diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3635a346a..5da5f2bc1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,11 @@
CHANGELOG
=========
+1.15.0
+----
+- Whitelist repos use regex now
+- Whitelist repo check before clone
+
1.14.0
----
- Entropy Range support in gitleaks config
diff --git a/github.go b/github.go
index 1b6598fb9..1066d3317 100644
--- a/github.go
+++ b/github.go
@@ -188,9 +188,9 @@ func cloneGithubRepo(githubRepo *github.Repository) (*RepoDescriptor, error) {
if opts.ExcludeForks && githubRepo.GetFork() {
return nil, fmt.Errorf("skipping %s, excluding forks", *githubRepo.Name)
}
-for _, repoName := range whiteListRepos {
-if repoName == *githubRepo.Name {
-return nil, fmt.Errorf("skipping %s, whitelisted", repoName)
+for _, re := range whiteListRepos {
+if re.FindString(*githubRepo.Name) != "" {
+return nil, fmt.Errorf("skipping %s, whitelisted", *githubRepo.Name)
}
}
log.Infof("cloning: %s", *githubRepo.Name)
diff --git a/gitleaks_test.go b/gitleaks_test.go
index 856081821..862ee9d86 100644
--- a/gitleaks_test.go
+++ b/gitleaks_test.go
@@ -493,7 +493,7 @@ func TestAuditRepo(t *testing.T) {
whiteListFiles []*regexp.Regexp
whiteListCommits map[string]bool
whiteListBranches []string
-whiteListRepos []string
+whiteListRepos []*regexp.Regexp
whiteListRegexes []*regexp.Regexp
configPath string
}{
@@ -618,8 +618,8 @@ func TestAuditRepo(t *testing.T) {
repo: leaksRepo,
description: "audit whitelist repo",
numLeaks: 0,
-whiteListRepos: []string{
-"gronit",
+whiteListRepos: []*regexp.Regexp{
+regexp.MustCompile("gronit"),
},
},
{
diff --git a/main.go b/main.go
index 11a1bfef5..b166a87b0 100644
--- a/main.go
+++ b/main.go
@@ -137,7 +137,7 @@ type entropyRange struct {
}
const defaultGithubURL = "https://api.github.com/"
-const version = "1.14.0"
+const version = "1.15.0"
const errExit = 2
const leakExit = 1
const defaultConfig = ` 
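Review bot: `re.FindString(*githubRepo.Name) != ""` in the rewritten whitelist loop of cloneGithubRepo is an unanchored substring test that also reports "no match" when the pattern legitimately matches the empty string; `re.MatchString(*githubRepo.Name)` is the idiomatic form and reports a match whatever its length. Because a whitelist hit means the repository is never audited, an unanchored pattern such as `gronit` (the fixture used in gitleaks_test.go) also skips `gronit-fork` or `mygronit`, so a comment next to the loop such as `// patterns are unanchored; write ^name$ to whitelist one exact repository` would keep users from an over-broad exclusion. The same `FindString` idiom appears in the cloneRepo and auditGitRepo hunks of main.go. cloneGithubRepo continues beyond the hunk.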
@@ -208,7 +208,7 @@ var (
whiteListFiles []*regexp.Regexp
whiteListCommits map[string]bool
whiteListBranches []string
-whiteListRepos []string
+whiteListRepos []*regexp.Regexp
entropyRanges []entropyRange
fileDiffRegex *regexp.Regexp
sshAuth *ssh.PublicKeys
@@ -250,6 +250,10 @@ func main() {
now := time.Now()
leaks, err := run()
if err != nil {
+if strings.Contains(err.Error(), "whitelisted") {
+log.Info(err.Error())
+os.Exit(0)
+}
log.Error(err)
os.Exit(errExit)
}
@@ -359,6 +363,12 @@ func cloneRepo() (*RepoDescriptor, error) {
err error
repo *git.Repository
)
+// check if whitelist
+for _, re := range whiteListRepos {
+if re.FindString(opts.Repo) != "" {
+return nil, fmt.Errorf("skipping %s, whitelisted", opts.Repo)
+}
+}
if opts.Disk {
log.Infof("cloning %s", opts.Repo)
cloneTarget := fmt.Sprintf("%s/%x", dir, md5.Sum([]byte(fmt.Sprintf("%s%s", opts.GithubUser, opts.Repo))))
@@ -409,9 +419,9 @@ func auditGitRepo(repo *RepoDescriptor) ([]Leak, error) {
err error
leaks []Leak
)
-for _, repoName := range whiteListRepos {
-if repoName == repo.name {
-return nil, fmt.Errorf("skipping %s, whitelisted", repoName)
+for _, re := range whiteListRepos {
+if re.FindString(repo.name) != "" {
+return leaks, fmt.Errorf("skipping %s, whitelisted", repo.name)
}
}
ref, err := repo.repository.Head()
@@ -857,7 +867,6 @@ func loadToml() error {
}
}
whiteListBranches = config.Whitelist.Branches
-whiteListRepos = config.Whitelist.Repos
whiteListCommits = make(map[string]bool)
for _, commit := range config.Whitelist.Commits {
whiteListCommits[commit] = true
@@ -868,6 +877,9 @@ func loadToml() error {
for _, regex := range config.Whitelist.Regexes {
whiteListRegexes = append(whiteListRegexes, regexp.MustCompile(regex))
}
+for _, regex := range config.Whitelist.Repos {
+whiteListRepos = append(whiteListRepos, regexp.MustCompile(regex))
+}
return nil
}
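Review bot: The new early exit in main keys on `strings.Contains(err.Error(), "whitelisted")`, so any error whose text happens to contain that word — a clone failure quoting a repository URL or branch name with it, for instance — makes the scanner exit 0, and a CI gate built on its exit code passes without an audit having run. A dedicated error value returned by the three whitelist sites and checked by type rather than by message keeps the success path tied to the one condition it is meant for. Sketch below; the `return nil, fmt.Errorf("skipping %s, whitelisted", …)` lines in cloneGithubRepo, cloneRepo and auditGitRepo would become `return nil, whitelistError{repo: name}`. main continues outside the hunk.
```go
// whitelistError reports a repository that a whitelist pattern excluded from the audit.
type whitelistError struct{ repo string }

func (e whitelistError) Error() string { return "skipping " + e.repo + ", whitelisted" }

// … unchanged: now := time.Now(); leaks, err := run() …
if err != nil {
	if we, ok := err.(whitelistError); ok {
		log.Info(we.Error())
		os.Exit(0)
	}
	log.Error(err)
	os.Exit(errExit)
}
```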
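Review bot: The whitelist loop added to cloneRepo matches the patterns against `opts.Repo`, whereas cloneGithubRepo and auditGitRepo match them against the bare repository name; if opts.Repo holds a clone URL or path (the md5 of GithubUser+Repo and the `cloning %s` log line suggest it is the clone target rather than a name), an unanchored pattern can also hit the host, owner or path segment and skip an unrelated repository. Matching the same derived name at all three sites, or documenting in the config that repo patterns are applied to the full target here, would keep the checks consistent. The comment `// check if whitelist` could also say what a hit does: `// skip the clone entirely when a whitelist pattern matches the target`. cloneRepo continues beyond the hunk.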
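Review bot: `return leaks, fmt.Errorf(…)` in auditGitRepo's rewritten whitelist loop returns the still-nil leaks slice alongside a non-nil error, while the sibling sites in cloneGithubRepo and cloneRepo return `nil`; `return nil, fmt.Errorf("skipping %s, whitelisted", repo.name)` keeps the convention that the value is meaningless when the error is set and makes the three checks read the same. auditGitRepo continues beyond the hunk.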
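Review bot: The new loop in loadToml compiles each `config.Whitelist.Repos` entry with `regexp.MustCompile`, so one malformed pattern in a user-supplied config aborts the process with a panic and stack trace instead of the error loadToml already returns; `re, err := regexp.Compile(regex)` followed by `if err != nil { return fmt.Errorf("compiling whitelist repo pattern %q: %v", regex, err) }` and `whiteListRepos = append(whiteListRepos, re)` turns that into a normal, logged failure. The removal of `whiteListRepos = config.Whitelist.Repos` in the preceding hunk also means the slice is now only ever appended to, so if loadToml can run more than once in a process the patterns would accumulate — worth confirming against the callers. loadToml starts before the hunk.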