
feat(config): ignore swagger-ui assets (#1604)

also, ignore a publicly known Checkmarx secret
Richard Gomez 1 год назад
2db25f1367

+ 8 - 1
cmd/generate/config/base/config.go

@@ -50,6 +50,8 @@ func CreateGlobalConfig() config.Config {
 				regexp.MustCompile(`^\{\d{0,2}}$`),                       // Python (https://docs.python.org/3/tutorial/inputoutput.html)
 				// Urban Code Deploy (https://www.ibm.com/support/pages/replace-token-step-replaces-replacement-values-windows-variables)
 				regexp.MustCompile(`^@([A-Z_]+|[a-z_]+)@$`),
+
+				// ----------- Miscellaneous -----------
 			},
 			Paths: []*regexp.Regexp{
 				regexp.MustCompile(`gitleaks\.toml`),
@@ -80,7 +82,7 @@ func CreateGlobalConfig() config.Config {
 				regexp.MustCompile(`(^|/)npm-shrinkwrap\.json$`),
 				regexp.MustCompile(`(^|/)bower_components/.*?$`),
 				// TODO: Add more common static assets, such as swagger-ui.
-				regexp.MustCompile(`(^|/)jquery(-ui)?-[a-zA-Z0-9.-]+\.js$`),
+				regexp.MustCompile(`(^|/)(jquery(-?ui)?|swagger-?ui)-[a-zA-Z0-9.-]+\.js(\.map)?$`),
 
 				// ----------- Python files -----------
 				// Dependencies and lock files.
@@ -100,6 +102,11 @@ func CreateGlobalConfig() config.Config {
 				regexp.MustCompile(`Database.refactorlog`),
 				//regexp.MustCompile(`vendor`),
 			},
+			StopWords: []string{
+				// ----------- Secrets -----------
+				// Checkmarx client secret. (https://github.com/checkmarx-ts/checkmarx-python-sdk/blob/86560f6e2a3e46d16322101294da10d5d190312d/README.md?plain=1#L56)
+				"014df517-39d1-4453-b7b3-9930c563627c",
+			},
 		},
 	}
 }
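Review bot: The `// TODO: Add more common static assets, such as swagger-ui.` comment left in the second hunk is now stale, because the line directly below it is the one that adds swagger-ui; drop the "such as swagger-ui" part or the whole TODO. The widened alternation `(jquery(-?ui)?|swagger-?ui)-[a-zA-Z0-9.-]+\.js(\.map)?$` also accepts the `jqueryui-` and `swaggerui-` spellings now, and a one-line comment naming the vendor file layouts it is meant to cover would help a reader judge later additions. Since this is a path allowlist, every `.js`/`.js.map` whose basename starts with one of these prefixes is skipped entirely, including hand-authored files that happen to share the prefix; that is presumably the accepted trade-off, but it is worth stating in the comment. The `// ----------- Miscellaneous -----------` header added in the first hunk opens an empty section under `Regexes`; either leave it out until an entry exists or say what belongs there. CreateGlobalConfig starts and ends outside these hunks.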

+ 3 - 1
cmd/generate/config/base/config_test.go

@@ -89,10 +89,12 @@ func TestConfigAllowlistPaths(t *testing.T) {
 		invalid []string
 		valid   []string
 	}{
-		"javascript - jquery.js": {
+		"javascript - common static assets": {
 			invalid: []string{
 				`src/main/resources/static/jquery-ui-1.12.1/jquery-ui-min.js`,
 				`src/main/resources/static/js/jquery-ui-1.10.4.min.js`,
+				`swagger/swaggerui/swagger-ui-bundle.js.map`,
+				`swagger/swaggerui/swagger-ui-es-bundle.js.map`,
 			},
 		},
 		"python": {
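Review bot: The new `invalid` entries only exercise the `swagger-ui-` spelling, so nothing covers the `swaggerui-`/`jqueryui-` forms the widened regex now accepts, and the renamed case has no `valid` entries, so a near-miss such as `swagger-ui.js` (no trailing `-segment`) or a non-JavaScript file under `swagger/` is never checked to still be scanned. Assuming `valid` lists paths that must not be allowlisted, as the struct fields suggest, adding something like `valid: []string{`swagger/swagger-ui.js`, `swagger/swagger-ui-config.yaml`}` alongside an `invalid` entry for `swaggerui-bundle.js` would pin both edges of the pattern. TestConfigAllowlistPaths starts and ends outside the hunk.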

+ 3 - 0
cmd/generate/config/rules/config.tmpl

@@ -22,6 +22,9 @@ regexes = [{{ range $i, $regex := . }}
 paths = [{{ range $i, $path := . }}
     '''{{ $path }}''',{{ end }}
 ]{{ end }}
+{{- with .Allowlist.StopWords }}{{println}}stopwords = [{{ range $j, $stopword := . }}
+    "{{ $stopword }}",{{ end }}
+]{{ end }}
 
 {{ range $i, $rule := .Rules }}[[rules]]
 id = "{{$rule.RuleID}}"
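Review bot: The new `stopwords` block emits each entry as a double-quoted TOML basic string, `"{{ $stopword }}"`, with no escaping, while the `paths` block directly above uses `'''…'''` literal strings; a stopword containing a `"` or `\` would yield a broken or silently altered value in the generated config. Using the same form as `paths`, `    '''{{ $stopword }}''',{{ end }}`, keeps the generator consistent and removes the escaping question (the only remaining restriction is that a literal string cannot contain `'''` itself). The single GUID entry this commit adds is unaffected either way, so this is about the generator's robustness rather than the current output.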

+ 4 - 1
config/gitleaks.toml

@@ -43,7 +43,7 @@ paths = [
     '''(^|/)pnpm-lock\.yaml$''',
     '''(^|/)npm-shrinkwrap\.json$''',
     '''(^|/)bower_components/.*?$''',
-    '''(^|/)jquery(-ui)?-[a-zA-Z0-9.-]+\.js$''',
+    '''(^|/)(jquery(-?ui)?|swagger-?ui)-[a-zA-Z0-9.-]+\.js(\.map)?$''',
     '''(^|/)(Pipfile|poetry)\.lock$''',
     '''(?i)/?(v?env|virtualenv)/lib(64)?/.+$''',
     '''(?i)(^|/)(lib(64)?/python[23](\.\d{1,2})+/|python/[23](\.\d{1,2})+/lib(64)?/).+$''',
@@ -53,6 +53,9 @@ paths = [
     '''verification-metadata.xml''',
     '''Database.refactorlog''',
 ]
+stopwords = [
+    "014df517-39d1-4453-b7b3-9930c563627c",
+]
 
 [[rules]]
 id = "1password-service-account-token"