Upgrade gitleaks from v7.6.1 to v8.3.0 #830
Conversation
Oh my. This is going to be a larger operation if we include it. Let's discuss what to do about this once we have our team together again.
What will have to be done here:
Signed-off-by: secureCodeBoxBot <securecodebox@iteratec.com>
Before Gitleaks 8.0, the parser used to construct a direct URL to each detected commit based on the parameter used to clone the repo. Since it can no longer clone repos, this is no longer feasible. However, this commit adds the capability to pull the repo information from a scan annotation and use that. It does not actually enforce that the provided repository URL matches the one that was cloned in the init container - it blindly trusts whatever data it is given. Signed-off-by: Max Maass <max.maass@iteratec.com>
This improves consistency with the scope limiter annotations, which use descriptors of a similar form. Signed-off-by: Max Maass <max.maass@iteratec.com>
This is now ready to review. Please also review with an eye towards secureCodeBox/documentation#160 so that we may be able to close that as well.
The git clone should use the --mirror option to ensure the full repository is cloned. Otherwise the data may be incomplete. See https://wwws.nightwatchcybersecurity.com/2022/02/11/gitbleed/ Signed-off-by: Max Maass <max.maass@iteratec.com>
A lot of nice work! Only a few comments/questions from my side. :)
This PR upgrades gitleaks from v7.6.1 to v8.3.0. This includes a number of breaking changes, see the release notes by Gitleaks, particularly that for v8.0.0.
SCB-specific changes
Gitleaks no longer supports cloning natively. To clone a repository, use an init container as described in the updated documentation.
Findings no longer contain a direct link to the commit. Since Gitleaks no longer clones, it also does not include repository information in its output. We thus removed the `attributes.repo` key from the finding, and `attributes.commit` no longer contains a link to the repo by default, only the SHA of the commit. To add the link to the repo, you need to add a scan annotation called `metadata.scan.securecodebox.io/git-repo-url` and point it at the URL of the repository (e.g. https://github.com/secureCodeBox/secureCodeBox). Further details can be found in the documentation.
Scanning only commits from a specific timeframe now works natively. There is no longer a need to use our fork of gitleaks. See the description in the documentation. Closes #790.
We removed the default cascading rules. There is no longer the possibility to write a generic cascading rule that covers all possible ways of authenticating. You can find an example cascading rule that downloads a repository from GitHub here, use it as a basis and change the used scanner to Gitleaks with your chosen parameters.
We removed the default rulesets. The ScanType no longer ships with a set of default rules, as they were outdated and it is better to rely on the rulesets maintained by the Gitleaks team. Use the ruleset built into the scanner or provide your own using a ConfigMap.
Severity of the findings is now more explicitly based on result tags. All findings are now classified as medium severity by default. When defining your own Gitleaks rulesets, you can set the tags "LOW" or "HIGH" to override the severity for findings matching a particular rule.
We now use the official Docker image. Before, we used a custom version of the image to work around some limitations of Gitleaks (i.e., being unable to control the return code, and the system not creating a report file if no findings were found). Both of these limitations have been addressed, so we now use the official Docker image of Gitleaks directly. This will be changed automatically when you update the Helm install (you do not need to make any manual changes) but it will lead to a new image being installed on your cluster.
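The two parser behaviours described above (the commit link built from the `metadata.scan.securecodebox.io/git-repo-url` annotation, which the commit message notes is trusted blindly, and the LOW/HIGH tag override of the default medium severity) as an added example that is not the secureCodeBox parser's own code. The gitleaks JSON field names, the `/commit/<sha>` link shape, the sample finding and scan object, and the URL validation step are all assumptions made here.

```javascript
// Added example, not the secureCodeBox parser. Maps a gitleaks v8 JSON finding
// to an SCB-style finding and adds the annotation check the real parser lacks.
const ANNOTATION = "metadata.scan.securecodebox.io/git-repo-url";

// Only accept an absolute http(s) URL with no credentials, query or fragment,
// so a mistyped or hostile annotation cannot yield a misleading commit link.
function repoUrlFromScan(scan) {
  const raw = scan?.metadata?.annotations?.[ANNOTATION];
  if (!raw) return null;
  let url;
  try { url = new URL(raw); } catch { return null; }
  if (!["http:", "https:"].includes(url.protocol)) return null;
  if (url.username || url.password || url.search || url.hash) return null;
  return url.href.replace(/\/+$/, ""); // drop trailing slash before joining
}

// Default MEDIUM; a LOW or HIGH tag on the matching rule overrides it.
// Choice made here: if a rule carries both tags, HIGH wins.
function severityFromTags(tags = []) {
  const upper = tags.map((t) => String(t).toUpperCase());
  if (upper.includes("HIGH")) return "HIGH";
  if (upper.includes("LOW")) return "LOW";
  return "MEDIUM";
}

// attributes.commit is the bare SHA unless a valid repo URL annotation exists.
function toScbFinding(finding, scan) {
  const repoUrl = repoUrlFromScan(scan);
  const sha = String(finding.Commit || "");
  const linkable = repoUrl !== null && /^[0-9a-f]{7,40}$/i.test(sha);
  return {
    name: finding.Description,
    severity: severityFromTags(finding.Tags),
    attributes: {
      commit: linkable ? `${repoUrl}/commit/${sha}` : sha,
      file: finding.File,
      line: finding.StartLine,
      rule: finding.RuleID,
    },
  };
}

// Constructed sample input (field names assumed to follow gitleaks v8 output).
const SAMPLE_FINDING = {
  Description: "AWS Access Key", RuleID: "aws-access-key", File: "config/prod.env",
  StartLine: 12, Commit: "a3f1c2d4e5b6a7c8d9e0f1a2b3c4d5e6f7a8b9c0", Tags: ["key", "HIGH"],
};
const SAMPLE_SCAN = { metadata: { annotations: {
  [ANNOTATION]: "https://github.com/secureCodeBox/secureCodeBox/" } } };
```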