
v8.1.0

@zricethezav zricethezav released this 03 Dec 02:07
98d5648

Changelog

(#734) This is the first big change since the release of v8.0.0 which I think has gone well? Anyways this release (v8.1.0) introduces the following changes:

  • Deduplicate generic secret findings in reports (provider-specific rules take precedence)
  • Add secretGroup to extract the actual secrets from the rules.
  • Removes entropyGroup, so yes you probably will have to update your config again
  • Renames Context to Match in reports
  • Added a bunch of ids to the default config (probably should make this a required field but that can wait)

More on:

  • Add secretGroup to extract the actual secrets from the rules.

Let's take the discord example in the default config:
discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"

The discord client secret rule, with secretGroup added, will extract 8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ as the secret since ([a-z0-9=_\-]{32}) is regex group 3:

[[rules]]
id = "discord-client-secret"
description = "Discord client secret"
regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]'''
secretGroup = 3

And the resulting report finding for this example secret would look something like:

 {
  "Description": "Discord client secret",
  "StartLine": 225,
  "EndLine": 225,
  "StartColumn": 2,
  "EndColumn": 59,
  "Match": "discord_client_secret = \"8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ\"",
  "Secret": "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ",
  "File": "README.md",
  "Commit": "f0b8d26c9988af725132c100dda5051586a3026e",
...
  "RuleID": "discord-client-secret"
 },

And a note on deduping/generic secrets (from the readme):

Let's continue with the example discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ".
This secret would match both the discord-client-secret rule and the generic-api-key rule in the default config.

[[rules]]
id = "discord-client-secret"
description = "Discord client secret"
regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]'''
secretGroup = 3

[[rules]]
id = "generic-api-key"
description = "Generic API Key"
regex = '''(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]'''
entropy = 3.7
secretGroup = 4

If gitleaks encountered discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ", only the discord rule would report a finding because the generic rule has the string generic somewhere in the rule's id. If a secret is encountered and both a generic and non-generic rule have discovered the same secret, the non-generic will be given precedence.
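The following Go program is an added example, not gitleaks' own code, that models the two behaviours described above: extracting the secret via secretGroup (and gating the generic rule on its entropy threshold) and then dropping a generic finding when a non-generic rule reported the same secret. It uses the two rule definitions quoted in this release note verbatim; the Rule and Finding types, the shannonEntropy helper, and the dedupe function are assumptions of this example, and the sample lines in main are constructed.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Rule holds the [[rules]] fields this example uses (an assumption of the
// example, not gitleaks' internal type).
type Rule struct {
	ID          string
	Description string
	Regex       *regexp.Regexp
	SecretGroup int     // capture group holding the secret; 0 means the whole match
	Entropy     float64 // minimum Shannon entropy of the secret; 0 disables the check
}

// Finding is the subset of report fields shown in the release note.
type Finding struct {
	Description string
	Match       string
	Secret      string
	RuleID      string
}

// rules are the two default-config rules quoted above.
var rules = []Rule{
	{
		ID:          "discord-client-secret",
		Description: "Discord client secret",
		Regex:       regexp.MustCompile(`(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]`),
		SecretGroup: 3,
	},
	{
		ID:          "generic-api-key",
		Description: "Generic API Key",
		Regex:       regexp.MustCompile(`(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]`),
		Entropy:     3.7,
		SecretGroup: 4,
	},
}

// shannonEntropy returns the entropy of s in bits per character.
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// scanLine runs every rule over one line and returns the raw, pre-dedup findings.
// The secret is the configured capture group; a rule with an entropy threshold
// drops matches whose secret falls below it.
func scanLine(line string) []Finding {
	var out []Finding
	for _, rule := range rules {
		for _, m := range rule.Regex.FindAllStringSubmatch(line, -1) {
			secret := m[0]
			if rule.SecretGroup > 0 && rule.SecretGroup < len(m) {
				secret = m[rule.SecretGroup]
			}
			if rule.Entropy > 0 && shannonEntropy(secret) < rule.Entropy {
				continue
			}
			out = append(out, Finding{rule.Description, m[0], secret, rule.ID})
		}
	}
	return out
}

// isGeneric follows the note's rule: a rule is generic if its id contains "generic".
func isGeneric(ruleID string) bool { return strings.Contains(ruleID, "generic") }

// dedupe drops a generic finding whenever a non-generic rule found the same secret.
func dedupe(findings []Finding) []Finding {
	specific := map[string]bool{}
	for _, f := range findings {
		if !isGeneric(f.RuleID) {
			specific[f.Secret] = true
		}
	}
	var out []Finding
	for _, f := range findings {
		if isGeneric(f.RuleID) && specific[f.Secret] {
			continue
		}
		out = append(out, f)
	}
	return out
}

func main() {
	// Constructed sample line: the discord example from the default config.
	line := `discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"`
	raw := scanLine(line)
	fmt.Printf("%d raw findings, %d after dedup\n", len(raw), len(dedupe(raw)))
	for _, f := range dedupe(raw) {
		fmt.Printf("%s -> %s\n", f.RuleID, f.Secret)
	}
}
```

Both rules match the sample line (the secret's entropy is well above 3.7), so the raw scan yields two findings; dedupe keeps only the discord-client-secret one. A key that only the generic rule recognises is still reported, and a low-entropy value such as a run of identical characters is filtered out by the generic rule's entropy gate before it ever reaches the report.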