secureCodeBox · J12934 · Mar 16, 2022 · Nov 23, 2021 · Jan 11, 2022 · Jan 11, 2022
diff --git a/.github/workflows/scb-bot.yaml b/.github/workflows/scb-bot.yaml
@@ -11,7 +11,7 @@ jobs:
           - amass
           - angularjs-csti-scanner
           - cmseek
-          # - gitleaks
+          - gitleaks
           - kube-hunter
           - kubeaudit
           - ncrack

diff --git a/scanners/gitleaks/.helm-docs.gotmpl b/scanners/gitleaks/.helm-docs.gotmpl
@@ -36,108 +36,52 @@ To learn more about gitleaks visit <https://github.com/zricethezav/gitleaks>.
 
 {{- define "extra.scannerConfigurationSection" -}}
 ## Scanner Configuration
+For a complete overview of the configuration options, see the
+[Gitleaks documentation](https://github.com/zricethezav/gitleaks#usage).
 
-For a complete overview of the configuration options checkout the
-[Gitleaks documentation](https://github.com/zricethezav/gitleaks/wiki/Options).
-
-The only mandatory parameters are:
-- `-r`: The link to the repository you want to scan.
-- `--access-token`: Only for non-public repositories.
-- `--username` and `--password`: Only for non-public repositories.
-- `--config-path`: The ruleset you want to use.
-
-#### Ruleset
-
-At this point we provide three rulesets which you can pass to the `--config-path` oprtion:
-
-- `/home/config_all.toml`: Includes every rule.
-- `/home/config_filenames_only.toml`: Gitleaks scans only file names and extensions.
-- `/home/config_no_generics.toml`: No generic rules like searching for the word *password*. With this option you won't
-find something like **password = Ej2ifDk2jfeo2**, but it will reduce resulting false positives.
-
-If you like to provide your custom ruleset, you can create a configMap and mount it into
-the scan. Checkout the examples for more information about providing your own gitleaks rules config.
-{{- end }}
-
-{{- define "extra.chartConfigurationSection" -}}
-**Do not** override the option `--report-format` or `--report`. It is already configured for automatic findings parsing.
-
-## Additional Chart Configurations
-### secureCodeBox extended GitLeaks Features
-
-:::info
-If you run gitleaks based on a scheduledScan (e.g. one scan per day) it would be enough to scan all git-commits since the last executed schedule.
-Instead of scanning all commits in the complete git history every day it would save a lot of resources to scan only all commits of the last day.
-
-_Problem is: This is a feature and configuration option gitleaks is currently not supporting._
-
-That's why we created an [issue](https://github.com/zricethezav/gitleaks/issues/497) and a [pull request](https://github.com/zricethezav/gitleaks/pull/498) for that.
-If you like the idea, please vote for our issue and PR.
-
-If you already want to use our implementation (fork) of this feature you can use our [gitleaks forked docker image](https://hub.docker.com/r/securecodebox/gitleaks) instead of the gitleaks original image.
-:::
+Starting with version 8.0, gitleaks no longer supports cloning the repository directly.
+Instead, you will have to use an init container to do so.
+[We provide example scan definitions below](https://docs.securecodebox.io/docs/scanners/gitleaks/#examples) that you can build on.
 
+### Scanning Specific Timeframes
+When running gitleaks as a [scheduled scan](https://docs.securecodebox.io/docs/how-tos/automatically-repeating-scans), you may not want to go through the entire repository history every time.
+Gitleaks allows you to limit the commits it will scan using the `--log-opts` parameter, which accepts all parameters supported by `git log -p`.
+For example, if you want to scan only commits made in the last 7 days, on all branches of the repository, use the following parameters:
 ```yaml
-# Corresponding HelmChart Configuration
-scanner:
-  image:
-    # scanner.image.repository -- Container Image to run the scan
-    repository: docker.io/securecodebox/scanner-gitleaks
-    # scanner.image.tag -- defaults to the charts version
-    tag: v7.3.0
-```
-
-#### Deployment with extended GitLeaks
-```bash
-# Install HelmChart (use -n to configure another namespace)
-helm upgrade --install gitleaks secureCodeBox/gitleaks \
-  --set="scanner.image.repository=docker.io/securecodebox/scanner-gitleaks" \
-  --set="scanner.image.tag=v7.3.0"
-```
-
-#### Additional (Fork) Scanner configuration options
-```bash
---commit-since-duration= Scan commits more recent than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each
-                               with optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'.
---commit-until-duration= Scan commits older than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each with
-                               optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'.
-```
-
-#### Other useful options are:
-
-- `--commit-since`: Scan commits more recent than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format.
-- `--commit-until`: Scan commits older than a specific date. Ex: '2006-01-02' or '2006-01-02T15:04:05-0700' format.
-- `--repo-config`: Load config from target repo. Config file must be ".gitleaks.toml" or "gitleaks.toml".
-
-#### Finding format
-
-It is not an easy task to classify the severity of the scans because we can't tell for sure if the finding is e.g. a real
-or a testing password. Another issue is that the rate of false positives for generic rules can be very high. Therefore,
-we tried to classify the severity of the finding by looking at the accuracy of the rule which detected it. Rules for AWS
-secrets or Artifactory tokens are very precise, so they get a high severity. Generic rules on the other hand get a low
-severity because the often produce false positives.
-
-**Please keep in mind that findings with a low severity can be actually
-very critical.**
-
-#### Cascading Rules
-
-If you want to scan multiple repositories from GitHub or gitlab automatically at once, you should
-take a look at the cascading rules which get triggered by the **git-repo-scanner**.
-For more information on how to use **git-repo-scanner** checkout the
-[Readme](https://github.com/secureCodeBox/secureCodeBox/tree/main/scanners/git-repo-scanner).
-
-For cascading scans on public GitHub repositories you don't need any credentials. For the gitlab
-and private GitHub rules you need to provide an access token via environment. You could do that with
-the following commands:
-
-```bash
-kubectl create secret generic github-access-token --from-literal="token=<YOUR-GITHUB-TOKEN>"
-kubectl create secret generic gitlab-access-token --from-literal="token=<YOUR-GITLAB-TOKEN>"
+parameters:
+  # Run gitleaks in "detect" mode
+  - "detect"
+  # Point it at the location of the repository
+  - "--source"
+  - "/repo/"
+  # Only consider commits within the last 7 days, on all branches
+  - "--log-opts=--since=7days --all --full-history"
 ```
+Note that the parameters to `--log-opts` are not quoted separately due to the way the scanner is called inside secureCodeBox - adding extra quotes will break the scan!
+It is important to remember to pass `--all --full-history` when using `--log-opts`, as otherwise only the default branch will be scanned (when not using `--log-opts`, gitleaks adds these parameters implicitly).
+
+### Human-Friendly Commit URLs
+Before gitleaks 8.0, the findings used to contain a direct link to the commit that contained the secret.
+The base URL was pulled from the parameter given to gitleaks.
+Since this is no longer possible, we cannot automatically infer which repository the commits belong to.
+However, you can provide this information manually using a scan annotation called `metadata.scan.securecodebox.io/git-repo-url`.
+See the examples below on how to use it.
+
+### Cascading Scans
+Gitleaks works well in conjunction with [git-repo-scanner](https://docs.securecodebox.io/docs/scanners/git-repo-scanner) to enumerate Git repositories and scan them using cascading rules.
+We do not ship default cascading rules for this purpose.
+However, you can find instructions on running such cascading scans in [this article](https://docs.securecodebox.io/blog/2021/10/27/sast-scanning) - simply adapt it to use gitleaks instead of semgrep and you are good to go.
+
+### Providing Your Own Ruleset
+SecureCodeBox used to ship a number of default rulesets.
+We have stopped doing this, as the official ruleset of gitleaks is much more up-to-date and well-maintained.
+However, if you still want to write and use your own rulesets, we [provide an example below](https://docs.securecodebox.io/docs/scanners/gitleaks#provide-own-rules).
+The parser will set all found issues to `medium` severity by default.
+To override the severity in your own rulesets, include the result tag "HIGH" or "LOW" in your gitleaks rule.
+{{- end }}
 
-For more information on how to use cascades take a look at
-[Scanning Networks Example](https://docs.securecodebox.io/docs/how-tos/scanning-networks/)
+{{- define "extra.chartConfigurationSection" -}}
+**Do not** override the option `--report-format` or `--report-path`. It is already configured for automatic findings parsing.
 {{- end }}
 
 {{- define "extra.scannerLinksSection" -}}

diff --git a/scanners/gitleaks/Chart.yaml b/scanners/gitleaks/Chart.yaml
@@ -5,16 +5,13 @@
 apiVersion: v2
 name: gitleaks
 description: A Helm chart for the gitleaks repository scanner that integrates with the secureCodeBox.
-
 type: application
 # version - gets automatically set to the secureCodeBox release version when the helm charts gets published
 version: v3.1.0-alpha1
-appVersion: "v7.6.1"
+appVersion: "v8.3.0"
 kubeVersion: ">=v1.11.0-0"
-
 annotations:
   versionApi: https://api.github.com/repos/zricethezav/gitleaks/releases/latest
-
 keywords:
   - security
   - gitleaks

diff --git a/scanners/gitleaks/Makefile b/scanners/gitleaks/Makefile
@@ -7,7 +7,13 @@
 
 include_guard = set
 scanner = gitleaks
-custom_scanner = set
 
 include ../../scanners.mk
 
+integration-tests:
+	@echo ".: 🩺 Starting integration test in kind namespace 'integration-tests'."
+	kubectl -n integration-tests delete scans --all
+	cd ../../tests/integration/ && npm ci
+	cd ../../scanners/${scanner}
+	npx --yes --package jest@$(JEST_VERSION) jest --verbose --ci --colors --coverage --passWithNoTests ${scanner}/integration-tests
+