merge_group:
 
 jobs:

diff --git a/README.md b/README.md
@@ -57,7 +57,7 @@ Scan recent Git history instead:
 - Unified scanning for local directories, Git history, Slack, Discord, Confluence Cloud, and Paligo — each exposed as a dedicated subcommand.
 - Hundreds of tuned detection rules curated by Checkmarx on top of gitleaks, enriched with CVSS-based scoring in every finding.
 - Optional live secret validation (`--validate`) to confirm whether discovered credentials are still active.
-- Flexible filtering and noise reduction: `--rule`, `--ignore-rule`, `--add-special-rule`, `--ignore-result`, `--regex`, `--allowed-values`, and `--max-target-megabytes`.
+- Flexible filtering and noise reduction: `--rule`, `--ignore-rule`, `--add-special-rule`, `--ignore-result`, `--regex`, `--allowed-values`, `--max-target-megabytes`, `--max-findings`, `--max-rule-matches-per-fragment`, and `--max-secret-size`.
 - Rich reporting for developers and pipelines with JSON, YAML, and SARIF outputs, multiple `--report-path` destinations, and CI-aware exit handling via `--ignore-on-exit`.
 - Automation ready: configuration files, `2MS_*` environment variables, Docker images, and GitHub Actions templates.
 - Extensible plugin architecture — contributions for new data sources are welcome.
@@ -244,15 +244,18 @@ Global flags work with every subcommand. Combine them with configuration files a
 
 ### Global Flags
 
-| Flag | Type | Default | Description |
-|------|------|---------|-------------|
-| `--config` | string | | Path to a YAML or JSON configuration file. |
-| `--log-level` | string | `info` | Logging level: `trace`, `debug`, `info`, `warn`, `error`, `fatal`, or `none`. |
-| `--stdout-format` | string | `yaml` | `yaml`, `json`, or `sarif` output on stdout. |
-| `--report-path` | string slice | | Write findings to one or more files; format is inferred from the extension. |
-| `--ignore-on-exit` | enum | `none` | Control exit codes: `all`, `results`, `errors`, or `none`. |
-| `--max-target-megabytes` | int | `0` | Skip files larger than the threshold (0 disables the check). |
-| `--validate` | bool | `false` | Enrich results by verifying secrets when supported. |
+| Flag                              | Type         | Default | Description                                                                                                     |
+|-----------------------------------|--------------|---------|-----------------------------------------------------------------------------------------------------------------|
+| `--config`                        | string       |         | Path to a YAML or JSON configuration file.                                                                      |
+| `--log-level`                     | string       | `info`  | Logging level: `trace`, `debug`, `info`, `warn`, `error`, `fatal`, or `none`.                                   |
+| `--stdout-format`                 | string       | `yaml`  | `yaml`, `json`, or `sarif` output on stdout.                                                                    |
+| `--report-path`                   | string slice |         | Write findings to one or more files; format is inferred from the extension.                                     |
+| `--ignore-on-exit`                | enum         | `none`  | Control exit codes: `all`, `results`, `errors`, or `none`.                                                      |
+| `--max-target-megabytes`          | int          | `0`     | Skip files larger than the threshold (0 disables the check).                                                    |
+| `--max-findings`                  | int          | `0`     | Caps the total number of results. Scan stops early if limit is reached. Omit or set to 0 to disable.            |
+| `--max-rule-matches-per-fragment` | int          | `0`     | Caps the number of results per rule per fragment (e.g., file, chunked file, page). Omit or set to 0 to disable. |
+| `--max-secret-size`               | int          | `0`     | Secrets larger than this size (in bytes) will be ignored. Omit or set to 0 to disable this check.               |
+| `--validate`                      | bool         | `false` | Enrich results by verifying secrets when supported.                                                             |
 
 ### Configuration Files & Environment Variables
 

diff --git a/cmd/config.go b/cmd/config.go
@@ -132,6 +132,18 @@ func setupFlags(rootCmd *cobra.Command) {
 		IntVar(&engineConfigVar.MaxTargetMegabytes, maxTargetMegabytesFlagName, 0,
 			"files larger than this will be skipped.\nOmit or set to 0 to disable this check.")
 
+	rootCmd.PersistentFlags().
+		Uint64Var(&engineConfigVar.MaxFindings, maxFindingsFlagName, 0,
+			"caps the total number of results. Scan stops early if limit is reached.\nOmit or set to 0 to disable this check.")
+
+	rootCmd.PersistentFlags().
+		Uint64Var(&engineConfigVar.MaxRuleMatchesPerFragment, maxRuleMatchesPerFragmentFlagName, 0,
+			"caps the number of results per rule per fragment (e.g., file, chunked file, page).\nOmit or set to 0 to disable this check.")
+
+	rootCmd.PersistentFlags().
+		Uint64Var(&engineConfigVar.MaxSecretSize, maxSecretSizeFlagName, 0,
+			"secrets larger than this size (in bytes) will be ignored.\nOmit or set to 0 to disable this check.")
+
 	rootCmd.PersistentFlags().
 		BoolVar(&validateVar, validate, false, "trigger additional validation to check if discovered secrets are valid or invalid")
 

diff --git a/cmd/main.go b/cmd/main.go
@@ -19,19 +19,22 @@ const (
 	outputFormatRegexpPattern = `^(ya?ml|json|sarif)$`
 	configFileFlag            = "config"
 
-	logLevelFlagName           = "log-level"
-	reportPathFlagName         = "report-path"
-	stdoutFormatFlagName       = "stdout-format"
-	customRegexRuleFlagName    = "regex"
-	ruleFlagName               = "rule"
-	ignoreRuleFlagName         = "ignore-rule"
-	ignoreFlagName             = "ignore-result"
-	allowedValuesFlagName      = "allowed-values"
-	specialRulesFlagName       = "add-special-rule"
-	ignoreOnExitFlagName       = "ignore-on-exit"
-	maxTargetMegabytesFlagName = "max-target-megabytes"
-	validate                   = "validate"
-	customRulesFileFlagName    = "custom-rules-path"
+	logLevelFlagName                  = "log-level"
+	reportPathFlagName                = "report-path"
+	stdoutFormatFlagName              = "stdout-format"
+	customRegexRuleFlagName           = "regex"
+	ruleFlagName                      = "rule"
+	ignoreRuleFlagName                = "ignore-rule"
+	ignoreFlagName                    = "ignore-result"
+	allowedValuesFlagName             = "allowed-values"
+	specialRulesFlagName              = "add-special-rule"
+	ignoreOnExitFlagName              = "ignore-on-exit"
+	maxTargetMegabytesFlagName        = "max-target-megabytes"
+	maxFindingsFlagName               = "max-findings"
+	maxRuleMatchesPerFragmentFlagName = "max-rule-matches-per-fragment"
+	maxSecretSizeFlagName             = "max-secret-size"
+	validate                          = "validate"
+	customRulesFileFlagName           = "custom-rules-path"
 )
 
 var (

diff --git a/engine/constants/ruleids.go b/engine/constants/ruleids.go
@@ -0,0 +1,4 @@
+package constants
+
+// GenericCredentialRuleID is the rule ID for generic credential detection.
+const GenericCredentialRuleID = "01ab7659-d25a-4a1c-9f98-dee9d0cf2e70" //nolint:gosec // This is a rule ID, not a credential
diff --git a/engine/detect/baseline.go b/engine/detect/baseline.go
@@ -0,0 +1,82 @@
+package detect
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/zricethezav/gitleaks/v8/report"
+)
+
+//nolint:gocyclo // TODO: refactor this function to reduce cyclomatic complexity
+func IsNew(finding *report.Finding, redact uint, baseline []report.Finding) bool {
+	// Explicitly testing each property as it gives significantly better performance in comparison to cmp.Equal(). Drawback is that
+	// the code requires maintenance if/when the Finding struct changes
+	for i := range baseline {
+		b := &baseline[i]
+		if finding.RuleID == b.RuleID &&
+			finding.Description == b.Description &&
+			finding.StartLine == b.StartLine &&
+			finding.EndLine == b.EndLine &&
+			finding.StartColumn == b.StartColumn &&
+			finding.EndColumn == b.EndColumn &&
+			(redact > 0 || (finding.Match == b.Match && finding.Secret == b.Secret)) &&
+			finding.File == b.File &&
+			finding.Commit == b.Commit &&
+			finding.Author == b.Author &&
+			finding.Email == b.Email &&
+			finding.Date == b.Date &&
+			finding.Message == b.Message &&
+			// Omit checking finding.Fingerprint - if the format of the fingerprint changes, the users will see unexpected behavior
+			finding.Entropy == b.Entropy {
+			return false
+		}
+	}
+	return true
+}
+
+func LoadBaseline(baselinePath string) ([]report.Finding, error) {
+	bytes, err := os.ReadFile(baselinePath)
+	if err != nil {
+		return nil, fmt.Errorf("could not open %s", baselinePath)
+	}
+
+	var previousFindings []report.Finding
+	err = json.Unmarshal(bytes, &previousFindings)
+	if err != nil {
+		return nil, fmt.Errorf("the format of the file %s is not supported", baselinePath)
+	}
+
+	return previousFindings, nil
+}
+
+func (d *Detector) AddBaseline(baselinePath, source string) error {
+	if baselinePath != "" {
+		absoluteSource, err := filepath.Abs(source)
+		if err != nil {
+			return err
+		}
+
+		absoluteBaseline, err := filepath.Abs(baselinePath)
+		if err != nil {
+			return err
+		}
+
+		relativeBaseline, err := filepath.Rel(absoluteSource, absoluteBaseline)
+		if err != nil {
+			return err
+		}
+
+		baseline, err := LoadBaseline(baselinePath)
+		if err != nil {
+			return err
+		}
+
+		d.baseline = baseline
+		baselinePath = relativeBaseline
+	}
+
+	d.baselinePath = baselinePath
+	return nil
+}