
refactor(kubernetes-secret): tweak variable chars (#1520)

Richard Gomez пре 1 година
родитељ
комит
989ef19fb0
2 измењених фајлова са 5 додато и 6 уклоњено
  1. 3 4
      cmd/generate/config/rules/kubernetes.go
  2. 2 2
      config/gitleaks.toml

+ 3 - 4
cmd/generate/config/rules/kubernetes.go

@@ -17,8 +17,7 @@ func KubernetesSecret() *config.Rule {
 	// - valid base64 characters
 	// - longer than 10 characters (no "YmFyCg==")
 	//language=regexp
-	dataPat := `\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9]{10,}={0,3}["']?|\{\{[ \t\w.-]+}}|""|''))`
-	//dataPat := `\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*["']?[a-z0-9]{10,}={0,3})["']?`
+	dataPat := `\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9]{10,}={0,3}["']?|\{\{[ \t\w"|$:=,.-]+}}|""|''))`
 
 	// define rule
 	r := config.Rule{
@@ -35,10 +34,10 @@ func KubernetesSecret() *config.Rule {
 		Allowlist: config.Allowlist{
 			Regexes: []*regexp.Regexp{
 				// Ignore empty or placeholder values.
-				// variable: {{ .Values.Example }}
+				// variable: {{ .Values.Example }} (https://helm.sh/docs/chart_template_guide/variables/)
 				// variable: ""
 				// variable: ''
-				regexp.MustCompile(`[\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:\{\{[ \t\w.-]+}}|""|'')`),
+				regexp.MustCompile(`[\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:\{\{[ \t\w"|$:=,.-]+}}|""|'')`),
 			},
 		},
 	}
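Review bot: Widening the placeholder class to `[ \t\w"|$:=,.-]` in dataPat (L24) means an entry such as `foo: {{ .Values.foo | b64enc }}` now satisfies the capture group, so the lazy `(?:.|\s){0,100}?` prefix stops at that entry instead of skipping past it to a later key in the same `data:` block. With the old class on L22 a `|` inside `{{…}}` failed the alternative, so a following `password: <base64>` line could still be captured; now the templated entry is captured, the allowlist on L37 suppresses it, and — if the rule relies on one leftmost match per `data:` block, as the single capture group suggests — the real value after it is presumably never reported. Worth adding a fixture to the rule's test cases with `data:`, `  foo: {{ .Values.foo | b64enc }}`, `  password: c2vjcmv0dmfsdwuxmjm0` and confirming a finding is still produced; if it is not, consider dropping the placeholder alternatives from the capture group so the prefix skips templated entries rather than consuming the match. KubernetesSecret's body starts before this hunk and continues past it.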

+ 2 - 2
config/gitleaks.toml

@@ -2238,7 +2238,7 @@ keywords = [
 [[rules]]
 id = "kubernetes-secret-yaml"
 description = "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments"
-regex = '''(?i)(?:\bkind:[ \t]*["']?secret["']?(?:.|\s){0,200}?\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9]{10,}={0,3}["']?|\{\{[ \t\w.-]+}}|""|''))|\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9]{10,}={0,3}["']?|\{\{[ \t\w.-]+}}|""|''))(?:.|\s){0,200}?\bkind:[ \t]*["']?secret["']?)'''
+regex = '''(?i)(?:\bkind:[ \t]*["']?secret["']?(?:.|\s){0,200}?\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9]{10,}={0,3}["']?|\{\{[ \t\w"|$:=,.-]+}}|""|''))|\bdata:(?:.|\s){0,100}?\s+([\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:["']?[a-z0-9]{10,}={0,3}["']?|\{\{[ \t\w"|$:=,.-]+}}|""|''))(?:.|\s){0,200}?\bkind:[ \t]*["']?secret["']?)'''
 path = '''(?i)\.ya?ml$'''
 keywords = [
     "secret",
@@ -2247,7 +2247,7 @@ keywords = [
 [rules.allowlist]
 
 regexes = [
-    '''[\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:\{\{[ \t\w.-]+}}|""|'')''',
+    '''[\w.-]+:(?:[ \t]*(?:\||>[-+]?)\s+)?[ \t]*(?:\{\{[ \t\w"|$:=,.-]+}}|""|'')''',
 ]
 
 [[rules]]