gitleaks: gitleaks ignores default config and doesn't merge configs

Describe the bug: If I have a config like the following, zero secrets are detected. I’m unable to specify a few allow directives.

[allowlist]
paths = ["testdata/malformed_key.pem"]

gitleaks reports no secrets, but there are some. This is likely due to gitleaks thinking --config should replace the default config, but that’s not what I want.

gitleaks version: 8.8.5

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks 

9:39AM INF scan completed in 4.701718ms
9:39AM INF no leaks found
finished gitleaks check

Expected behavior: It would be nice to have a way to allow a few entries, as many projects require dummy keys.

Basic Info (please complete the following information):

  • OS: macOS 12.x
  • Gitleaks Version: 8.8.5

cc @zricethezav

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 2
  • Comments: 22 (10 by maintainers)

Most upvoted comments

Thanks, I hear you guys. I’m thinking of ways to introduce this. In the meantime if you want this feature expedited consider reaching out to me for a maintenance and support agreement https://gitleaks.io/products.html

Some design restrictions I want to impose:

  • no cli arguments, everything should be defined within the config
  • resource authentication should be kept to a minimum, if any at all. I.e. if the base config is pointing to a URL, that URL should be publicly available without authentication, or maybe a bearer token… still undecided on whether or not I want to support authentication
  • no merging, only extending the config

So a config might look something like

title = "repo foo gitleaks config"

[extends]
  url = "https://github.com/zricethezav/gitleaks/config/baseconfig.toml"
  # path = "path/to/base/config.toml" 
  # useDefault = true

Only one url, path, or useDefault should be specified. useDefault would extend the repo config with the default gitleaks config

cc @adamdecaf
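To make the replace-versus-extend distinction in the proposal above concrete, here is an added Go example. It is not gitleaks code: the Rule and Config types, the regexes and the two-rule "default" config are constructed stand-ins, and url/path loading is left out. With no extends table the repo config replaces the default wholesale, which is why a config that carries only an allowlist finds nothing (the 8.8.5 behaviour in the report); with useDefault the repo's allowlist paths and rules are appended to the baked-in defaults and base rules are left untouched (extend, not merge); and setting more than one of url, path or useDefault is rejected.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Rule is a constructed stand-in for a gitleaks detection rule: an ID and the
// regex that flags a secret. It is not the project's own type.
type Rule struct {
	ID    string
	Regex *regexp.Regexp
}

// Extend mirrors the [extends] table sketched in the thread. Exactly one of
// URL, Path or UseDefault may be set; only UseDefault is resolved here.
type Extend struct {
	URL        string
	Path       string
	UseDefault bool
}

// Config is the subset of a gitleaks-style config this example needs.
type Config struct {
	Title          string
	Extend         Extend
	Rules          []Rule
	AllowlistPaths []*regexp.Regexp
}

// defaultConfig stands in for the rule set baked into the gitleaks binary
// (constructed: two rules, no allowlist).
var defaultConfig = Config{
	Title: "gitleaks default (constructed)",
	Rules: []Rule{
		{ID: "private-key", Regex: regexp.MustCompile(`-----BEGIN (?:RSA |EC )?PRIVATE KEY-----`)},
		{ID: "generic-api-key", Regex: regexp.MustCompile(`(?i)api[_-]?key\s*[:=]\s*["']?[a-z0-9]{16,}`)},
	},
}

// validateExtend enforces "only one url, path, or useDefault".
func validateExtend(e Extend) error {
	n := 0
	for _, set := range []bool{e.URL != "", e.Path != "", e.UseDefault} {
		if set {
			n++
		}
	}
	if n > 1 {
		return errors.New("extends: specify only one of url, path, or useDefault")
	}
	return nil
}

// Resolve computes the effective config. Without an [extends] table it keeps
// the replace semantics from the report: the --config file stands alone, so a
// file that only carries an allowlist has zero rules. With useDefault the repo
// config extends the baked-in default: base rules are copied unchanged, and the
// repo's rules and allowlist paths are appended after them.
func Resolve(repo Config) (Config, error) {
	if err := validateExtend(repo.Extend); err != nil {
		return Config{}, err
	}
	switch {
	case repo.Extend.UseDefault:
		out := Config{Title: repo.Title}
		out.Rules = append(append([]Rule{}, defaultConfig.Rules...), repo.Rules...)
		out.AllowlistPaths = append(append([]*regexp.Regexp{}, defaultConfig.AllowlistPaths...), repo.AllowlistPaths...)
		return out, nil
	case repo.Extend.URL != "" || repo.Extend.Path != "":
		return Config{}, errors.New("extends: url/path loading is outside this example")
	default:
		return repo, nil
	}
}

// Scan returns the IDs of rules that fire on content at path; allowlisted
// paths are skipped entirely, so nothing is reported for them.
func Scan(cfg Config, path, content string) []string {
	for _, p := range cfg.AllowlistPaths {
		if p.MatchString(path) {
			return nil
		}
	}
	var ids []string
	for _, r := range cfg.Rules {
		if r.Regex.MatchString(content) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

// repoConfig is the reporter's config: an allowlist for one dummy key file and
// nothing else, with or without the proposed useDefault switch.
func repoConfig(useDefault bool) Config {
	return Config{
		Title:          "repo foo gitleaks config",
		Extend:         Extend{UseDefault: useDefault},
		AllowlistPaths: []*regexp.Regexp{regexp.MustCompile(`^testdata/malformed_key\.pem$`)},
	}
}

// dummyKey is constructed test content that the private-key rule matches.
const dummyKey = "-----BEGIN RSA PRIVATE KEY-----\nnot-a-real-key\n"

func main() {
	for _, useDefault := range []bool{false, true} {
		cfg, err := Resolve(repoConfig(useDefault))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("useDefault=%v rules=%d\n", useDefault, len(cfg.Rules))
		fmt.Println("  testdata/malformed_key.pem ->", Scan(cfg, "testdata/malformed_key.pem", dummyKey))
		fmt.Println("  src/deploy.go              ->", Scan(cfg, "src/deploy.go", dummyKey))
	}
}
```

Running it prints the two outcomes side by side: with useDefault=false the resolved config has zero rules and the key in src/deploy.go goes unreported, which is the "no leaks found" from the report; with useDefault=true the allowlisted testdata file is skipped while the same key in src/deploy.go is flagged by private-key.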

@zricethezav awesome! We just tested this feature and it is working just as expected/hoped 🥇

Looking forward to upgrading to a new version with this feature included 😄

I have a branch I’m working on locally and still deciding on the design of this. Next month or two probably, or maybe next week. idk

@adamdecaf @very-doge-wow @foolioo @wolfch-elsevier I just merged https://github.com/zricethezav/gitleaks/pull/926. Check out the updated https://github.com/zricethezav/gitleaks#configuration section for instructions on how to use this new feature. Feel free to pull down master and try it out before I release it sometime this week with 8.9.0

With the release of https://github.com/zricethezav/gitleaks/releases/tag/v8.9.0 I’m gonna close out this issue. Thanks for being patient and hope you get some value out of the new feature. Feel free to re-open or continue the discussion 👍🏻

Hi @adamdecaf, this isn’t a bug as --config replaces the default config by design. I am considering ways to extend the default config in the future.

But won’t includeDefault=true try and download the default config from GitHub?

@very-doge-wow, nope. includeDefault will use what is already baked into the binary

https://github.com/zricethezav/gitleaks/blob/master/config/config.go#L186-L206

https://github.com/zricethezav/gitleaks/blob/master/config/config.go#L13-L14

@zricethezav, I am echoing @adamdecaf. It will be great if there is a separate config to allow users to customize the global allowlists without overwriting the default config.