Stop words (#808)

* use regex for stopwords * fix up regex * rm stopwords
gitleaks · Mar 19, 2022 · 57f9bc8 · 57f9bc8
1 parent 6e72472
commit 57f9bc8
Show file tree

Hide file tree

Showing 5 changed files with 60 additions and 7 deletions.
diff --git a/config/gitleaks.toml b/config/gitleaks.toml
@@ -536,7 +536,24 @@ secretGroup = 4
 
 [allowlist]
 description = "global allow lists"
-regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''']
+regexes = [
+    '''219-09-9999''', 
+    '''078-05-1120''', 
+    '''(9[0-9]{2}|666)-\d{2}-\d{4}''',
+    '''process''',
+	'''getenv''',
+	'''\.env''',
+	'''env\(''',
+	'''env\.''',
+	'''setting''',
+	'''load''',
+	'''token''',
+	'''password''',
+	'''secret''',
+	'''api\_key''',
+	'''apikey''',
+	'''api\-key''',
+    ]
 paths = [
     '''gitleaks.toml''',
     '''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''',

diff --git a/detect/detect.go b/detect/detect.go
@@ -170,12 +170,6 @@ func (d *Detector) detectRule(fragment Fragment, rule *config.Rule) []report.Fin
 			Tags:        rule.Tags,
 		}
 
-		// check if the secret is in the allowlist
-		if rule.Allowlist.RegexAllowed(finding.Secret) ||
-			d.Config.Allowlist.RegexAllowed(finding.Secret) {
-			continue
-		}
-
 		// extract secret from secret group if set
 		if rule.SecretGroup != 0 {
 			groups := rule.Regex.FindStringSubmatch(secret)
@@ -187,6 +181,12 @@ func (d *Detector) detectRule(fragment Fragment, rule *config.Rule) []report.Fin
 			finding.Secret = secret
 		}
 
+		// check if the secret is in the allowlist
+		if rule.Allowlist.RegexAllowed(finding.Secret) ||
+			d.Config.Allowlist.RegexAllowed(finding.Secret) {
+			continue
+		}
+
 		// check entropy
 		entropy := shannonEntropy(finding.Secret)
 		finding.Entropy = float32(entropy)

diff --git a/detect/detect_test.go b/detect/detect_test.go
@@ -185,6 +185,14 @@ func TestDetect(t *testing.T) {
 			},
 			expectedFindings: []report.Finding{},
 		},
+		{
+			cfgName: "generic_with_py_path",
+			fragment: Fragment{
+				Raw:      `const Discord_Public_Key = "load2523fb86ed64c836a979cf8465fbd436378c653c1db38f9ae87bc62a6fd5"`,
+				FilePath: "tmp.py",
+			},
+			expectedFindings: []report.Finding{},
+		},
 	}
 
 	for _, tt := range tests {

diff --git a/detect/utils.go b/detect/utils.go
@@ -79,6 +79,7 @@ func filter(findings []report.Finding, redact bool) []report.Finding {
 				}
 			}
 		}
+
 		if redact {
 			f.Redact()
 		}

diff --git a/testdata/config/generic_with_py_path.toml b/testdata/config/generic_with_py_path.toml
@@ -7,3 +7,30 @@ regex = '''(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|
 path = '''.py'''
 entropy = 3.7
 secretGroup = 4
+
+[allowlist]
+description = "global allow lists"
+regexes = [
+    '''219-09-9999''', 
+    '''078-05-1120''', 
+    '''(9[0-9]{2}|666)-\d{2}-\d{4}''',
+    '''process''',
+	'''getenv''',
+	'''\.env''',
+	'''env\(''',
+	'''env\.''',
+	'''setting''',
+	'''load''',
+	'''token''',
+	'''password''',
+	'''secret''',
+	'''api\_key''',
+	'''apikey''',
+	'''api\-key''',
+    ]
+paths = [
+    '''gitleaks.toml''',
+    '''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''',
+    '''(go.mod|go.sum)$'''
+]
+