v8.1.0
Changelog
(#734) This is the first big change since the release of v8.0.0, which I think has gone well? Anyways, this release (v8.1.0) introduces the following changes:
- Deduplicate generic secret findings in reports (provider-specific rules take precedence)
- Add `secretGroup` to extract the actual secrets from the rules
- Remove `entropyGroup`, so yes, you probably will have to update your config again
- Rename `Context` to `Match` in reports
- Add a bunch of `id`s to the default config (this probably should be a required field, but that can wait)
More on:
- Add `secretGroup` to extract the actual secrets from the rules.
Let's take the discord example in the default config:

```
discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"
```

The discord client secret rule, with `secretGroup` added, will extract `8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ` as the secret, since `([a-z0-9=_\-]{32})` is regex group 3:

```toml
[[rules]]
id = "discord-client-secret"
description = "Discord client secret"
regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]'''
secretGroup = 3
```
And the resulting report finding for this example secret would look something like:

```json
{
  "Description": "Discord client secret",
  "StartLine": 225,
  "EndLine": 225,
  "StartColumn": 2,
  "EndColumn": 59,
  "Match": "discord_client_secret = \"8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ\"",
  "Secret": "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ",
  "File": "README.md",
  "Commit": "f0b8d26c9988af725132c100dda5051586a3026e",
  ...
  "RuleID": "discord-client-secret"
},
```
And a note on deduping/generic secrets (from the readme):

Let's continue with the example `discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"`. This secret would match both the `discord-client-secret` rule and the `generic-api-key` rule in the default config.

```toml
[[rules]]
id = "discord-client-secret"
description = "Discord client secret"
regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]'''
secretGroup = 3

[[rules]]
id = "generic-api-key"
description = "Generic API Key"
regex = '''(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]'''
entropy = 3.7
secretGroup = 4
```

If gitleaks encountered `discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"`, only the `discord` rule would report a finding, because the generic rule has the string `generic` somewhere in the rule's `id`. If a secret is encountered and both a `generic` and a non-generic rule have discovered the same secret, the non-generic rule is given precedence.
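To see both mechanisms from this release (`secretGroup` extraction and the generic-rule dedup) working together, here is a small stand-alone Go program. It is an added example written for these notes, not gitleaks' own code. It copies the two rules quoted above; the entropy check (Shannon entropy of the extracted secret compared against the rule's `entropy` value) and the dedup step (drop a finding whose rule id contains `generic` when a non-generic rule reported the same secret) are this example's reading of the text above, not a transcript of the gitleaks implementation. The first sample line is the one from the release notes; the other two are constructed.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Rule holds the fields of a [[rules]] entry that this example uses.
type Rule struct {
	ID          string
	Description string
	Regex       *regexp.Regexp
	SecretGroup int     // capture group that holds the secret; 0 means the whole match
	Entropy     float64 // minimum Shannon entropy of the secret; 0 disables the check
}

// Finding is the subset of report fields this example reproduces.
type Finding struct {
	RuleID string
	Match  string
	Secret string
}

// rules copies the two default-config entries quoted above. TOML's `\"` inside a
// literal string is just an escaped double quote, written here as a plain `"`.
var rules = []Rule{
	{
		ID:          "discord-client-secret",
		Description: "Discord client secret",
		Regex:       regexp.MustCompile(`(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([a-z0-9=_\-]{32})['"]`),
		SecretGroup: 3,
	},
	{
		ID:          "generic-api-key",
		Description: "Generic API Key",
		Regex:       regexp.MustCompile(`(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['"]([0-9a-zA-Z\-_=]{8,64})['"]`),
		SecretGroup: 4,
		Entropy:     3.7,
	},
}

// shannonEntropy returns the bits of entropy per character of s.
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	var h float64
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// detectLine runs every rule over one line and pulls the secret out of the
// rule's secretGroup (assumption: the entropy threshold applies to that group).
func detectLine(line string, rules []Rule) []Finding {
	var findings []Finding
	for _, rule := range rules {
		for _, m := range rule.Regex.FindAllStringSubmatch(line, -1) {
			secret := m[0]
			if rule.SecretGroup > 0 && rule.SecretGroup < len(m) {
				secret = m[rule.SecretGroup]
			}
			if rule.Entropy > 0 && shannonEntropy(secret) < rule.Entropy {
				continue
			}
			findings = append(findings, Finding{RuleID: rule.ID, Match: m[0], Secret: secret})
		}
	}
	return findings
}

// dedupeGeneric drops a finding from a rule whose id contains "generic" when a
// non-generic rule reported the same secret, as the note above describes.
func dedupeGeneric(findings []Finding) []Finding {
	specific := map[string]bool{}
	for _, f := range findings {
		if !strings.Contains(f.RuleID, "generic") {
			specific[f.Secret] = true
		}
	}
	var out []Finding
	for _, f := range findings {
		if strings.Contains(f.RuleID, "generic") && specific[f.Secret] {
			continue
		}
		out = append(out, f)
	}
	return out
}

// scan is the full pipeline for one line: detect, then dedupe.
func scan(line string) []Finding {
	return dedupeGeneric(detectLine(line, rules))
}

func main() {
	for _, line := range []string{
		`discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"`, // from the release notes
		`api_key = "xk9Qp2mZ7rT4wLb8"`,  // constructed: only the generic rule matches
		`password = "aaaaaaaaaaaa"`,      // constructed: matches the regex but fails entropy
	} {
		for _, f := range scan(line) {
			fmt.Printf("%-22s secret=%q match=%q\n", f.RuleID, f.Secret, f.Match)
		}
	}
}
```

Running it reports the discord line once, under `discord-client-secret`, even though `generic-api-key` also extracted the same 32-character secret from its group 4; the constructed `api_key` line is reported once under the generic rule, and the repeated-character password is dropped by the entropy threshold before dedup is even reached.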