- `-r`: The link to the repository you want to scan.
45
-
- `--access-token`: Only for non-public repositories.
46
-
- `--username`and`--password`: Only for non-public repositories.
47
-
- `--config-path`: The ruleset you want to use.
48
-
49
-
#### Ruleset
50
-
51
-
At this point we provide three rulesets which you can pass to the `--config-path` oprtion:
52
-
53
-
- `/home/config_all.toml`: Includes every rule.
54
-
- `/home/config_filenames_only.toml`: Gitleaks scans only file names and extensions.
55
-
- `/home/config_no_generics.toml`: No generic rules like searching for the word *password*. With this option you won't
56
-
find something like **password = Ej2ifDk2jfeo2**, but it will reduce resulting false positives.
57
-
58
-
If you like to provide your custom ruleset, you can create a configMap and mount it into
59
-
the scan. Checkout the examples for more information about providing your own gitleaks rules config.
60
-
{{- end }}
61
-
62
-
{{- define"extra.chartConfigurationSection" -}}
63
-
**Do not** override the option `--report-format`or`--report`. It is already configured for automatic findings parsing.
64
-
65
-
## Additional Chart Configurations
66
-
### secureCodeBox extended GitLeaks Features
67
-
68
-
:::info
69
-
If you run gitleaks based on a scheduledScan (e.g. one scan per day) it would be enough to scan all git-commits since the last executed schedule.
70
-
Instead of scanning all commits in the complete git history every day it would save a lot of resources to scan only all commits of the last day.
71
-
72
-
_Problem is: This is a feature and configuration option gitleaks is currently not supporting._
73
-
74
-
That's why we created an [issue](https://github.com/zricethezav/gitleaks/issues/497) and a [pull request](https://github.com/zricethezav/gitleaks/pull/498) for that.
75
-
If you like the idea, please vote for our issue and PR.
76
-
77
-
If you already want to use our implementation (fork) of this feature you can use our [gitleaks forked docker image](https://hub.docker.com/r/securecodebox/gitleaks) instead of the gitleaks original image.
78
-
:::
42
+
Starting with version 8.0, gitleaks no longer supports cloning the repository directly.
43
+
Instead, you will have to use an init container to do so.
44
+
[We provide example scan definitions below](https://docs.securecodebox.io/docs/scanners/gitleaks/#examples) that you can build on.
79
45
46
+
### Scanning Specific Timeframes
47
+
When running gitleaks as a [scheduled scan](https://docs.securecodebox.io/docs/how-tos/automatically-repeating-scans), you may not want to go through the entire repository history every time.
48
+
Gitleaks allows you to limit the commits it will scan using the `--log-opts` parameter, which accepts all parameters supported by `git log -p`.
49
+
For example, if you want to scan only commits made in the last 7 days, on all branches of the repository, use the following parameters:
80
50
```yaml
81
-
# Corresponding HelmChart Configuration
82
-
scanner:
83
-
image:
84
-
# scanner.image.repository -- Container Image to run the scan
--commit-since-duration= Scan commits more recent than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each
101
-
with optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'.
102
-
--commit-until-duration= Scan commits older than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each with
103
-
optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'.
104
-
```
105
-
106
-
#### Other useful options are:
107
-
108
-
- `--commit-since`: Scan commits more recent than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format.
109
-
- `--commit-until`: Scan commits older than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format.
110
-
- `--repo-config`: Load config from target repo. Config file must be ".gitleaks.toml"or"gitleaks.toml".
111
-
112
-
#### Finding format
113
-
114
-
It is not an easy task to classify the severity of the scans because we can't tell for sure if the finding is e.g. a real
115
-
or a testing password. Another issue is that the rate of false positives for generic rules can be very high. Therefore,
116
-
we tried to classify the severity of the finding by looking at the accuracy of the rule which detected it. Rules for AWS
117
-
secrets or Artifactory tokens are very precise, so they get a high severity. Generic rules on the other hand get a low
118
-
severity because the often produce false positives.
119
-
120
-
**Please keep in mind that findings with a low severity can be actually
121
-
very critical.**
122
-
123
-
#### Cascading Rules
124
-
125
-
If you want to scan multiple repositories from GitHub or gitlab automatically at once, you should
126
-
take a look at the cascading rules which get triggered by the **git-repo-scanner**.
127
-
For more information on how to use **git-repo-scanner** checkout the
# Only consider commits within the last 7 days, on all branches
58
+
- "--log-opts=--since=7days --all --full-history"
137
59
```
60
+
Note that the parameters to `--log-opts` are not quoted separately due to the way the scanner is called inside secureCodeBox - adding extra quotes will break the scan!
61
+
It is important to remember to pass `--all --full-history` when using `--log-opts`, as otherwise only the default branch will be scanned (when not using `--log-opts`, gitleaks adds these parameters implicitly).
62
+
63
+
### Human-Friendly Commit URLs
64
+
Before gitleaks 8.0, the findings used to contain a direct link to the commit that contained the secret.
65
+
The base URL was pulled from the parameter given to gitleaks.
66
+
Since this is no longer possible, we cannot automatically infer which repository the commits belong to.
67
+
However, you can provide this information manually using a scan annotation called `metadata.scan.securecodebox.io/git-repo-url`.
68
+
See the examples below on how to use it.
69
+
70
+
### Cascading Scans
71
+
Gitleaks works well in conjunction with [git-repo-scanner](https://docs.securecodebox.io/docs/scanners/git-repo-scanner) to enumerate Git repositories and scan them using cascading rules.
72
+
We do not ship default cascading rules for this purpose.
73
+
However, you can find instructions on running such cascading scans in [this article](https://docs.securecodebox.io/blog/2021/10/27/sast-scanning) - simply adapt it to use gitleaks instead of semgrep and you are good to go.
74
+
75
+
### Providing Your Own Ruleset
76
+
SecureCodeBox used to ship a number of default rulesets.
77
+
We have stopped doing this, as the official ruleset of gitleaks is much more up-to-date and well-maintained.
78
+
However, if you still want to write and use your own rulesets, we [provide an example below](https://docs.securecodebox.io/docs/scanners/gitleaks#provide-own-rules).
79
+
The parser will set all found issues to `medium` severity by default.
80
+
To override the severity in your own rulesets, include the result tag "HIGH"or"LOW" in your gitleaks rule.
81
+
{{- end }}
138
82
139
-
For more information on how to use cascades take a look at
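Review bot: the `{{- define }}`/`{{- end }}` pairing looks unbalanced after this change: the old `{{- end }}` (old line 60) and the old `{{- define "extra.chartConfigurationSection" -}}` (old line 62) are both removed while a new `{{- end }}` is added at new line 81, so unless the original closing `{{- end }}` of the chartConfigurationSection block is also removed below the last visible context line (old line 139), the template is left with one more `end` than `define` and helm-docs will fail to render it; please confirm that closing line is dropped as well. Two pieces of content also disappear without a replacement and are worth carrying over into the new sections: the warning at old line 63 (`**Do not** override the option --report-format or --report`, which the automatic findings parsing depends on) and the caveat at old lines 120-121 that findings with a low severity can still be very critical, since new lines 79-80 now only say that the parser defaults to `medium` and that `HIGH`/`LOW` tags override it. Finally, new line 60 states that adding quotes around the `--log-opts` value breaks the scan; it would help to say how the value is split into arguments (by whitespace, as the example `--log-opts=--since=7days --all --full-history` at new line 58 suggests), so readers know that `git log` options containing spaces cannot be passed this way.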