zach rice 6 лет назад
Сommit
275232f8c8

+ 9 - 1
audit/audit_test.go

@@ -153,6 +153,15 @@ func TestAudit(t *testing.T) {
 			},
 			wantPath: "../test_data/test_local_repo_four_alt_config_entropy.json",
 		},
+		{
+			description: "test local repo four entropy alternative config",
+			opts: options.Options{
+				RepoPath: "../test_data/test_repos/test_repo_1",
+				Report:   "../test_data/test_regex_whitelist.json.got",
+				Config:   "../test_data/test_configs/aws_key_aws_whitelisted.toml",
+			},
+			wantEmpty: true,
+		},
 	}
 
 	for _, test := range tests {
@@ -178,7 +187,6 @@ func TestAudit(t *testing.T) {
 			}
 			continue
 		}
-		// time.Sleep(time.Millisecond * 50)
 
 		err = m.Report()
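Review bot: The case added at L13-21 is described as `"test local repo four entropy alternative config"` although it scans `test_repo_1` with a plain AWS-key rule and a whitelist, and neither repo four nor entropy is involved — the wording appears copied from the preceding case (whose `wantPath` at L11 is the entropy alt-config report), so a failure would be misattributed; rename it, e.g. `description: "test regex whitelist suppresses aws key",`. Its `Report` path `../test_data/test_regex_whitelist.json.got` is also committed in this same commit with the `AKIAIO5FODNN7EXAMPLE` finding still in it, which contradicts `wantEmpty: true` and suggests a stale generated artifact; `.got` outputs should be written to a temp dir or gitignored rather than checked in, not least because the report file is exactly the kind of content a secret scanner's own repo should not carry. TestAudit starts and ends outside these hunks.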
 

+ 24 - 0
audit/util.go

@@ -87,6 +87,7 @@ func shannonEntropy(data string) (entropy float64) {
 	return entropy
 }
 
+// aws_access_key_id='AKIAIO5FODNN7EXAMPLE',
 // trippedEntropy checks if a given line falls in between entropy ranges supplied
 // by a custom gitleaks configuration. Gitleaks do not check entropy by default.
 func trippedEntropy(line string, rule config.Rule) bool {
@@ -144,6 +145,20 @@ func InspectString(content string, c *object.Commit, repo *Repo, filename string
 					// both entropy and regex set which work in combination. This helps narrow down false positives
 					// on searches for generic passwords in code.
 					match := rule.Regex.FindString(line)
+
+					// check if any rules are whitelisting this leak
+					if len(rule.Whitelist) != 0 {
+						for _, wl := range rule.Whitelist {
+							if fileMatched(filename, wl.File) {
+								// if matched, go to next rule
+								goto NEXTLINE
+							}
+							if wl.Regex.FindString(line) != "" {
+								goto NEXTLINE
+							}
+						}
+					}
+
 					if match != "" {
 						// both the regex and entropy in this rule have been tripped which means this line
 						// contains a leak
@@ -162,6 +177,7 @@ func InspectString(content string, c *object.Commit, repo *Repo, filename string
 						})
 					}
 				}
+			NEXTLINE:
 			}
 			return
 		}
@@ -197,6 +213,14 @@ func InspectString(content string, c *object.Commit, repo *Repo, filename string
 
 				offender := content[loc[0]:loc[1]]
 				line := content[start:end]
+
+				if len(rule.Whitelist) != 0 {
+					for _, wl := range rule.Whitelist {
+						if wl.Regex.FindString(line) != "" {
+							goto NEXT
+						}
+					}
+				}
 				if repo.Manager.Opts.Redact {
 					line = strings.ReplaceAll(line, offender, "REDACTED")
 					offender = "REDACTED"
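Review bot: Both whitelist checks test the regex against the whole `line` (L57, L81) instead of the matched secret (`match` at L48, `offender` at L76), so one allowlisted token suppresses every other finding on that line — with the `AKIAIO5FODNN7EXAMPLE.*` pattern from the test config, a real key following the example key on the same line is never reported; if per-secret suppression is intended, match against the secret, and in the entropy loop run the check only once `match != ""` so it is not evaluated for lines the rule did not hit. The two paths also disagree: L53 honours `wl.File` via `fileMatched`, while the plain-regex loop at L79-85 checks only `wl.Regex`, so a file-scoped whitelist silently does not apply to ordinary rules unless that is handled outside the hunk; the shared helper sketched below keeps them in step and guards `wl.Regex != nil`, since `FindString` on a nil `*regexp.Regexp` panics if the config loader can leave a file-only entry without a compiled pattern. The comment on L54 says "go to next rule", but `NEXTLINE` sits at the end of the per-line loop (L70), so the jump actually moves to the next line — a plain `continue` would say that without a label, provided no other loop sits between L48 and the label. Separately, the scratch line `// aws_access_key_id='AKIAIO5FODNN7EXAMPLE',` added at L41 is now the first line of trippedEntropy's doc comment and should be dropped. InspectString and the `NEXT` label lie outside these hunks.
```go
// whitelisted reports whether a whitelist entry on rule covers this file or
// this matched secret. A nil wl.Regex is treated as "no pattern", not a panic.
// NOTE(review): assumes fileMatched returns false for an unset wl.File — confirm.
func whitelisted(rule config.Rule, filename, secret string) bool {
	for _, wl := range rule.Whitelist {
		if fileMatched(filename, wl.File) {
			return true
		}
		if wl.Regex != nil && wl.Regex.FindString(secret) != "" {
			return true
		}
	}
	return false
}

// … in the entropy loop, after `match := rule.Regex.FindString(line)` …
if match == "" || whitelisted(rule, filename, match) {
	goto NEXTLINE // nothing to report on this line for this rule
}
// … unchanged: leak append …

// … in the plain-regex loop, after `line := content[start:end]` …
if whitelisted(rule, filename, offender) {
	goto NEXT
}
// … unchanged: redaction and leak append …
```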

+ 19 - 0
examples/pre-commit.example

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# This is an example of what adding gitleaks to a pre-commit hook would look like.
+
+gitleaksEnabled=$(git config --bool hooks.gitleaks)
+cmd="/Users/zrice/go/src/github.com/zricethezav/gitleaks/gitleaks --verbose --redact --pretty"
+if [ $gitleaksEnabled == "true" ]; then
+    $cmd
+    if [ $? -eq 1 ]; then
+cat <<\EOF
+Error: gitleaks has detected sensitive information in your changes.
+If you know what you are doing you can disable this check using:
+
+    git config hooks.gitleaks false
+
+EOF
+exit 1
+    fi
+fi
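Review bot: `cmd` on L99 hard-codes `/Users/zrice/go/src/github.com/zricethezav/gitleaks/gitleaks`, so the example fails on any other machine; use `cmd="gitleaks --verbose --redact --pretty"` and rely on PATH. The test on L100 is unquoted and uses `==`, which is not POSIX under `#!/bin/sh`: when `hooks.gitleaks` is unset `$gitleaksEnabled` expands to nothing and `[` reports a syntax error instead of evaluating, so write `if [ "$gitleaksEnabled" = "true" ]; then`. The hook only blocks on exit status exactly 1 (L102); unless gitleaks guarantees 1 for leaks and nothing else for errors, `if [ $? -ne 0 ]; then` is the safer default so a scanner failure does not let a commit through silently. The hook is also opt-in, so the header comment should state that `git config --bool hooks.gitleaks true` is required before it does anything.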

+ 17 - 0
examples/regex_and_entropy_config.toml

@@ -0,0 +1,17 @@
+# This config contains a single rule which defines a regex and a range of entropy values. If a rule has
+# both regex and entropy then that rule uses BOTH the regex and entropy in combination when performing an audit.
+# In other words, if a line of code has an entropy value that is within the range of the entropies defined and
+# a regex match is found then that line of code contains a leak.
+
+# So, for this example if a line of code has an entropy value of 4.6 AND matches the regex below then we got a leak.
+
+[[rules]]
+	description = "entropy and regex"
+	regex = '''(?i)key(.{0,20})?['|"][0-9a-zA-Z]{16,45}['|"]'''
+    entropies = [
+        "4.5-4.7",
+        "5.5-6.3",
+    ]
+	tags = ["entropy"]
+
+
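Review bot: The character class `['|"]` in the regex on L127 matches a literal `|` as well as the two quote characters — inside `[...]` the bar is not alternation — so a value wrapped in bars such as `key = |ABCDEFGHIJKLMNOP|` also trips the rule; write `['"]` for both occurrences. The header comment (L118-123) would be more useful if it said whether the `entropies` bounds are inclusive, since that decides whether a line scoring exactly 4.5 is flagged; nothing in this commit shows it. The rule also mixes a tab (`description`, `regex`, `tags`) with spaces (`entropies`) for indentation.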

+ 5 - 0
examples/simple_regex_and_whitelist_config.toml

@@ -0,0 +1,5 @@
+
+[[rules]]
+    description = "AWS Manager ID"
+    regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+    tags = ["key", "AWS"]
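Review bot: The file is named `simple_regex_and_whitelist_config.toml` but L141-144 are byte-identical to `simple_regex_config.toml` — there is no `[[rules.whitelist]]` table, so the example does not show the feature it is named for. Add the entry shape used by the test fixture in this commit, e.g. `[[rules.whitelist]]` / `regex = '''AKIAIO5FODNN7EXAMPLE'''` / `description = "ignore the AWS docs example key"`, plus a header comment stating that a line matching a whitelist regex is not reported for this rule.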

+ 6 - 0
examples/simple_regex_config.toml

@@ -0,0 +1,6 @@
+# This is a simple gitleaks config that contains one rule which checks for AWS keys.
+
+[[rules]]
+    description = "AWS Manager ID"
+    regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+    tags = ["key", "AWS"]

+ 7 - 0
test_data/test_configs/aws_key_aws_whitelisted.toml

@@ -0,0 +1,7 @@
+[[rules]]
+    description = "AWS Manager ID"
+    regex = '''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+    tags = ["key", "AWS"]
+        [[rules.whitelist]]
+            regex = '''AKIAIO5FODNN7EXAMPLE.*'''
+            description = "ignore aws key"
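Review bot: The trailing `.*` in the whitelist regex on L166 is redundant — a substring search succeeds on the bare key either way — and reads as if it were meant to scope the suppression; `regex = '''AKIAIO5FODNN7EXAMPLE'''` states the intent precisely. Because the whitelist in this commit is matched against the whole line rather than the offender, a fixture comment such as `# suppresses the whole line, including any other key on it` would keep the test's expectation honest if that behaviour is later tightened.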

+ 15 - 0
test_data/test_regex_whitelist.json.got

@@ -0,0 +1,15 @@
+[
+ {
+  "line": "    aws_access_key_id='AKIAIO5FODNN7EXAMPLE',",
+  "offender": "AKIAIO5FODNN7EXAMPLE",
+  "commit": "6557c92612d3b35979bd426d429255b3bf9fab74",
+  "repo": "test_repo_1",
+  "rule": "AWS Manager ID",
+  "commitMessage": "commit 1 with secrets\n",
+  "author": "zach rice",
+  "email": "zricer@protonmail.com",
+  "file": "server.test.py",
+  "date": "2019-10-24T09:29:27-04:00",
+  "tags": "key, AWS"
+ }
+]