--no-git scans .git directory, finds false positives

[paul-m]

Describe the bug

I want to scan the local files in my repo as a CI step.

With gitleaks 7 I could maybe use this:

% gitleaks --path . --config-path ./gitleaks.toml --no-git

However, since I just told gitleaks this is not a git repo, it starts scanning .git/, and finds false positives in the git commit SHAs.

The workaround is to delete .git as a first step, but this could be counter-productive, depending on needs.

To Reproduce

Within a git repo, issue this command:

% gitleaks --path . --config-path ./gitleaks.toml --no-git -v

The -v report will (might?) show you false-positive secrets that exist within the .git directory, such as:

{
	"line": "4bfc48ecc1abf2146e5180fb9e1fbc7b04bea803 add733dc5f1c0bb1a338986c74babe42727cbcb3 [...]",
	"lineNumber": 6,
	"offender": "fb9e1fbc7b04bea803 add733dc5f1c0bb1a338986c74babe42727",
	"commit": "0000000000000000000000000000000000000000",
	"repo": "",
	"repoURL": "",
	"leakURL": "",
	"rule": "Facebook Secret Key",
	"commitMessage": "",
	"author": "",
	"email": "",
	"file": ".git/logs/refs/remotes/origin/[some branch name]",
	"date": "1970-01-01T00:00:00Z",
	"tags": "key, Facebook"
}

Note that this is a false positive on a git commit SHA.

Expected behavior
gitleaks should probably ignore the .git directory when using --no-git, or should add another option like --no-git-ignore-git-directory. Hopefully with a better name than that.

Basic Info (please complete the following information):

• OS: Mac OS X
• Gitleaks Version: 7.0.1.

Additional context
Add any other context about the problem here.

cc @zricethezav

[zricethezav]

@paul-m Thanks for raising this issue. By default if --no-git is set then a global allowlist regex: .git$ is appended to the config. This will prevent .git dirs from being scanned.

Should be fixed in https://github.com/zricethezav/gitleaks/releases/tag/v7.0.2