Bufix/1100 protect stagged files (#1121)

* create repo with stagged secrets

* add .gitleaksignore to testdata repo

* fix typo

* add gitleaksignore to detector on protect command

---------

Co-authored-by: Rafael Figueiredo <rfigueiredo@garoa.cloud>

cmd/protect.go

@@ -66,11 +66,16 @@ func runProtect(cmd *cobra.Command, args []string) {
 	if detector.Redact, err = cmd.Flags().GetBool("redact"); err != nil {
 		log.Fatal().Err(err).Msg("")
 	}
-
 	if detector.MaxTargetMegaBytes, err = cmd.Flags().GetInt("max-target-megabytes"); err != nil {
 		log.Fatal().Err(err).Msg("")
 	}
 
+	if fileExists(filepath.Join(source, ".gitleaksignore")) {
+		if err = detector.AddGitleaksIgnore(filepath.Join(source, ".gitleaksignore")); err != nil {
+			log.Fatal().Err(err).Msg("could not call AddGitleaksIgnore")
+		}
+	}
+
 	// get log options for git scan
 	logOpts, err := cmd.Flags().GetString("log-opts")
 	if err != nil {

detect/detect_test.go

@@ -485,6 +485,87 @@ func TestFromGit(t *testing.T) {
 		assert.ElementsMatch(t, tt.expectedFindings, findings)
 	}
 }
+func TestFromGitStaged(t *testing.T) {
+	tests := []struct {
+		cfgName          string
+		source           string
+		logOpts          string
+		expectedFindings []report.Finding
+	}{
+		{
+			source:  filepath.Join(repoBasePath, "staged"),
+			cfgName: "simple",
+			expectedFindings: []report.Finding{
+				{
+					Description: "AWS Access Key",
+					StartLine:   7,
+					EndLine:     7,
+					StartColumn: 18,
+					EndColumn:   37,
+					Line:        "\n\taws_token2 := \"AKIALALEMEL33243OLIA\" // this one is not",
+					Match:       "AKIALALEMEL33243OLIA",
+					Secret:      "AKIALALEMEL33243OLIA",
+					File:        "api/api.go",
+					SymlinkFile: "",
+					Commit:      "",
+					Entropy:     3.0841837,
+					Author:      "",
+					Email:       "",
+					Date:        "0001-01-01T00:00:00Z",
+					Message:     "",
+					Tags: []string{
+						"key",
+						"AWS",
+					},
+					RuleID:      "aws-access-key",
+					Fingerprint: "api/api.go:aws-access-key:7",
+				},
+			},
+		},
+	}
+
+	err := moveDotGit("dotGit", ".git")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		if err := moveDotGit(".git", "dotGit"); err != nil {
+			t.Error(err)
+		}
+	}()
+
+	for _, tt := range tests {
+
+		viper.AddConfigPath(configPath)
+		viper.SetConfigName("simple")
+		viper.SetConfigType("toml")
+		err = viper.ReadInConfig()
+		if err != nil {
+			t.Error(err)
+		}
+
+		var vc config.ViperConfig
+		err = viper.Unmarshal(&vc)
+		if err != nil {
+			t.Error(err)
+		}
+		cfg, err := vc.Translate()
+		if err != nil {
+			t.Error(err)
+		}
+		detector := NewDetector(cfg)
+		detector.AddGitleaksIgnore(filepath.Join(tt.source, ".gitleaksignore"))
+		findings, err := detector.DetectGit(tt.source, tt.logOpts, ProtectStagedType)
+		if err != nil {
+			t.Error(err)
+		}
+
+		for _, f := range findings {
+			f.Match = "" // remove lines cause copying and pasting them has some wack formatting
+		}
+		assert.ElementsMatch(t, tt.expectedFindings, findings)
+	}
+}
 
 // TestFromFiles tests the FromFiles function
 func TestFromFiles(t *testing.T) {

testdata/repos/staged/.gitleaksignore

@@ -0,0 +1 @@
+api/api.go:aws-access-key:6

testdata/repos/staged/README.md

@@ -0,0 +1,2 @@
+# test
+This is a repo used for testing gitleaks

testdata/repos/staged/api/api.go

@@ -0,0 +1,10 @@
+package api
+
+import "fmt"
+
+func PrintHello() {
+	aws_token := "AKIALALEMEL33243OLIA"  // fingerprint of that secret is added to .gitleaksignore
+	aws_token2 := "AKIALALEMEL33243OLIA" // this one is not
+	fmt.Println(aws_token)
+	fmt.Println(aws_token2)
+}

testdata/repos/staged/dotGit/COMMIT_EDITMSG

@@ -0,0 +1 @@
+add .gitleaksignore file

testdata/repos/staged/dotGit/FETCH_HEAD

@@ -0,0 +1 @@
+2e1db472eeba53f06c4026ae4566ea022e36598e		branch 'main' of github.com:gitleaks/test

testdata/repos/staged/dotGit/HEAD

@@ -0,0 +1 @@
+ref: refs/heads/main

testdata/repos/staged/dotGit/ORIG_HEAD

@@ -0,0 +1 @@
+1b6da43b82b22e4eaa10bcf8ee591e91abbfc587

testdata/repos/staged/dotGit/config

@@ -0,0 +1,13 @@
+[core]
+	repositoryformatversion = 0
+	filemode = true
+	bare = false
+	logallrefupdates = true
+	ignorecase = true
+	precomposeunicode = true
+[remote "origin"]
+	url = git@github.com:gitleaks/test.git
+	fetch = +refs/heads/*:refs/remotes/origin/*
+[branch "main"]
+	remote = origin
+	merge = refs/heads/main

testdata/repos/staged/dotGit/description

@@ -0,0 +1 @@
+Unnamed repository; edit this file 'description' to name the repository.

testdata/repos/staged/dotGit/info/exclude

@@ -0,0 +1,6 @@
+# git ls-files --others --exclude-from=.git/info/exclude
+# Lines that start with '#' are comments.
+# For a project mostly in C, the following would be a good set of
+# exclude patterns (uncomment them if you want to use them):
+# *.[oa]
+# *~

testdata/repos/staged/dotGit/logs/HEAD

@@ -0,0 +1,14 @@
+0000000000000000000000000000000000000000 1b6da43b82b22e4eaa10bcf8ee591e91abbfc587 Zach Rice <zricer@protonmail.com> 1635896329 -0500	clone: from github.com:gitleaks/test.git
+1b6da43b82b22e4eaa10bcf8ee591e91abbfc587 1b6da43b82b22e4eaa10bcf8ee591e91abbfc587 Zach Rice <zricer@protonmail.com> 1635896362 -0500	checkout: moving from main to remove-secrets
+1b6da43b82b22e4eaa10bcf8ee591e91abbfc587 906335481df9a4b48906c90318b4fac76b67fe73 Zach Rice <zricer@protonmail.com> 1635896426 -0500	commit: load token via env var
+906335481df9a4b48906c90318b4fac76b67fe73 a122b33c6bad3ee54724f52f2caad385ab1982ab Zach Rice <zricer@protonmail.com> 1635896518 -0500	commit: add api package
+a122b33c6bad3ee54724f52f2caad385ab1982ab a122b33c6bad3ee54724f52f2caad385ab1982ab Zach Rice <zricer@protonmail.com> 1635896543 -0500	checkout: moving from remove-secrets to api-pkg
+a122b33c6bad3ee54724f52f2caad385ab1982ab 1b6da43b82b22e4eaa10bcf8ee591e91abbfc587 Zach Rice <zricer@protonmail.com> 1635896644 -0500	checkout: moving from api-pkg to main
+1b6da43b82b22e4eaa10bcf8ee591e91abbfc587 2e1db472eeba53f06c4026ae4566ea022e36598e Zach Rice <zricer@protonmail.com> 1635896648 -0500	pull origin main: Fast-forward
+2e1db472eeba53f06c4026ae4566ea022e36598e 2e1db472eeba53f06c4026ae4566ea022e36598e Zach Rice <zricer@protonmail.com> 1635896716 -0500	checkout: moving from main to foo
+2e1db472eeba53f06c4026ae4566ea022e36598e 491504d5a31946ce75e22554cc34203d8e5ff3ca Zach Rice <zricer@protonmail.com> 1635896886 -0500	commit: adding foo package with secret
+491504d5a31946ce75e22554cc34203d8e5ff3ca f1b58b97808f8e744f6a23c693859df5b5968901 Zach Rice <zricer@protonmail.com> 1635896931 -0500	commit: removing secret from foo package
+f1b58b97808f8e744f6a23c693859df5b5968901 2e1db472eeba53f06c4026ae4566ea022e36598e Zach Rice <zricer@protonmail.com> 1635897009 -0500	checkout: moving from foo to main
+2e1db472eeba53f06c4026ae4566ea022e36598e f1b58b97808f8e744f6a23c693859df5b5968901 Zach Rice <zricer@protonmail.com> 1635897062 -0500	checkout: moving from main to foo
+f1b58b97808f8e744f6a23c693859df5b5968901 2e1db472eeba53f06c4026ae4566ea022e36598e Zach Rice <zricer@protonmail.com> 1635897508 -0500	checkout: moving from foo to main
+2e1db472eeba53f06c4026ae4566ea022e36598e bf3f24164d7256b4021575cbdb2f97b98e6f057e Rafael Figueiredo <rfigueiredo@garoa.cloud> 1679239434 -0300	commit: add .gitleaksignore file

testdata/repos/staged/dotGit/logs/refs/heads/api-pkg

@@ -0,0 +1 @@
+0000000000000000000000000000000000000000 a122b33c6bad3ee54724f52f2caad385ab1982ab Zach Rice <zricer@protonmail.com> 1635896543 -0500	branch: Created from HEAD

testdata/repos/staged/dotGit/logs/refs/heads/foo

@@ -0,0 +1,3 @@
+0000000000000000000000000000000000000000 2e1db472eeba53f06c4026ae4566ea022e36598e Zach Rice <zricer@protonmail.com> 1635896716 -0500	branch: Created from HEAD
+2e1db472eeba53f06c4026ae4566ea022e36598e 491504d5a31946ce75e22554cc34203d8e5ff3ca Zach Rice <zricer@protonmail.com> 1635896886 -0500	commit: adding foo package with secret
+491504d5a31946ce75e22554cc34203d8e5ff3ca f1b58b97808f8e744f6a23c693859df5b5968901 Zach Rice <zricer@protonmail.com> 1635896931 -0500	commit: removing secret from foo package

testdata/repos/staged/dotGit/logs/refs/heads/main

@@ -0,0 +1,3 @@
+0000000000000000000000000000000000000000 1b6da43b82b22e4eaa10bcf8ee591e91abbfc587 Zach Rice <zricer@protonmail.com> 1635896329 -0500	clone: from github.com:gitleaks/test.git
+1b6da43b82b22e4eaa10bcf8ee591e91abbfc587 2e1db472eeba53f06c4026ae4566ea022e36598e Zach Rice <zricer@protonmail.com> 1635896648 -0500	pull origin main: Fast-forward
+2e1db472eeba53f06c4026ae4566ea022e36598e bf3f24164d7256b4021575cbdb2f97b98e6f057e Rafael Figueiredo <rfigueiredo@garoa.cloud> 1679239434 -0300	commit: add .gitleaksignore file

testdata/repos/staged/dotGit/logs/refs/heads/remove-secrets

@@ -0,0 +1,3 @@
+0000000000000000000000000000000000000000 1b6da43b82b22e4eaa10bcf8ee591e91abbfc587 Zach Rice <zricer@protonmail.com> 1635896362 -0500	branch: Created from HEAD
+1b6da43b82b22e4eaa10bcf8ee591e91abbfc587 906335481df9a4b48906c90318b4fac76b67fe73 Zach Rice <zricer@protonmail.com> 1635896426 -0500	commit: load token via env var
+906335481df9a4b48906c90318b4fac76b67fe73 a122b33c6bad3ee54724f52f2caad385ab1982ab Zach Rice <zricer@protonmail.com> 1635896518 -0500	commit: add api package

testdata/repos/staged/dotGit/logs/refs/remotes/origin/HEAD

@@ -0,0 +1 @@
+0000000000000000000000000000000000000000 1b6da43b82b22e4eaa10bcf8ee591e91abbfc587 Zach Rice <zricer@protonmail.com> 1635896329 -0500	clone: from github.com:gitleaks/test.git

testdata/repos/staged/dotGit/logs/refs/remotes/origin/api-pkg

@@ -0,0 +1 @@
+0000000000000000000000000000000000000000 a122b33c6bad3ee54724f52f2caad385ab1982ab Zach Rice <zricer@protonmail.com> 1635896552 -0500	update by push

testdata/repos/staged/dotGit/logs/refs/remotes/origin/foo

@@ -0,0 +1 @@
+0000000000000000000000000000000000000000 f1b58b97808f8e744f6a23c693859df5b5968901 Zach Rice <zricer@protonmail.com> 1635896935 -0500	update by push

testdata/repos/staged/dotGit/logs/refs/remotes/origin/main

@@ -0,0 +1 @@
+1b6da43b82b22e4eaa10bcf8ee591e91abbfc587 2e1db472eeba53f06c4026ae4566ea022e36598e Zach Rice <zricer@protonmail.com> 1635896648 -0500	pull origin main: fast-forward

testdata/repos/staged/dotGit/objects/02/d85657604c34e7b7fbb324a0c6c8b13c2c3760

@@ -0,0 +1 @@
+x
U�1�0`�ܯ8nJ��.���:*(8��\��ɕ$� �w3	Nox�{�$6�f1�~�wF'0�YbF���TB�
p���ND|�*]u�C�S�T ���kL�>a��#(�Jm����(��s��Դ�]���=���>���03

testdata/repos/staged/dotGit/objects/90/6335481df9a4b48906c90318b4fac76b67fe73

@@ -0,0 +1,3 @@
+x
��M
+�0F]�s
%��t
+"����I2�E۔�����>x�_��2w@;�z
㑈ءC�X��@���65�)���M�&���F:l'�F�THďFF�1��iP��Sm��4�cN�o;�ݷV{]�ߗT��`=��a���Z�����w���d�}f�u����
KK�

testdata/repos/staged/dotGit/objects/bf/3f24164d7256b4021575cbdb2f97b98e6f057e

@@ -0,0 +1,2 @@
+x
��An!s��X���ɲ|��
�5��X����
[�*uj�[d��1:@"1-�9q,1��ct%preB(6�l�w����)G�X ��
+K�lE�g�P's8��>��ӷ�F_u�Q;r�S/��jozH[��&Y�u�;O��M�;;�f�h�tX�ؠ?Ϻ�[����_]U

testdata/repos/staged/dotGit/packed-refs

@@ -0,0 +1,2 @@
+# pack-refs with: peeled fully-peeled sorted 
+1b6da43b82b22e4eaa10bcf8ee591e91abbfc587 refs/remotes/origin/main

testdata/repos/staged/dotGit/refs/heads/api-pkg

@@ -0,0 +1 @@
+a122b33c6bad3ee54724f52f2caad385ab1982ab

testdata/repos/staged/dotGit/refs/heads/foo

@@ -0,0 +1 @@
+f1b58b97808f8e744f6a23c693859df5b5968901

testdata/repos/staged/dotGit/refs/heads/main

@@ -0,0 +1 @@
+bf3f24164d7256b4021575cbdb2f97b98e6f057e

testdata/repos/staged/dotGit/refs/heads/remove-secrets

@@ -0,0 +1 @@
+a122b33c6bad3ee54724f52f2caad385ab1982ab

testdata/repos/staged/dotGit/refs/remotes/origin/HEAD

@@ -0,0 +1 @@
+ref: refs/remotes/origin/main

testdata/repos/staged/dotGit/refs/remotes/origin/api-pkg

@@ -0,0 +1 @@
+a122b33c6bad3ee54724f52f2caad385ab1982ab

testdata/repos/staged/dotGit/refs/remotes/origin/foo

@@ -0,0 +1 @@
+f1b58b97808f8e744f6a23c693859df5b5968901

testdata/repos/staged/dotGit/refs/remotes/origin/main

@@ -0,0 +1 @@
+2e1db472eeba53f06c4026ae4566ea022e36598e

testdata/repos/staged/main.go

@@ -0,0 +1,27 @@
+package main
+
+import (
+	"fmt"
+	"os"
+)
+
+func main() {
+
+	var a = "initial"
+	fmt.Println(a)
+
+	var b, c int = 1, 2
+	fmt.Println(b, c)
+
+	var d = true
+	fmt.Println(d)
+
+	var e int
+	fmt.Println(e)
+
+	// load secret via env
+	awsToken := os.Getenv("AWS_TOKEN")
+
+	f := "apple"
+	fmt.Println(f)
+}