zach rice vor 6 Jahren
c4da547503
9 geänderte Dateien mit 114 neuen und 109 gelöschten Zeilen
  1. 0 3
      README.md
  2. 59 26
      gitleaks.toml
  3. BIN
      src/.gitleaks_test.go.swp
  4. 3 19
      src/config.go
  5. 7 16
      src/constants.go
  6. 4 4
      src/core.go
  7. 14 14
      src/options.go
  8. 2 2
      src/repo.go
  9. 25 25
      src/utils.go

+ 0 - 3
README.md

@@ -77,12 +77,9 @@ Application Options:
       --owner-path=     Path to owner directory (repos discovered)
       --threads=        Maximum number of threads gitleaks spawns
       --disk            Clones repo(s) to disk
-      --single-search=  single regular expression to search for
       --config=         path to gitleaks config
       --ssh-key=        path to ssh key
       --exclude-forks   exclude forks for organization/user audits
-  -e, --entropy=        Include entropy checks during audit. Entropy scale: 0.0(no entropy) - 8.0(max entropy)
-      --noise-reduction Reduce the number of finds when entropy checks are enabled
       --repo-config     Load config from target repo. Config file must be ".gitleaks.toml"
       --branch=         Branch to audit
   -l, --log=            log level

+ 59 - 26
gitleaks.toml

@@ -1,39 +1,72 @@
-title = "gitleaks config"
-[[regexes]]
-description = "AWS"
+title = "sample gitleaks config"
+
+# This is a sample config file for gitleaks. You can configure gitleaks what to search for and what to whitelist.
+# The output you are seeing here is the default gitleaks config. If GITLEAKS_CONFIG environment variable
+# is set, gitleaks will load configurations from that path. If option --config-path is set, gitleaks will load
+# configurations from that path. Gitleaks does not whitelist anything by default.
+
+[[rules]]
+description = "AWS Key"
 regex = '''AKIA[0-9A-Z]{16}'''
-[[regexes]]
-description = "RKCS8"
+tags = ["key", "AWS"]
+
+[[rules]]
+description = "PKCS8"
 regex = '''-----BEGIN PRIVATE KEY-----'''
-[[regexes]]
+tags = ["key", "PKCS8"]
+
+[[rules]]
 description = "RSA"
 regex = '''-----BEGIN RSA PRIVATE KEY-----'''
-[[regexes]]
-description = "Github"
-regex = '''(?i)github.*['\"][0-9a-zA-Z]{35,40}['\"]'''
-[[regexes]]
+tags = ["key", "RSA"]
+
+[[rules]]
 description = "SSH"
 regex = '''-----BEGIN OPENSSH PRIVATE KEY-----'''
-[[regexes]]
-description = "Facebook"
-regex = '''(?i)facebook.*['\"][0-9a-f]{32}['\"]'''
-[[regexes]]
-description = "Twitter"
-regex = '''(?i)twitter.*['\"][0-9a-zA-Z]{35,44}['\"]'''
-[[regexes]]
+tags = ["key", "SSH"]
+
+[[rules]]
 description = "PGP"
 regex = '''-----BEGIN PGP PRIVATE KEY BLOCK-----'''
-[[regexes]]
-description = "Slack token"
-regex = '''xox[baprs]-.*'''
-[[regexes]]
-description = "Strip API Key"
-regex = '''(?i)(sk|pk)_(test|live)_[0-9a-zA-Z]{10,32}'''
+tags = ["key", "PGP"]
+
+[[rules]]
+description = "Facebook"
+regex = '''(?i)facebook(.{0,4})?['\"][0-9a-f]{32}['\"]'''
+tags = ["key", "Facebook"]
+
+[[rules]]
+description = "Twitter"
+regex = '''(?i)twitter(.{0,4})?['\"][0-9a-zA-Z]{35,44}['\"]'''
+tags = ["key", "Twitter"]
+
+[[rules]]
+description = "Github"
+regex = '''(?i)github(.{0,4})?['\"][0-9a-zA-Z]{35,40}['\"]'''
+tags = ["key", "Github"]
+
+[[rules]]
+description = "Slack"
+regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
+tags = ["key", "Slack"]
 
 [whitelist]
-regexes = [
-  # "AKIA.*EXAMPLE",
-]
 files = [
   "(.*?)(jpg|gif|doc|pdf|bin)$"
 ]
+#commits = [
+#  "whitelisted-commit1",
+#  "whitelisted-commit2",
+#]
+#repos = [
+#	"whitelisted-repo"
+#]
+
+# Additional Examples
+# [[rules]]
+# description = "Generic Key"
+# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
+# entropies = ["4.1-4.3"]
+# entropyROI = "line"
+# tags = ["key"]
+
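Review bot: The header comment in the new config says configurations are loaded when `--config-path` is set, but the option defined in src/options.go in this same commit (and shown in the README hunk) is `--config`, so the line should read `# is set, gitleaks will load configurations from that path. If option --config is set, gitleaks will load`. Separately, the rewritten Slack rule `xox[baprs]-([0-9a-zA-Z]{10,48})?` makes the token body optional, so the bare prefix `xoxb-` already matches and any mention of the prefix in prose or fixtures is reported; dropping the `?` (`regex = '''xox[baprs]-[0-9a-zA-Z]{10,48}'''`) keeps the intended tightening without that false positive. The defaultConfig string in src/constants.go appears to carry the same header text, so whichever wording is chosen should be applied there too.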

BIN
src/.gitleaks_test.go.swp
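Review bot: src/.gitleaks_test.go.swp is a Vim swap file committed as a binary; it is an editor artifact rather than source, and such files can carry unsaved buffer contents. It should be dropped from this commit and excluded going forward, for example with a `*.swp` entry in .gitignore.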


+ 3 - 19
src/config.go

@@ -25,7 +25,7 @@ type Rule struct {
 	severity    string
 	tags        []string
 	entropies   []*entropyRange
-    entropyROI  string
+	entropyROI  string
 }
 
 // TomlConfig is used for loading gitleaks configs from a toml file
@@ -36,7 +36,7 @@ type TomlConfig struct {
 		Entropies   []string
 		Tags        []string
 		Severity    string
-        EntropyROI  string
+		EntropyROI  string
 	}
 	Whitelist struct {
 		Files   []string
@@ -119,27 +119,11 @@ func (config *Config) update(tomlConfig TomlConfig) error {
 			severity:    rule.Severity,
 			tags:        rule.Tags,
 			entropies:   ranges,
-            entropyROI:  rule.EntropyROI,
+			entropyROI:  rule.EntropyROI,
 		}
 		config.Rules = append(config.Rules, r)
 	}
 
-	// // set stand alone rules from opts
-	// if opts.Entropy != 0.0 {
-	// 	ranges, err := getEntropyRanges([]string{fmt.Sprintf("0.0-%s", opts.Entropy)})
-	// 	if err != nil {
-	// 		log.Fatalf("could not create entropy range for %s", opts.Entropy)
-	// 	}
-	// 	r := &Rule{
-	// 		description: "Entropy ",
-	// 		severity:    "5",
-	// 		tags:        []string{"entropy"},
-	// 		entropies:   ranges,
-    //         entropyROI:
-	// 	}
-	// 	config.Rules = append(config.Rules, r)
-	// }
-
 	// set whitelists
 	config.WhiteList.commits = make(map[string]bool)
 	for _, commit := range tomlConfig.Whitelist.Commits {
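Review bot: `entropyROI: rule.EntropyROI,` copies the TOML value into the rule without validating it, while check in src/utils.go only tests `rule.entropyROI == "line"` and treats every other value, including a typo such as `Line`, as the per-word mode. Since update already returns an error, rejecting unknown values here would surface the misconfiguration instead of silently changing scan behaviour, e.g. `if roi := rule.EntropyROI; roi != "" && roi != "line" && roi != "word" { return fmt.Errorf("unknown entropyROI %q", roi) }` (requires fmt in scope in config.go). The accepted spelling for the word mode is not visible in this diff, so that token may need adjusting; the body of update continues outside the hunk.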

+ 7 - 16
src/constants.go

@@ -4,7 +4,11 @@ const version = "2.0.0"
 
 const defaultGithubURL = "https://api.github.com/"
 const defaultThreadNum = 1
+
+// ErrExit used to signal an error during gitleaks execution
 const ErrExit = 2
+
+// LeakExit used to signal leaks present in audit
 const LeakExit = 1
 
 const defaultConfig = `
@@ -14,14 +18,6 @@ const defaultConfig = `
 # configurations from that path. Gitleaks does not whitelist anything by default.
 
 title = "gitleaks config"
-# add rules to the rule table
-# [[rules]]
-# description = "Generic Key"
-# regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
-# entropies = ["4.1-4.3"]
-# entropyROI = "line"
-# tags = ["key"]
-
 [[rules]]
 description = "AWS Key"
 regex = '''AKIA[0-9A-Z]{16}'''
@@ -72,15 +68,10 @@ files = [
   "(.*?)(jpg|gif|doc|pdf|bin)$"
 ]
 #commits = [
-#  "BADHA5H1",
-#  "BADHA5H2",
+#  "whitelisted-commit1",
+#  "whitelisted-commit2",
 #]
 #repos = [
-#	"mygoodrepo"
-#]
-[misc]
-#entropy = [
-#	"3.3-4.30"
-#	"6.0-8.0
+#	"whitelisted-repo"
 #]
 `
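Review bot: The new doc comments `// ErrExit used to signal an error during gitleaks execution` and `// LeakExit used to signal leaks present in audit` are not full sentences, which is the form Go doc tooling expects; `// ErrExit is the process exit code used when gitleaks fails during execution.` and `// LeakExit is the process exit code used when the audit finds leaks.` read better. The `Err` prefix is also conventionally reserved for error values, so a reader may expect ErrExit to be an error rather than an int; renaming is outside this commit, but the comment should at least say "exit code" explicitly.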

+ 4 - 4
src/core.go

@@ -48,10 +48,10 @@ func Run(optsL *Options) (*Report, error) {
 	if err != nil {
 		return nil, err
 	}
-    if opts.ValidateConfig {
-        log.Info("valid gitleaks config")
-        return nil, nil
-    }
+	if opts.ValidateConfig {
+		log.Info("valid gitleaks config")
+		return nil, nil
+	}
 
 	if opts.Disk {
 		// temporary directory where all the gitleaks plain clones will reside

+ 14 - 14
src/options.go

@@ -35,23 +35,23 @@ type Options struct {
 	OwnerPath string `long:"owner-path" description:"Path to owner directory (repos discovered)"`
 
 	// Process options
-	Threads      int     `long:"threads" description:"Maximum number of threads gitleaks spawns"`
-	Disk         bool    `long:"disk" description:"Clones repo(s) to disk"`
-	ConfigPath   string  `long:"config" description:"path to gitleaks config"`
-	SSHKey       string  `long:"ssh-key" description:"path to ssh key"`
-	ExcludeForks bool    `long:"exclude-forks" description:"exclude forks for organization/user audits"`
-	RepoConfig   bool    `long:"repo-config" description:"Load config from target repo. Config file must be \".gitleaks.toml\""`
-	Branch       string  `long:"branch" description:"Branch to audit"`
+	Threads      int    `long:"threads" description:"Maximum number of threads gitleaks spawns"`
+	Disk         bool   `long:"disk" description:"Clones repo(s) to disk"`
+	ConfigPath   string `long:"config" description:"path to gitleaks config"`
+	SSHKey       string `long:"ssh-key" description:"path to ssh key"`
+	ExcludeForks bool   `long:"exclude-forks" description:"exclude forks for organization/user audits"`
+	RepoConfig   bool   `long:"repo-config" description:"Load config from target repo. Config file must be \".gitleaks.toml\""`
+	Branch       string `long:"branch" description:"Branch to audit"`
 	// TODO: IncludeMessages  string `long:"messages" description:"include commit messages in audit"`
 
 	// Output options
-	Log          string `short:"l" long:"log" description:"log level"`
-	Verbose      bool   `short:"v" long:"verbose" description:"Show verbose output from gitleaks audit"`
-	Report       string `long:"report" description:"path to write report file. Needs to be csv or json"`
-	Redact       bool   `long:"redact" description:"redact secrets from log messages and report"`
-	Version      bool   `long:"version" description:"version number"`
-	SampleConfig bool   `long:"sample-config" description:"prints a sample config file"`
-    ValidateConfig bool `long:"validate-config" description:"validate gitleaks config"`
+	Log            string `short:"l" long:"log" description:"log level"`
+	Verbose        bool   `short:"v" long:"verbose" description:"Show verbose output from gitleaks audit"`
+	Report         string `long:"report" description:"path to write report file. Needs to be csv or json"`
+	Redact         bool   `long:"redact" description:"redact secrets from log messages and report"`
+	Version        bool   `long:"version" description:"version number"`
+	SampleConfig   bool   `long:"sample-config" description:"prints a sample config file"`
+	ValidateConfig bool   `long:"validate-config" description:"validate gitleaks config"`
 }
 
 // ParseOpts parses the options

+ 2 - 2
src/repo.go

@@ -23,8 +23,8 @@ type Leak struct {
 	Line     string    `json:"line"`
 	Commit   string    `json:"commit"`
 	Offender string    `json:"offender"`
-	Rule string    `json:"rule"`
-	Info string    `json:"info"`
+	Rule     string    `json:"rule"`
+	Info     string    `json:"info"`
 	Message  string    `json:"commitMsg"`
 	Author   string    `json:"author"`
 	Email    string    `json:"email"`

+ 25 - 25
src/utils.go

@@ -41,9 +41,9 @@ func writeReport(leaks []Leak) error {
 		}
 		defer f.Close()
 		w := csv.NewWriter(f)
-		w.Write([]string{"repo", "line", "commit", "offender", "reason", "commitMsg", "author", "email", "file", "date"})
+		w.Write([]string{"repo", "line", "commit", "offender", "rule", "info", "tags", "commitMsg", "author", "email", "file", "date"})
 		for _, leak := range leaks {
-			w.Write([]string{leak.Repo, leak.Line, leak.Commit, leak.Offender, leak.Rule, leak.Message, leak.Author, leak.Email, leak.File, leak.Date.Format(time.RFC3339)})
+			w.Write([]string{leak.Repo, leak.Line, leak.Commit, leak.Offender, leak.Rule, leak.Info, leak.Tags, leak.Message, leak.Author, leak.Email, leak.File, leak.Date.Format(time.RFC3339)})
 		}
 		w.Flush()
 	} else {
@@ -91,28 +91,28 @@ func (rule *Rule) check(line string, commit *commitInfo) (*Leak, error) {
 	)
 
 	if rule.entropies != nil {
-        if rule.entropyROI == "line" {
-            _entropy := getShannonEntropy(line)
-            for _, e := range rule.entropies {
-                if _entropy > e.v1 && _entropy < e.v2 {
-                    entropy = _entropy
-                    entropyWord = line
-                    goto postEntropy
-                }
-            }
-        } else {
-            words := strings.Fields(line)
-            for _, word := range words {
-                _entropy := getShannonEntropy(word)
-                for _, e := range rule.entropies {
-                    if _entropy > e.v1 && _entropy < e.v2 {
-                        entropy = _entropy
-                        entropyWord = word
-                        goto postEntropy
-                    }
-                }
-            }
-        }
+		if rule.entropyROI == "line" {
+			_entropy := getShannonEntropy(line)
+			for _, e := range rule.entropies {
+				if _entropy > e.v1 && _entropy < e.v2 {
+					entropy = _entropy
+					entropyWord = line
+					goto postEntropy
+				}
+			}
+		} else {
+			words := strings.Fields(line)
+			for _, word := range words {
+				_entropy := getShannonEntropy(word)
+				for _, e := range rule.entropies {
+					if _entropy > e.v1 && _entropy < e.v2 {
+						entropy = _entropy
+						entropyWord = word
+						goto postEntropy
+					}
+				}
+			}
+		}
 	}
 
 postEntropy:
@@ -170,7 +170,7 @@ func newLeak(line string, info string, offender string, rule *Rule, commit *comm
 		Commit:   commit.sha,
 		Offender: offender,
 		Rule:     rule.description,
-        Info: info,
+		Info:     info,
 		Author:   commit.author,
 		Email:    commit.email,
 		File:     commit.filePath,
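Review bot: In writeReport the results of both `w.Write(...)` calls and of `w.Flush()` are discarded, so a short write to the CSV report (disk full, closed file) yields a truncated report while the function still returns nil; since writeReport already returns an error, follow `w.Flush()` with `if err := w.Error(); err != nil { return err }`, as csv.Writer records the first write or flush error in Error(). writeReport begins before the hunk and its else branch continues past it, so the other report format may need the same treatment. The new `tags` column also relies on a `leak.Tags` field that is not among the Leak struct changes shown in src/repo.go, so it is presumably a string added elsewhere; if it is a slice, this line will not compile.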