From 57f9bc83d169bea363f2990a4de334b54efc3d7d Mon Sep 17 00:00:00 2001
From: Zachary Rice
Date: Sat, 19 Mar 2022 09:31:38 -0500
Subject: [PATCH] Stop words (#808)

* use regex for stopwords

* fix up regex

* rm stopwords
---
 config/gitleaks.toml                      | 19 +++++++++++++++-
 detect/detect.go                          | 12 +++++-----
 detect/detect_test.go                     |  8 +++++++
 detect/utils.go                           |  1 +
 testdata/config/generic_with_py_path.toml | 27 +++++++++++++++++++++++
 5 files changed, 60 insertions(+), 7 deletions(-)

diff --git a/config/gitleaks.toml b/config/gitleaks.toml
index 3047e5c59..e033f573a 100644
--- a/config/gitleaks.toml
+++ b/config/gitleaks.toml
@@ -536,7 +536,24 @@ secretGroup = 4
 
 [allowlist]
 description = "global allow lists"
-regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''']
+regexes = [
+    '''219-09-9999''',
+    '''078-05-1120''',
+    '''(9[0-9]{2}|666)-\d{2}-\d{4}''',
+    '''process''',
+    '''getenv''',
+    '''\.env''',
+    '''env\(''',
+    '''env\.''',
+    '''setting''',
+    '''load''',
+    '''token''',
+    '''password''',
+    '''secret''',
+    '''api\_key''',
+    '''apikey''',
+    '''api\-key''',
+    ]
 paths = [
     '''gitleaks.toml''',
     '''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''',
diff --git a/detect/detect.go b/detect/detect.go
index 896be7ebe..4f2d69c4c 100644
--- a/detect/detect.go
+++ b/detect/detect.go
@@ -170,12 +170,6 @@ func (d *Detector) detectRule(fragment Fragment, rule *config.Rule) []report.Fin
 				Tags: rule.Tags,
 			}
 
-			// check if the secret is in the allowlist
-			if rule.Allowlist.RegexAllowed(finding.Secret) ||
-				d.Config.Allowlist.RegexAllowed(finding.Secret) {
-				continue
-			}
-
 			// extract secret from secret group if set
 			if rule.SecretGroup != 0 {
 				groups := rule.Regex.FindStringSubmatch(secret)
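Review bot: The stop-word patterns added to `regexes` (`'''process'''` through `'''api\-key'''`) are unanchored, case-sensitive substrings, and since `RegexAllowed` is applied to the extracted secret, a genuine credential whose value happens to contain `load`, `token`, `secret` or `setting` anywhere is silently suppressed; the `load2523fb…` value in the new test fixture is exactly that shape. If the intent is to drop values that begin with a stop word, anchoring them (`'''^load'''`, `'''^token'''`, …) would still cover that case while leaving a stop word buried mid-value detectable; either way the list deserves a comment such as `# stop words: matched as substrings of the extracted secret, not the whole line; a real secret containing one of these is dropped`. The same list is duplicated verbatim in the `testdata/config/generic_with_py_path.toml` hunk, so any adjustment applies there too. Note that Go's regexp accepts `\_` and `\-` as literal escapes, so `'''api\_key'''` and `'''api\-key'''` parse as written.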
@@ -187,6 +181,12 @@ func (d *Detector) detectRule(fragment Fragment, rule *config.Rule) []report.Fin
 					finding.Secret = secret
 			}
 
+			// check if the secret is in the allowlist
+			if rule.Allowlist.RegexAllowed(finding.Secret) ||
+				d.Config.Allowlist.RegexAllowed(finding.Secret) {
+				continue
+			}
+
 			// check entropy
 			entropy := shannonEntropy(finding.Secret)
 			finding.Entropy = float32(entropy)
diff --git a/detect/detect_test.go b/detect/detect_test.go
index 0b3a0d3c9..02253e101 100644
--- a/detect/detect_test.go
+++ b/detect/detect_test.go
@@ -185,6 +185,14 @@ func TestDetect(t *testing.T) {
 			},
 			expectedFindings: []report.Finding{},
 		},
+		{
+			cfgName: "generic_with_py_path",
+			fragment: Fragment{
+				Raw: `const Discord_Public_Key = "load2523fb86ed64c836a979cf8465fbd436378c653c1db38f9ae87bc62a6fd5"`,
+				FilePath: "tmp.py",
+			},
+			expectedFindings: []report.Finding{},
+		},
 	}
 
 	for _, tt := range tests {
diff --git a/detect/utils.go b/detect/utils.go
index 9e4f3e566..1420c614f 100644
--- a/detect/utils.go
+++ b/detect/utils.go
@@ -79,6 +79,7 @@ func filter(findings []report.Finding, redact bool) []report.Finding {
 			}
 		}
 	}
+
 	if redact {
 		f.Redact()
 	}
diff --git a/testdata/config/generic_with_py_path.toml b/testdata/config/generic_with_py_path.toml
index 86e47890a..a528893e9 100644
--- a/testdata/config/generic_with_py_path.toml
+++ b/testdata/config/generic_with_py_path.toml
@@ -7,3 +7,30 @@ regex = '''(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|
 path = '''.py'''
 entropy = 3.7
 secretGroup = 4
+
+[allowlist]
+description = "global allow lists"
+regexes = [
+    '''219-09-9999''',
+    '''078-05-1120''',
+    '''(9[0-9]{2}|666)-\d{2}-\d{4}''',
+    '''process''',
+    '''getenv''',
+    '''\.env''',
+    '''env\(''',
+    '''env\.''',
+    '''setting''',
+    '''load''',
+    '''token''',
+    '''password''',
+    '''secret''',
+    '''api\_key''',
+    '''apikey''',
+    '''api\-key''',
+    ]
+paths = [
+    '''gitleaks.toml''',
+    '''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''',
+    '''(go.mod|go.sum)$'''
+]
+
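Review bot: The relocated check `if rule.Allowlist.RegexAllowed(finding.Secret) || d.Config.Allowlist.RegexAllowed(finding.Secret)` now runs after the secret-group extraction, so allowlist regexes are matched against the extracted group rather than the full rule match; that appears to be the intended ordering change, but it may alter results for existing rule-level allowlists written against text outside the captured group (a variable name, for instance), and the comment above it does not say so. Suggest expanding it to `// check if the secret is in the allowlist; this runs after secretGroup extraction so allowlist regexes see the extracted value, not the whole match`. detectRule's body begins and ends outside this hunk.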
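Review bot: The new `generic_with_py_path` case asserts only the negative outcome — a value beginning with the stop word `load` produces `expectedFindings: []report.Finding{}` — and there is no companion case with the same config where a value without a stop word is still reported, so a regression that made the allowlist match everything, or the rule match nothing, would pass this test unnoticed. Adding a sibling entry whose `Raw` is the same line with the `load` prefix replaced and whose `expectedFindings` holds the expected finding would pin that the suppression is specific to the stop word. TestDetect's table and its loop extend outside this hunk.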