fix(detect): extra secret from group before checking allowlist (#1152)

gitleaks · Apr 19, 2023 · 51ca0f8 · 51ca0f8
1 parent 81cf308
commit 51ca0f8
Showing 1 changed file with 11 additions and 11 deletions.
diff --git a/detect/detect.go b/detect/detect.go
@@ -292,6 +292,17 @@ func (d *Detector) detectRule(fragment Fragment, rule config.Rule) []report.Find
 			continue
 		}
 
+		// extract secret from secret group if set
+		if rule.SecretGroup != 0 {
+			groups := rule.Regex.FindStringSubmatch(secret)
+			if len(groups) <= rule.SecretGroup || len(groups) == 0 {
+				// Config validation should prevent this
+				continue
+			}
+			secret = groups[rule.SecretGroup]
+			finding.Secret = secret
+		}
+
 		// check if the regexTarget is defined in the allowlist "regexes" entry
 		allowlistTarget := finding.Secret
 		switch rule.Allowlist.RegexTarget {
@@ -313,17 +324,6 @@ func (d *Detector) detectRule(fragment Fragment, rule config.Rule) []report.Find
 			continue
 		}
 
-		// extract secret from secret group if set
-		if rule.SecretGroup != 0 {
-			groups := rule.Regex.FindStringSubmatch(secret)
-			if len(groups) <= rule.SecretGroup || len(groups) == 0 {
-				// Config validation should prevent this
-				continue
-			}
-			secret = groups[rule.SecretGroup]
-			finding.Secret = secret
-		}
-
 		// check if the secret is in the list of stopwords
 		if rule.Allowlist.ContainsStopWord(finding.Secret) ||
 			d.Config.Allowlist.ContainsStopWord(finding.Secret) {