
Merge pull request #105 from zricethezav/wlrepo

Wlrepo
Zachary Rice 7 лет назад
Родитель
Сommit
67454d109e
4 измененных файлов с 88 добавлено и 10 удалено
  1. 5 0
      CHANGELOG.md
  2. 1 0
      README.md
  3. 47 2
      gitleaks_test.go
  4. 35 8
      main.go

+ 5 - 0
CHANGELOG.md

@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+1.8.0
+-----
+- whitelist repos
+- sample config option
+
 1.7.3
 -----
 - style points

+ 1 - 0
README.md

@@ -46,6 +46,7 @@ Application Options:
       --csv            report output to csv
       --redact         redact secrets from log messages and report
       --version        version number
+      --sample-config  prints a sample config file
 
 Help Options:
   -h, --help           Show this help message

+ 47 - 2
gitleaks_test.go

@@ -56,6 +56,17 @@ regexes= [
 ]
 `
 
+const testWhitelistRepo = `
+[[regexes]]
+description = "AWS"
+regex = '''AKIA[0-9A-Z]{16}'''
+
+[whitelist]
+repos = [
+  "gronit",
+]
+`
+
 var benchmarkRepo *RepoDescriptor
 var benchmarkLeaksRepo *RepoDescriptor
 
@@ -166,9 +177,8 @@ func TestGetRepo(t *testing.T) {
 	}
 }
 func TestRun(t *testing.T) {
-	err := loadToml()
+	var err error
 	configsDir := testTomlLoader()
-	defer os.RemoveAll(configsDir)
 
 	dir, err = ioutil.TempDir("", "gitleaksTestOwner")
 	defer os.RemoveAll(dir)
@@ -185,7 +195,9 @@ func TestRun(t *testing.T) {
 		testOpts       Options
 		description    string
 		expectedErrMsg string
+		whiteListRepos []string
 		numLeaks       int
+		configPath     string
 	}{
 		{
 			testOpts: Options{
@@ -263,11 +275,23 @@ func TestRun(t *testing.T) {
 			numLeaks:       0,
 			expectedErrMsg: "reference not found",
 		},
+		{
+			testOpts: Options{
+				GithubOrg: "gitleakstestorg",
+			},
+			description:    "test github org",
+			numLeaks:       0,
+			expectedErrMsg: "",
+			configPath:     path.Join(configsDir, "repo"),
+		},
 	}
 	g := goblin.Goblin(t)
 	for _, test := range tests {
 		g.Describe("TestRun", func() {
 			g.It(test.description, func() {
+				if test.configPath != "" {
+					os.Setenv("GITLEAKS_CONFIG", test.configPath)
+				}
 				opts = test.testOpts
 				leaks, err := run()
 				if err != nil {
@@ -344,6 +368,7 @@ func testTomlLoader() string {
 	ioutil.WriteFile(path.Join(tmpDir, "branch"), []byte(testWhitelistBranch), 0644)
 	ioutil.WriteFile(path.Join(tmpDir, "commit"), []byte(testWhitelistCommit), 0644)
 	ioutil.WriteFile(path.Join(tmpDir, "file"), []byte(testWhitelistFile), 0644)
+	ioutil.WriteFile(path.Join(tmpDir, "repo"), []byte(testWhitelistRepo), 0644)
 	return tmpDir
 }
 
@@ -387,6 +412,7 @@ func TestAuditRepo(t *testing.T) {
 		whiteListFiles    []*regexp.Regexp
 		whiteListCommits  map[string]bool
 		whiteListBranches []string
+		whiteListRepos    []string
 		whiteListRegexes  []*regexp.Regexp
 		configPath        string
 	}{
@@ -511,6 +537,20 @@ func TestAuditRepo(t *testing.T) {
 			configPath:  path.Join(configsDir, "commit"),
 			numLeaks:    2,
 		},
+		{
+			repo:        leaksRepo,
+			description: "audit whitelist repo",
+			numLeaks:    0,
+			whiteListRepos: []string{
+				"gronit",
+			},
+		},
+		{
+			repo:        leaksRepo,
+			description: "toml whitelist repo",
+			numLeaks:    0,
+			configPath:  path.Join(configsDir, "repo"),
+		},
 	}
 
 	whiteListCommits = make(map[string]bool)
@@ -540,6 +580,11 @@ func TestAuditRepo(t *testing.T) {
 				} else {
 					whiteListRegexes = nil
 				}
+				if test.whiteListRepos != nil {
+					whiteListRepos = test.whiteListRepos
+				} else {
+					whiteListRepos = nil
+				}
 
 				// config paths
 				if test.configPath != "" {
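Review bot: The `os.Setenv("GITLEAKS_CONFIG", test.configPath)` added inside the g.It closure is never cleared, so every later table entry whose configPath is empty still runs with the environment pointing at the repo-whitelist config, and the value also outlives TestRun for any test that runs after it in the package; add `defer os.Unsetenv("GITLEAKS_CONFIG")` directly after the Setenv (assuming goblin runs the It closure synchronously, which the visible code does not confirm). The earlier hunk of the same function drops `defer os.RemoveAll(configsDir)` without a replacement, so the temp config directory created by testTomlLoader is now left behind after each run; restoring that line is a one-line fix. The new `whiteListRepos []string` field in the TestRun table is never read by the loop, and in TestAuditRepo the `if test.whiteListRepos != nil { ... } else { whiteListRepos = nil }` branch is equivalent to the single line `whiteListRepos = test.whiteListRepos`. TestRun and TestAuditRepo both start and end outside these hunks.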

+ 35 - 8
main.go

@@ -90,12 +90,13 @@ type Options struct {
 	// TODO: IncludeMessages  string `long:"messages" description:"include commit messages in audit"`
 
 	// Output options
-	Log     string `short:"l" long:"log" description:"log level"`
-	Verbose bool   `short:"v" long:"verbose" description:"Show verbose output from gitleaks audit"`
-	Report  string `long:"report" description:"path to write report file"`
-	CSV     bool   `long:"csv" description:"report output to csv"`
-	Redact  bool   `long:"redact" description:"redact secrets from log messages and report"`
-	Version bool   `long:"version" description:"version number"`
+	Log          string `short:"l" long:"log" description:"log level"`
+	Verbose      bool   `short:"v" long:"verbose" description:"Show verbose output from gitleaks audit"`
+	Report       string `long:"report" description:"path to write report file"`
+	CSV          bool   `long:"csv" description:"report output to csv"`
+	Redact       bool   `long:"redact" description:"redact secrets from log messages and report"`
+	Version      bool   `long:"version" description:"version number"`
+	SampleConfig bool   `long:"sample-config" description:"prints a sample config file"`
 }
 
 // Config struct for regexes matching and whitelisting
@@ -109,6 +110,7 @@ type Config struct {
 		Regexes  []string
 		Commits  []string
 		Branches []string
+		Repos    []string
 	}
 }
 
@@ -121,10 +123,16 @@ type gitDiff struct {
 }
 
 const defaultGithubURL = "https://api.github.com/"
-const version = "1.7.3"
+const version = "1.8.0"
 const errExit = 2
 const leakExit = 1
 const defaultConfig = `
+# This is a sample config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
+# The output you are seeing here is the default gitleaks config. If GITLEAKS_CONFIG environment variable
+# is set, gitleaks will load configurations from that path. If option --config-path is set, gitleaks will load
+# configurations from that path. Gitleaks does not whitelist anything by default.
+
+
 title = "gitleaks config"
 # add regexes to the regex table
 [[regexes]]
@@ -150,7 +158,6 @@ description = "Twitter"
 regex = '''(?i)twitter.*['\"][0-9a-zA-Z]{35,44}['\"]'''
 
 [whitelist]
-
 #regexes = [
 #  "AKAIMYFAKEAWKKEY",
 #]
@@ -167,6 +174,10 @@ regex = '''(?i)twitter.*['\"][0-9a-zA-Z]{35,44}['\"]'''
 #branches = [
 #	"dev/STUPDIFKNFEATURE"
 #]
+
+#repos = [
+#	"someYugeRepoWeKnowIsCLEAR"
+#]
 `
 
 var (
@@ -177,6 +188,7 @@ var (
 	whiteListFiles    []*regexp.Regexp
 	whiteListCommits  map[string]bool
 	whiteListBranches []string
+	whiteListRepos    []string
 	fileDiffRegex     *regexp.Regexp
 	sshAuth           *ssh.PublicKeys
 	dir               string
@@ -196,6 +208,10 @@ func main() {
 		fmt.Println(version)
 		os.Exit(0)
 	}
+	if opts.SampleConfig {
+		fmt.Println(defaultConfig)
+		os.Exit(0)
+	}
 	leaks, err := run()
 	if err != nil {
 		log.Error(err)
@@ -354,6 +370,11 @@ func auditGitRepo(repo *RepoDescriptor) ([]Leak, error) {
 		err   error
 		leaks []Leak
 	)
+	for _, repoName := range whiteListRepos {
+		if repoName == repo.name {
+			return nil, fmt.Errorf("skipping %s, whitelisted", repoName)
+		}
+	}
 	ref, err := repo.repository.Head()
 	if err != nil {
 		return leaks, err
@@ -694,6 +715,11 @@ func cloneGithubRepo(githubRepo *github.Repository) (*RepoDescriptor, error) {
 		repo *git.Repository
 		err  error
 	)
+	for _, repoName := range whiteListRepos {
+		if repoName == *githubRepo.Name {
+			return nil, fmt.Errorf("skipping %s, whitelisted", repoName)
+		}
+	}
 	log.Infof("cloning: %s", *githubRepo.Name)
 	if opts.Disk {
 		ownerDir, err := ioutil.TempDir(dir, opts.GithubUser)
@@ -878,6 +904,7 @@ func loadToml() error {
 		}
 	}
 	whiteListBranches = config.Whitelist.Branches
+	whiteListRepos = config.Whitelist.Repos
 	whiteListCommits = make(map[string]bool)
 	for _, commit := range config.Whitelist.Commits {
 		whiteListCommits[commit] = true