gitleaks: --no-git option does not seem to be working properly
Describe the bug
This is very similar to issue #751. When I run gitleaks detect with --no-git option (which I assume should recursively scan all folders) no leaks are returned and scan finishes really fast without going into all subdirectories.
To Reproduce
- Create any private RSA key (.pem) or any other secret for that matter in a nested directory structure. Like this: /example/nest1/nest2/nest3/secret.pem
- Run
  gitleaks detect -s "/example/nest1/nest2" -v --no-git
  the secret.pem will be detected.
- Run
  gitleaks detect -s "/example/nest1/" -v --no-git
  the secret.pem will not be detected.
- Run the same thing using v7.6.1 and it works as expected.
Expected behavior
Recursively go through all files and folders under --source to report leaks.
Basic Info (please complete the following information):
- OS: Linux version 5.4.0-105-generic (buildd@lcy02-amd64-066) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04))
- Gitleaks Version: v8.6.1
cc @zricethezav
About this issue
- State: closed
- Created 2 years ago
- Comments: 17
@KameleonSec I’ll look at this time permitting, I have a full time job and don’t get paid for this.
10x is an abbreviation for thanks 😃
@KameleonSec please provide more detailed instructions with the report output and sample repo if you want me to debug this. From my tests, I am not seeing an issue with --no-git or nested directories.
The private key rule is another issue entirely. That regex could use some work.
@lutzwillek-tomtom Although it does explain some of the other leak misses. This specific issue is about the same test keys as @zricethezav used (without RSA just -----BEGIN PRIVATE KEY-----). Where all kinds of secrets aren't detected when nested. It fails the same, with and without the RSA keyword under the nested directory. 10x anyways
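A coverage cross-check for the nested-directory miss discussed in this thread, added here as an example and not taken from the issue or from the gitleaks project: it walks the source tree independently, flags files containing a PEM private-key header (with or without the RSA keyword), and lists any that a scanner's JSON report does not mention. The function names, the fixture and the assumption that each report entry carries a "File" path are this example's own.

```python
import json
import os
import re
import tempfile

# PEM private-key header, with or without a keyword such as RSA before PRIVATE KEY.
PEM_HEADER = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def files_with_pem_keys(source):
    """Walk every directory under source; return relative paths of files holding a PEM key header."""
    hits = set()
    for root, _dirs, names in os.walk(source):
        for name in names:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    if PEM_HEADER.search(fh.read()):
                        hits.add(os.path.relpath(path, source))
            except OSError:
                continue  # unreadable file: skip it, keep walking
    return hits


def missed_by_report(source, report_path):
    """Return files the walk flagged that the scanner's JSON report does not list."""
    with open(report_path, encoding="utf-8") as fh:
        findings = json.load(fh) or []
    # Assumption: findings carry a "File" path, absolute or relative to the current directory.
    base = os.path.abspath(source)
    reported = {os.path.relpath(os.path.abspath(f.get("File", "")), base) for f in findings}
    return sorted(files_with_pem_keys(source) - reported)


def demo(report_lists_key):
    """Constructed fixture: a placeholder key three levels down and a hand-written report."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "example")
        nested = os.path.join(source, "nest1", "nest2", "nest3")
        os.makedirs(nested)
        key = os.path.join(nested, "secret.pem")
        with open(key, "wb") as fh:
            fh.write(b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n")
        report = os.path.join(tmp, "report.json")
        with open(report, "w", encoding="utf-8") as fh:
            json.dump([{"File": key}] if report_lists_key else [], fh)
        return missed_by_report(source, report)

if __name__ == "__main__":
    print(demo(report_lists_key=False))
```

Run against a real tree, a non-empty result from `missed_by_report` means the scan did not reach, or did not match, a file the independent walk found.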