Upgrade gitleaks from v7.6.1 to v8.3.0 by secureCodeBoxBot · Pull Request #830 · secureCodeBox/secureCodeBox

secureCodeBoxBot · 2021-11-23T09:30:50Z

This PR upgrades gitleaks from v7.6.1 to v8.3.0. This includes a number of breaking changes, see the release notes by Gitleaks, particularly that for v8.0.0.

SCB-specific changes

Gitleaks no longer supports cloning natively. To clone a repository, use an init container as described in the updated documentation.

Findings no longer contain direct link to commit. Since Gitleaks no longer clones, it also does not include repository information in its output. We thus removed the attributes.repo key from the finding, and the attributes.commit no longer contains a link to the repo by default, only the SHA of the commit. To add the link to the repo, you need to add a scan annotation called metadata.scan.securecodebox.io/git-repo-url and point it at the URL of the repository (e.g. https://github.com/secureCodeBox/secureCodeBox). Further details can be found in the documentation.

Scanning only commits from a specific timeframe now works natively. There is no longer a need to use our fork of gitleaks. See the description in the documentation. Closes #790.

We removed the default cascading rules. There is no longer the possibility to write a generic cascading rule that covers all possible ways of authenticating. You can find an example cascading rule that downloads a repository from GitHub here, use it as a basis and change the used scanner to Gitleaks with your chosen parameters.

We removed the default rulesets. The ScanType no longer ships with a set of default rules, as they were outdated and it is better to rely on the rulesets maintained by the Gitleaks team. Use the ruleset built into the scanner or provide your own using a ConfigMap.

Severity of the findings now more explicitly based on result tags. All findings are now classified as medium severity by default. When defining your own Gitleaks rulesets, you can set the tags "LOW" or "HIGH" to override the severity for findings matching a particular rule.

We now use the official Docker image. Before, we used a custom version of the image to work around some limitations of Gitleaks (i.e., being unable to control the return code, and the system not creating a report file if no findings were found). Both of these limitations have been addressed, so we now use the official Docker image of Gitleaks directly. This will be changed automatically when you update the Helm install (you do not need to make any manual changes) but it will lead to a new image being installed on your cluster.

malexmave · 2021-11-23T09:34:34Z

Oh my. This is going to be a larger operation if we include it. Let's discuss what to do about this once we have our team together again.

malexmave · 2021-12-08T11:23:06Z

What will have to be done here:

Pull the version number up to the latest 8.X (there have been more releases)
Update the parser
Update the unit tests
Update the documentation (no more cloning directly from GitLeaks => use init containers, as described here for example)
Re-enable the version check in the CI files for SCB Bot

Signed-off-by: secureCodeBoxBot <securecodebox@iteratec.com>

Signed-off-by: GitHub Actions <securecodebox@iteratec.com>