Description
I've noticed that running Megalinter 8.6.0 with only REPOSITORY_GITLEAKS or TRIVY_SBOM enabled froze execution (>1h) during a one-shot run.
Using the same configuration in Megalinter 8.5.0 did not freeze execution.
Running Megalinter 8.6.0 with debug logs enabled, I observed the following as the last log entries before the freeze happened:
+----MATCHING LINTERS-----+----------+----------------+------------+
| Descriptor | Linter | Criteria | Matching files | Format/Fix |
+------------+------------+----------+----------------+------------+
| REPOSITORY | trivy-sbom | | project | no |
+------------+------------+----------+----------------+------------+
[Pre][REPOSITORY] No commands declared in user configuration
[trivy-sbom] command: ['trivy', 'fs', '--format', 'cyclonedx', '.']
[trivy-sbom] CWD: /code
Starting new HTTPS connection (1): raw.githubusercontent.com:443
https://raw.githubusercontent.com:443 "GET /gitleaks/gitleaks/refs/heads/master/config/gitleaks.toml HTTP/1.1" 200 20522
Invalid regex pattern after fix: (?i)[\w.-]{0,50}?(?:gocardless)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(live_(?i)[a-z0-9\-_=]{40})(?:[\x60'"\s;]|\\[nr]|$). Error: global flags not at the start of the expression at position 114
Invalid regex pattern after fix: (?i)\b(pscale_pw_(?i)[\w=\.-]{32,64})(?:[\x60'"\s;]|\\[nr]|$). Error: global flags not at the start of the expression at position 17
It seems like #5266 introduced a dependency on a default gitleaks configuration on the master branch.
https://github.com/oxsecurity/megalinter/blob/v8.6.0/megalinter/logger.py#L165
Since the master branch is a moving target, errors in the gitleaks configuration might be the reason for the freeze.
Is there any configuration option for a Megalinter user to either provide their own gitleaks configuration for the sanitization step or to disable it, such that no connection to GitHub is necessary?
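The two log lines above show why the sanitization fails: gitleaks rules are written for Go's RE2 engine, which accepts a global inline flag such as `(?i)` anywhere in the expression, while Python 3.11+ rejects any global flag group that is not at position 0. The following is an added example (not MegaLinter's own code from logger.py) that hoists such flags to the start of the pattern, compiles the result with Python's `re`, and runs the compiled rules over a constructed text. The two patterns are copied verbatim from the log lines; the sample secrets and the helper names are constructed for this example, and the rules come from a local list rather than from a fetch of gitleaks.toml on the master branch.

```python
import re

# The two rule regexes quoted in the issue's "Invalid regex pattern after fix" log lines.
GITLEAKS_PATTERNS = [
    r'''(?i)[\w.-]{0,50}?(?:gocardless)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}(live_(?i)[a-z0-9\-_=]{40})(?:[\x60'"\s;]|\\[nr]|$)''',
    r'''(?i)\b(pscale_pw_(?i)[\w=\.-]{32,64})(?:[\x60'"\s;]|\\[nr]|$)''',
]

# A global inline flag group such as (?i), (?m) or (?s). The lookbehind skips an
# escaped parenthesis. Only the flag letters that Python and RE2 share are handled.
GLOBAL_FLAG_GROUP = re.compile(r'(?<!\\)\(\?([ims]+)\)')


def hoist_global_flags(pattern: str) -> str:
    """Return the pattern with every global inline flag group moved to position 0.

    RE2 (used by gitleaks) accepts (?i) mid-expression; Python 3.11+ raises
    "global flags not at the start of the expression". Collect the letters,
    strip the groups, and emit one combined group at the start.
    """
    letters = set()

    def collect(match):
        letters.update(match.group(1))
        return ''

    body = GLOBAL_FLAG_GROUP.sub(collect, pattern)
    if not letters:
        return pattern
    return '(?' + ''.join(sorted(letters)) + ')' + body


def compile_gitleaks_rules(patterns):
    """Compile each rule for Python's re.

    Returns (compiled, rejected): compiled is a list of (rule_index, regex),
    rejected a list of (rule_index, error_message) for rules that still
    fail after hoisting, so a caller can log them instead of hanging.
    """
    compiled, rejected = [], []
    for idx, raw in enumerate(patterns):
        try:
            compiled.append((idx, re.compile(hoist_global_flags(raw))))
        except re.error as exc:
            rejected.append((idx, str(exc)))
    return compiled, rejected


def scan_for_secrets(text, compiled_rules):
    """Run every compiled rule over text; return (rule_index, secret) pairs.

    gitleaks rules capture the secret in group 1 when they have a group.
    """
    hits = []
    for idx, regex in compiled_rules:
        for m in regex.finditer(text):
            hits.append((idx, m.group(1) if m.groups() else m.group(0)))
    return hits


# Constructed sample: two fake tokens shaped like the rules expect, plus a benign line.
FAKE_GOCARDLESS = 'live_' + 'a' * 40
FAKE_PLANETSCALE = 'pscale_pw_' + 'X' * 40
SAMPLE_TEXT = '\n'.join([
    'GOCARDLESS_TOKEN = "' + FAKE_GOCARDLESS + '"',
    'db_password: ' + FAKE_PLANETSCALE,
    'PUBLIC_KEY = nothing-to-see-here',
])

if __name__ == '__main__':
    rules, bad = compile_gitleaks_rules(GITLEAKS_PATTERNS)
    for idx, err in bad:
        print(f'rule {idx} rejected: {err}')
    for idx, secret in scan_for_secrets(SAMPLE_TEXT, rules):
        print(f'rule {idx} matched: {secret[:12]}...')
```

Hoisting is safe for `i`, `m` and `s` because Python applies a leading flag group to the whole expression, which is what the mid-pattern `(?i)` already did in practice. A rule that still fails to compile is reported and skipped rather than aborting the run, and because the rule list is local the step has no dependency on raw.githubusercontent.com being reachable.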