Update README.md

Zachary Rice 3 years ago
commit 31ff8677dd
1 changed files with 33 additions and 63 deletions

+ 33 - 63
README.md

@@ -1,10 +1,10 @@
-
+# gitleaks
 ```
-○
-│╲
-│ ○
-○ ░
-░    gitleaks
+┌────┐
+│╲
+│ ○
+○ ░
+└─░───┘
 ```
 
 
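Review bot: the redrawn box has mismatched border widths: `+┌────┐` is six characters wide while `+└─░───┘` is seven, so the right-hand edge will not line up inside the monospace block; drop one `─` from the bottom line (`└─░──┘`) or widen the top border by one. Also, since `+# gitleaks` now makes this the first fenced block in the README, tagging the fence (```text) keeps renderers from trying to syntax-highlight the box-drawing characters.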
@@ -200,93 +200,63 @@ title = "Gitleaks title"
 # An array of tables that contain information that define instructions
 # on how to detect secrets
 [[rules]]
+
 # Unique identifier for this rule
 id = "awesome-rule-1"
+
 # Short human readable description of the rule.
 description = "awesome rule 1"
+
 # Golang regular expression used to detect secrets. Note Golang's regex engine
 # does not support lookaheads.
 regex = '''one-go-style-regex-for-this-rule'''
+
 # Golang regular expression used to match paths. This can be used as a standalone rule or it can be used
 # in conjunction with a valid `regex` entry.
 path = '''a-file-path-regex'''
+
 # Array of strings used for metadata and reporting purposes.
 tags = ["tag","another tag"]
+
 # Int used to extract secret from regex match and used as the group that will have
 # its entropy checked if `entropy` is set.
 secretGroup = 3
+
 # Float representing the minimum shannon entropy a regex group must have to be considered a secret.
 entropy = 3.5
+
 # You can include an allowlist table for a single rule to reduce false positives or ignore commits
 # with known/rotated secrets
 [rules.allowlist]
 description = "ignore commit A"
 commits = [ "commit-A", "commit-B"]
-paths = ['''one-file-path-regex''']
-regexes = ['''one-regex-within-the-already-matched-regex''']
+paths = [
+	'''go\.mod''',
+	'''go\.sum'''
+]
+regexes = [
+   	'''process''',
+	'''getenv''',
+]
 
 # This is a global allowlist which has a higher order of precedence than rule-specific allowlists.
 # If a commit listed in the `commits` field below is encountered then that commit will be skipped and no
 # secrets will be detected for said commit. The same logic applies for regexes and paths.
 [allowlist]
-description = "ignore commit A"
-commits = [ "commit-A", "commit-B"]
-paths = ['''one-file-path-regex''']
-regexes = ['''one-regex-within-the-already-matched-regex''']
+description = "global allow list"
+commits = [ "commit-A", "commit-B", "commit-C"]
+paths = [
+	'''gitleaks\.toml''',
+	'''(.*?)(jpg|gif|doc)'''
+]
+regexes = [
+    	'''219-09-9999''', 
+    	'''078-05-1120''', 
+    	'''(9[0-9]{2}|666)-\d{2}-\d{4}''',
+]
 ```
 Refer to the default [gitleaks config](https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) for examples and advice on writing regular expressions for secret detection.
 
-### Tips on Writing Regular Expressions
- Gitleaks rules are defined by regular expressions and entropy ranges.
- Some secrets have unique signatures which make detecting those secrets easy.
- Examples of those secrets would be Gitlab Personal Access Tokens, AWS keys, and Github Access Tokens.
- All these examples have defined prefixes like `glpat`, `AKIA`, `ghp_`, etc.
-
- Other secrets might just be a hash which means we need to write more complex rules to verify
- that what we are matching is a secret.
-
- Here is an example of a semi-generic secret
-```
-discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"
-```
- We can write a regular expression to capture the variable name (identifier),
- the assignment symbol (like '=' or ':='), and finally the actual secret.
- The structure of a rule to match this example secret is below:
-
-                                                           Beginning string
-                                                               quotation
-                                                                   │            End string quotation
-                                                                   │                      │
-                                                                   ▼                      ▼
-    (?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]
-
-                   ▲                              ▲                                ▲
-                   │                              │                                │
-                   │                              │                                │
-              identifier                  assignment symbol
-                                                                                Secret
-
-
-#### A Note on Generic Secrets
-Let's continue with the example `discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"`.
-This secret would match both the `discord-client-secret` rule and the `generic-api-key` rule in the default config.
-```
-[[rules]]
-id = "discord-client-secret"
-description = "Discord client secret"
-regex = '''(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-z0-9=_\-]{32})['\"]'''
-secretGroup = 3
-
-[[rules]]
-id = "generic-api-key"
-description = "Generic API Key"
-regex = '''(?i)((key|api|token|secret|password)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]'''
-entropy = 3.7
-secretGroup = 4
-```
-If gitleaks encountered `discord_client_secret = "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ"`, only the `discord` rule would report a finding because
-the generic rule has the string `generic` somewhere in the rule's `id`. If a secret is encountered and both a `generic` and non-generic rule have discovered the same secret, the non-generic
-will be given precedence.
 
 
 ## Sponsorships
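Review bot: this hunk removes the whole "Tips on Writing Regular Expressions" and "A Note on Generic Secrets" sections, including the documented precedence behaviour (when both a rule whose `id` contains `generic` and a non-generic rule match the same secret, only the non-generic rule reports), and neither the added lines nor the commit message "Update README.md" says where that guidance went; either relocate it and link it from the config section, or record in the commit message that it is intentionally dropped. Smaller points in the new config example: the allowlist arrays mix spaces and tabs for indentation (`+   	'''process''',` uses three spaces plus a tab while `+	'''getenv''',` uses a tab only), the lines `+    	'''219-09-9999''', ` and `+    	'''078-05-1120''', ` carry trailing whitespace, and `[rules.allowlist]` keeps `description = "ignore commit A"` even though the entry now also allowlists the `go\.mod`/`go\.sum` paths and the `process`/`getenv` regexes, so the description no longer describes what the allowlist does.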