Define multiple global allowlists #1777
Conversation
6a3a2b0 to
2b4f451
Compare
c914c1d to
72583b8
Compare
|
@zricethezav @bplaxco What are your thoughts on this feature (conceptually, ignoring the current ugly code)? It feels quite useful, especially for large configs that have duplicated allowlists that may not be suitable for the global allowlist (e.g., leaktk/patterns#64). The following are equivalent: Before [[rules]]
id = "github-app-token"
regex = '''(?:ghu|ghs)_[0-9a-zA-Z]{36}'''
[[rules.allowlists]]
paths = [
'''(?:^|/)@octokit/auth-token/README\.md$''',
]
[[rules]]
id = "github-oauth"
regex = '''gho_[0-9a-zA-Z]{36}'''
[[rules]]
id = "github-pat"
regex = '''ghp_[0-9a-zA-Z]{36}'''
[[rules.allowlists]]
paths = [
'''(?:^|/)@octokit/auth-token/README\.md$''',
]After [[rules]]
id = "github-app-token"
regex = '''(?:ghu|ghs)_[0-9a-zA-Z]{36}'''
[[rules]]
id = "github-oauth"
regex = '''gho_[0-9a-zA-Z]{36}'''
[[rules]]
id = "github-pat"
regex = '''ghp_[0-9a-zA-Z]{36}'''
[[allowlists]]
ruleIDs = ["github-app-token", "github-pat"]
paths = [
'''(?:^|/)@octokit/auth-token/README\.md$''',
] |
|
@rgmz multiple global allowlists makes sense to me. It mirrors what's on the rules, and I like the idea of having the ability to have a global allowlist with an AND condition apart from the other normal large global allowlist. It'd probably also simplify the code (if this hasn't already been done) for extending existing allowlist config. You'd just append the extended allowlist rather than mutating the existing global one. |
Heh aside: in that specific MR I also added support for a All that to say, I don't think I'd want gitleaks to allow variables or anything like that for me in the config—I like gitleaks taking a simple static config, but for writing large configs, having a dynamic source is really handy. |
ff2ce76 to
e7beb14
Compare
Good point. I've updated the logic to simplify extending: Lines 441 to 444 in e7beb14 |
bbc0c7c to
06b0164
Compare
Conceptually, I agree with this proposal. What do you need from me to get this PR from a draft state to a ready state? |
f00162e to
eb3676b
Compare
21f7201 to
af8e1b4
Compare
After a second pass, I'm much happier with how this looks. I think it's ready for review now. Forgive the large number of files moved. I did shuffle around a bunch of tests in |
bbc408d to
f9b1dea
Compare
| @@ -13,23 +13,9 @@ | |||
|
|
|||
| title = "gitleaks config" | |||
|
|
|||
| # TODO: change to [[allowlists]] | |||
|
@rgmz could you update the description to be a little more ... descriptive :P, namely |
| @@ -60,18 +62,22 @@ type viperRuleAllowlist struct { | |||
| StopWords []string | |||
| } | |||
|
|
|||
| type viperGlobalAllowlist struct { | |||
| TargetRules []string | |||
| viperRuleAllowlist `mapstructure:",squash"` | |||
There was a problem hiding this comment.
There was a problem hiding this comment.
I went a bit crazy at first trying to get parseAllowlist to work.
f9b1dea to
e52b2cf
Compare
e52b2cf to
bb47e30
Compare
Great point -- I've updated the PR description. LMK if you feel there's anything I've missed. |
|
FYI @taiki45. |
Updates gitleaks to v8.26.0. Gitleaks added the ability to have multiple configured allow lists with gitleaks/gitleaks#1777 , so this also adjusts how we add the configured allow list to the detector's config. Signed-off-by: Mikhail Swift <mikhail@testifysec.com>
Updates gitleaks to v8.26.0. Gitleaks added the ability to have multiple configured allow lists with gitleaks/gitleaks#1777 , so this also adjusts how we add the configured allow list to the detector's config. Signed-off-by: Mikhail Swift <mikhail@testifysec.com>
Description:
This is a follow-up to #1496. It allows defining multiple global allowlists with independent AND/OR conditions.
Multiple Allowlists
Supports multiple top-level allowlists with AND/OR conditions, similar to multiple rule allowlists added in #1496.
Targeted / Reuable Allowlists
Instead of copying & pasting allowlists between multiples rules, the top-level allowlists now have
targetRuleswhich will be assigned to the rules at runtime. Allowlists that havetargetRulesare not added to the global allowlists. (Inspired by Finatext/gls.)Example: #1777 (comment).
Miscellaneous Changes
titlein the parsed config (inconsequential other than Create command to print config #1654 I think)logging.Fatal()with returning an error to simplify testscheckCommitOrPathAllowedandcheckFindingAllowedfunctions, rather than large amounts of duplicated codeChecklist: