Merge pull request #123 from zricethezav/update/whitelist-repo

whitelist repo update
gitleaks · Oct 23, 2018 · 87d916f · 87d916f
2 parents 9272e1e + 21b59fa
commit 87d916f
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 12 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+1.15.0
+----
+- Whitelist repos use regex now
+- Whitelist repo check before clone
+
 1.14.0
 ----
 - Entropy Range support in gitleaks config

diff --git a/github.go b/github.go
@@ -188,9 +188,9 @@ func cloneGithubRepo(githubRepo *github.Repository) (*RepoDescriptor, error) {
 	if opts.ExcludeForks && githubRepo.GetFork() {
 		return nil, fmt.Errorf("skipping %s, excluding forks", *githubRepo.Name)
 	}
-	for _, repoName := range whiteListRepos {
-		if repoName == *githubRepo.Name {
-			return nil, fmt.Errorf("skipping %s, whitelisted", repoName)
+	for _, re := range whiteListRepos {
+		if re.FindString(*githubRepo.Name) != "" {
+			return nil, fmt.Errorf("skipping %s, whitelisted", *githubRepo.Name)
 		}
 	}
 	log.Infof("cloning: %s", *githubRepo.Name)

diff --git a/gitleaks_test.go b/gitleaks_test.go
@@ -493,7 +493,7 @@ func TestAuditRepo(t *testing.T) {
 		whiteListFiles    []*regexp.Regexp
 		whiteListCommits  map[string]bool
 		whiteListBranches []string
-		whiteListRepos    []string
+		whiteListRepos    []*regexp.Regexp
 		whiteListRegexes  []*regexp.Regexp
 		configPath        string
 	}{
@@ -618,8 +618,8 @@ func TestAuditRepo(t *testing.T) {
 			repo:        leaksRepo,
 			description: "audit whitelist repo",
 			numLeaks:    0,
-			whiteListRepos: []string{
-				"gronit",
+			whiteListRepos: []*regexp.Regexp{
+				regexp.MustCompile("gronit"),
 			},
 		},
 		{

diff --git a/main.go b/main.go
@@ -137,7 +137,7 @@ type entropyRange struct {
 }
 
 const defaultGithubURL = "https://api.github.com/"
-const version = "1.14.0"
+const version = "1.15.0"
 const errExit = 2
 const leakExit = 1
 const defaultConfig = `
@@ -208,7 +208,7 @@ var (
 	whiteListFiles    []*regexp.Regexp
 	whiteListCommits  map[string]bool
 	whiteListBranches []string
-	whiteListRepos    []string
+	whiteListRepos    []*regexp.Regexp
 	entropyRanges     []entropyRange
 	fileDiffRegex     *regexp.Regexp
 	sshAuth           *ssh.PublicKeys
@@ -250,6 +250,10 @@ func main() {
 	now := time.Now()
 	leaks, err := run()
 	if err != nil {
+		if strings.Contains(err.Error(), "whitelisted") {
+			log.Info(err.Error())
+			os.Exit(0)
+		}
 		log.Error(err)
 		os.Exit(errExit)
 	}
@@ -359,6 +363,12 @@ func cloneRepo() (*RepoDescriptor, error) {
 		err  error
 		repo *git.Repository
 	)
+	// check if whitelist
+	for _, re := range whiteListRepos {
+		if re.FindString(opts.Repo) != "" {
+			return nil, fmt.Errorf("skipping %s, whitelisted", opts.Repo)
+		}
+	}
 	if opts.Disk {
 		log.Infof("cloning %s", opts.Repo)
 		cloneTarget := fmt.Sprintf("%s/%x", dir, md5.Sum([]byte(fmt.Sprintf("%s%s", opts.GithubUser, opts.Repo))))
@@ -409,9 +419,9 @@ func auditGitRepo(repo *RepoDescriptor) ([]Leak, error) {
 		err   error
 		leaks []Leak
 	)
-	for _, repoName := range whiteListRepos {
-		if repoName == repo.name {
-			return nil, fmt.Errorf("skipping %s, whitelisted", repoName)
+	for _, re := range whiteListRepos {
+		if re.FindString(repo.name) != "" {
+			return leaks, fmt.Errorf("skipping %s, whitelisted", repo.name)
 		}
 	}
 	ref, err := repo.repository.Head()
@@ -857,7 +867,6 @@ func loadToml() error {
 		}
 	}
 	whiteListBranches = config.Whitelist.Branches
-	whiteListRepos = config.Whitelist.Repos
 	whiteListCommits = make(map[string]bool)
 	for _, commit := range config.Whitelist.Commits {
 		whiteListCommits[commit] = true
@@ -868,6 +877,9 @@ func loadToml() error {
 	for _, regex := range config.Whitelist.Regexes {
 		whiteListRegexes = append(whiteListRegexes, regexp.MustCompile(regex))
 	}
+	for _, regex := range config.Whitelist.Repos {
+		whiteListRepos = append(whiteListRepos, regexp.MustCompile(regex))
+	}
 
 	return nil
 }