Keyword (#825)

* wip keywords optimization * update readme * limit concurrency to 4 * update readme
gitleaks · Apr 5, 2022 · b0a958f · b0a958f
1 parent 237b03a
commit b0a958f
Show file tree

Hide file tree

Showing 6 changed files with 182 additions and 40 deletions.
diff --git a/README.md b/README.md
@@ -70,7 +70,7 @@ make build
          - id: gitleaks
    ```
    for a [native execution of GitLeaks](https://github.com/zricethezav/gitleaks/releases) or use the [`gitleaks-docker` pre-commit ID](https://github.com/zricethezav/gitleaks/blob/master/.pre-commit-hooks.yaml) for executing GitLeaks using the [official Docker images](#docker)
-   
+
 3. Install with `pre-commit install`
 4. Now you're all set!
 ```
@@ -227,6 +227,17 @@ secretGroup = 3
 # Float representing the minimum shannon entropy a regex group must have to be considered a secret.
 entropy = 3.5
 
+# Keywords are used for pre-regex check filtering. Rules that contain
+# keywords will perform a quick string compare check to make sure the
+# keyword(s) are in the content being scanned. Ideally these values should
+# either be part of the idenitifer or unique strings specific to the rule's regex
+# (introduced in v8.6.0)
+keywords = [
+    "auth",
+    "password",
+    "token",
+]
+
 # You can include an allowlist table for a single rule to reduce false positives or ignore commits
 # with known/rotated secrets
 [rules.allowlist]
@@ -252,8 +263,8 @@ paths = [
 	'''(.*?)(jpg|gif|doc)'''
 ]
 regexes = [
-    	'''219-09-9999''', 
-    	'''078-05-1120''', 
+    	'''219-09-9999''',
+    	'''078-05-1120''',
     	'''(9[0-9]{2}|666)-\d{2}-\d{4}''',
 ]
 ```

diff --git a/config/config.go b/config/config.go
@@ -20,6 +20,7 @@ type ViperConfig struct {
 		Entropy     float64
 		SecretGroup int
 		Regex       string
+		Keywords    []string
 		Path        string
 		Tags        []string
 
@@ -56,6 +57,10 @@ func (vc *ViperConfig) Translate() (Config, error) {
 			allowlistPaths = append(allowlistPaths, regexp.MustCompile(a))
 		}
 
+		if r.Keywords == nil {
+			r.Keywords = []string{}
+		}
+
 		if r.Tags == nil {
 			r.Tags = []string{}
 		}
@@ -80,6 +85,7 @@ func (vc *ViperConfig) Translate() (Config, error) {
 			SecretGroup: r.SecretGroup,
 			Entropy:     r.Entropy,
 			Tags:        r.Tags,
+			Keywords:    r.Keywords,
 			Allowlist: Allowlist{
 				Regexes: allowlistRegexes,
 				Paths:   allowlistPaths,

diff --git a/config/config_test.go b/config/config_test.go
@@ -25,6 +25,7 @@ func TestTranslate(t *testing.T) {
 						Description: "AWS Access Key",
 						Regex:       regexp.MustCompile("(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"),
 						Tags:        []string{"key", "AWS"},
+						Keywords:    []string{},
 						RuleID:      "aws-access-key",
 						Allowlist: Allowlist{
 							Regexes: []*regexp.Regexp{
@@ -43,6 +44,7 @@ func TestTranslate(t *testing.T) {
 						Description: "AWS Access Key",
 						Regex:       regexp.MustCompile("(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"),
 						Tags:        []string{"key", "AWS"},
+						Keywords:    []string{},
 						RuleID:      "aws-access-key",
 						Allowlist: Allowlist{
 							Commits: []string{"allowthiscommit"},
@@ -59,6 +61,7 @@ func TestTranslate(t *testing.T) {
 						Description: "AWS Access Key",
 						Regex:       regexp.MustCompile("(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"),
 						Tags:        []string{"key", "AWS"},
+						Keywords:    []string{},
 						RuleID:      "aws-access-key",
 						Allowlist: Allowlist{
 							Paths: []*regexp.Regexp{
@@ -81,6 +84,7 @@ func TestTranslate(t *testing.T) {
 						Entropy:     3.5,
 						SecretGroup: 3,
 						Tags:        []string{},
+						Keywords:    []string{},
 					},
 				},
 			},