Update pre-commit hook gitleaks/gitleaks to v8.21.2 (main) #3232
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v8.16.3
->v8.21.2
Note: The
pre-commit
manager in Renovate is not supported by thepre-commit
maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.Release Notes
gitleaks/gitleaks (gitleaks/gitleaks)
v8.21.2
Compare Source
Changelog
43fae35
feat(rules): create Octopus Deploy api key (#1602)a158e4f
fix(aws-access-token): only match if correct length (#1584)b6e0eee
fix(config): ignore jquery/swagger w/o version (#1607)722e7d8
feat: add new GitLab tokens (#1560)961f2e6
feat(generic-api-key): tune false positives (#1606)e734fcf
Create .gitleaks.toml (#1605)7206d6b
feat(curl): tweak tps and fps (#1603)2db25f1
feat(config): ignore swagger-ui assets (#1604)e97695b
feat(generic-api-key): exclude keywords (#1587)0afb525
feat(okta): bump entropy to 4 (#1599)2068870
feat: update global allowlist (#1597)8cf93b9
refactor(allowlist): deduplicate commits & keywords (#1596)50c2818
feat(config): ignore jquery static assets (#1595)455ae0a
More rule fixes (#1586)5407c44
chore: log skipped symlinks (#1591)d03d6c4
feat: match left side of identifier (#1585)851c11a
what secrets?8cfa6b2
fix(rules): add entropy (#1580)9152eaa
feat(aws): add entropy & allowlist (#1582)93acc6e
feat(rules): add 1password token (#1583)83a5724
feat(config): add curl header rule (#1576)v8.21.1
Compare Source
Changelog
cf5334f
feat: add curl basic auth rule (#1575)d07b394
Update spelling in README.md (#1574)5c03fa4
refactor(allowlist): use iota for condition (#1569)12034a7
refactor(config): temporarily switch to [rules.allowlist] (#1573)v8.21.0
Compare Source
Changelog
aabe381
Define multiple allowlists per rule (#1496)8ea6085
build: upgrade gitleaks/go-gitdiff to v0.9.1 (#1559)be9d0f8
Fix rule extension (#1556)9988e52
Update base config allowlist (#1555)8fb39ba
feat(azure): detect Azure AD client secrets (#1199)14c924d
chore: match gitleaks.toml anywhere (#1553)respect @rgmz @9999years
v8.20.1
Compare Source
Changelog
b2fbaeb
feat(config): add placeholder regexes to global allowlist (#1547)00bb821
feat: add PrivateAI rule (#1548)445abe3
Bump golang verion used in docker build to match version specified in go.mod (#1551)1a2f656
feat: add cohere rule (#1549)82d737d
feat(generate): generate global (#1546)f6e5499
Feat/nuget config password rule (#1540)v8.20.0
Compare Source
Changelog
bf8a49f
Make private key check less greedy and include fifth dash (#1440)9c354f5
print tags if they exist2278a2a
Decode Base64 (#1488)c5b15c9
refactor(config): keyword map (#1538)a971a32
fix: use regexTarget for extend config (#1536)a0f2f46
feat: bump go to 1.22 (#1537)4e8d7d3
fix: handle pre-commit and staged (#1533)f8dcd83
Bugfix/1352 incorrect report multiple lines (#1501)Huge huge thanks to @bplaxco for supporting b64 decoding, @recreator66 for bug fixes, and to @rgmz for his continued support of the project in the form of PRs and reviews. Thanks you!
New Feature: Decoding
Sometimes secrets are encoded in a way that can make them difficult to find
with just regex. Now you can tell gitleaks to automatically find and decode
encoded text. The flag
--max-decode-depth
enables this feature (the defaultvalue "0" means the feature is disabled by default).
Recursive decoding is supported since decoded text can also contain encoded
text. The flag
--max-decode-depth
sets the recursion limit. Recursion stopswhen there are no new segments of encoded text to decode, so setting a really
high max depth doesn't mean it will make that many passes. It will only make as
many as it needs to decode the text. Overall, decoding only minimally increases
scan times.
The findings for encoded text differ from normal findings in the following
ways:
include that as well
decoded:<encoding>
anddecode-depth:<depth>
Currently supported encodings:
base64
(both standard and base64url)v8.19.3
Compare Source
Changelog
ed19c4e
fix(config): extend allowlist & handle extend when validating (#1524)989ef19
refactor(kubernetes-secret): tweak variable chars (#1520)191eb43
Revert "remove validate config test temporarily" (#1529)78f7d3f
feat: create fly.io rule (#1528)7098f6d
fix: to many false-positive for gltf files, add gltf suffix to allowlist (#1527)97dbe1e
Add support in .gitleaksignore file comment strings (#1425) (#1502)9e06824
Restrict Etsy keywords (#1491)db78260
feat(github): add entropy to rule (#1489)df126a7
feat(gcp): update api key rule (#1481)75dd70e
fix(hashicorp): ignore common fps (#1498)8510d39
fix(square): make prefix case sensitive (#1469)3698060
refactor(kubernetes-secret): collapse rules and update regex (#1462)v8.19.2
Compare Source
Changelog
128cd22
fix(rule): comment out errant validation case (#1509)1a6d2b0
remove validate config test temporarily0874ebc
Update README.mdv8.19.1
Compare Source
Changelog
9463ffa
fix flag access (#1506)v8.19.0
Compare Source
Changelog
44ad62e
Deprecatedetect
andprotect
. Addgit
,dir
,stdin
(#1504) HEY THIS IS AN IMPORTANT CHANGE. If it breaks some stuff... sorry, I'll fix it asap, just open an issue and make sure to ping me. The change is meant to be backwards compatible.e93a7c0
Update Harness rules to add _ and - in the account ID part. (#1503)4e43d11
chore: fix gl workflow error (#1487)bd81872
Make config generation utils public (#1480)3be7faa
Update Hashicorp Vault token pattern (#1483)1aae66d
feat(config): update rule validation (#1466)6dfcf5e
Update .gitleaksignoref361c5e
fix(detect): handle EOF with bytes (#1472)8a1ca9e
Added poetry.lock to default allowlist paths (#1474)525c4b4
refactor(sarif): remove |name| and change |shortDescription| (#1473)c0fda43
Use rule id for config validation error (#1463)d3c4b90
Use first non-empty group ifsecretGroup
isn't set (#1459)b4009bf
chore: remove unnecessary capture groups (#1460)80bd177
Return non-0 exit code fromDetectGit
(#1461)0334ec1
add gradle verification-metadata.xml to global allowlist (#1446)c1345e1
feat(openshift): add user token (#1449)7697b3e
(feat): Adding secret detection rule for Kubernetes secrets (#1454)26f3469
add version to defaultbc979de
Add go.work and go.work.sum to global allowlist (#1353)b899915
Add harness PAT and SAT rules (#1406)4c5195b
Update README.mdv8.18.4
Compare Source
Changelog
02808f4
Limit hashicorp-tf-password to .tf/.hcl files (#1420)07e1c30
rm printdb63fc1
reduce telegram... todo url and xml for later9a4538c
coderabbit.ai <3fe94ef9
Add NewRelic insert key detection (#1417)bb4424d
Improved Telegram bot token rule regex and added more test cases (#1404)575e923
Add intra42 client secret (#1408)Shout out to @coderabbit for their sponsorship!
v8.18.3
Compare Source
Changelog
39947b0
extend FB access token discovery (#1407)79cac73
tests: scalingo validation consistent test (#1359)247f423
add real (test) standard and restricted keys (#1375)821b232
Add Cloudflare API and Origin CA keys (#1374)57ac4b3
Update "contributing guidelines" link (#1390)db69e82
add update token from square (#1370)4b54328
feat: facebook secret, access token, and page access token rules (#1372)979f213
update mailchimp with new tokens (#1376)59c0cc7
Append ordered rules when extending (#1304)6c52f87
fix: age rule id with dashes (#1349)247a5e7
patching golang.org/x/text for CVE-2021-38561 and CVE-2022-32149 (#1342)8d23afd
Use latest base images. (#1334)v8.18.2
Compare Source
Changelog
ac4b514
removed gitleaks user from Dockerfile (#1313)76c9e31
Remove IAM identifiers for non-credential resources in the aws-access-token rule (#1307)afe046b
Update stripe rule to not alert on publishable keys (#1320)8b8920d
--max-target-megabytes flag now supported for --no-git flag as well (#1330)a59289c
add pre-commit hook gitleaks-system (#1225)870194b
fix errors when using protect and an external git diff tool (#1318)179c607
rename filesystem to directory (#1317)8de8938
Enhance Secret Descriptions (#1300)ca7aa14
Small refactordetect
andsources
(#1297)01e60c8
chore(config): refactor to go generate; simplify configRules init (#1295)54f5f04
forgot symlinks221d5c4
pretty apparent 'protect' and 'detect' should be merged into one command (#1294)128b50f
style: sort the stopwords (#1289)v8.18.1
Compare Source
Changelog
dab7d02
dont crash on 100gb files pls (#1292)e63b657
remove secretgroup from default config (#1288)20fcf50
feat: Hashicorp Terraform fields for password (#1237)b496677
perf: avoid allocations with(*regexp.Regexp).MatchString
(#1283)a3ab4e8
refactor: more explicit rules (#1280)bd9a25a
bugfix: reduce false positives for stripe tokens by using word boundaries in regex (#1278)6d0d8b5
add Infracost API rule (#1273)2959fc0
refactor: simplify test asserts (#1271)d37b38f
Update Makefile14b1ca9
refactor: change detect tests to t.Fatal instead of log.Fatal (#1270)d9f86d6
feat(rules): Add detection for Scalingo API Token (#1262)ed34259
feat(jwt): detect base64-encoded tokens (#1256)0d5e46f
feat: add --ignore-gitleaks-allow cmd flag (#1260)a82ac29
switch out libs (#1259)0b84afa
fix: no-color option should also affect zerolog output (#1242)8976539
Fixed lineEnd indexing if the match is the whole line (#1223)30c6117
feat: Add optional redaction value, default 100 (#1229)e9135cf
fix(jwt): longer segment lengths (#1214)f65f915
Added yarn.lock file to default allowlist paths (#1258)abfd0f3
Update README.md18283bb
feat(rules): make case insensitivity optional (#1215)9fb36b2
feat(rules): detect Hugging Face access tokens (#1204)db4bc0f
Resolve #1170 - Enable selection of a single rule (#1183)3cbcda2
Update authress.go to include alternate form account dash (-) (#1224)46c6272
refactor: remove unnecessary removing temp files in tests (#1255)963a697
refactor: use os.ReadFile instead of os.Open + io.ReadAll (#1254)163ec21
fix(sumologic): improve patterns (#1218)v8.18.0
Compare Source
What's Changed
New Contributors
Full Changelog: gitleaks/gitleaks@v8.17.0...v8.18.0
v8.17.0
Compare Source
What's Changed
REDACTED
to stopwords forgeneric-api-key
rule by @9999years in https://github.com/gitleaks/gitleaks/pull/1188.gitleaksignore
fingerprint lacks SHA by @rgmz in https://github.com/gitleaks/gitleaks/pull/1156--log-opts
values by @rgmz in https://github.com/gitleaks/gitleaks/pull/1160New Contributors
Full Changelog: gitleaks/gitleaks@v8.16.4...v8.17.0
v8.16.4
Compare Source
Changelog
6f75511
Added option to specify .gitleaksignore path (#1179) @pacorreia190ac97
Fix closing file in writeJson and writeSarif (#1187) @alexandear6dbb0c5
Simplify tests by using T.TempDir (#1186) @alexandear6705461
Fix typos in *.md, comments and logs (#1185) @alexandear9869eab
Update README.md16f1ec0
Update bug_report.md8d80a5a
Adding discord channel to readme146f69e
🐛 fix(sarif): update report to pass validator (#1167) @DariuszPorowskiConfiguration
📅 Schedule: Branch creation - "after 5am on thursday" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
To execute skipped test pipelines write comment
/ok-to-test
.This PR has been generated by MintMaker (powered by Renovate Bot).