v8.28.0
Changelog
- 4fb4382 can't count
- b1c9c7e Composite rules (#1905)
- 72977e4 feat: add Anthropic API key detection (#1910)
- 7b02c98 fix(git): handle port (#1912)
- 2a7bcff don't prematurely calculate fragment newlines (#1909)
- bd79c3e feat(allowlist): promote optimizations (#1908)
- 7fb4eda Fix: CVEs on go and go crypto (#1868)
- a044b81 feat: add artifactory reference token and api key detection (#1906)
- bf380d4 silly
- f487f85 Update gitleaks.yml
- 958f55a add just like that, no leaks
Optimizations
#1909 defers locating newlines until a rule actually matches. This saves a great deal of time, since previously newlines were computed for every fragment regardless of whether any rule matched.
#1908 promoted @rgmz's excellent stopword optimization.
Composite Rules (Multi-part or required Rules) #1905
In v8.28.0 Gitleaks introduced composite rules, which are made up of a single "primary" rule and one or more auxiliary or required rules. To create a composite rule, add a [[rules.required]] table to the primary rule specifying an id and optionally withinLines and/or withinColumns proximity constraints. A fragment is a chunk of content that Gitleaks processes at once (typically a file, part of a file, or git diff), and proximity matching instructs the primary rule to only report a finding if the auxiliary required rules also find matches within the specified area of the fragment.
Proximity matching: Using the withinLines and withinColumns fields instructs the primary rule to only report a finding if the auxiliary required rules also find matches within the specified proximity. You can set:
- withinLines: N - required findings must be within N lines (vertically)
- withinColumns: N - required findings must be within N characters (horizontally)
- Both - creates a rectangular search area (both constraints must be satisfied)
- Neither - fragment-level matching (required findings can be anywhere in the same fragment)
Here are diagrams illustrating each proximity behavior:
p = primary captured secret
a = auxiliary (required) captured secret
fragment = section of data gitleaks is looking at
*Fragment-level proximity*
Any required finding in the fragment
[Diagram (box-drawing characters lost in extraction): one primary secret p and several auxiliary secrets a placed anywhere in the fragment; each auxiliary finding is annotated MATCH, so the primary finding is reported.]
*Column bounded proximity*
`withinColumns = 3`
[Diagram (box-drawing characters lost in extraction): auxiliary secrets at +1C and -2C from the primary secret p are annotated MATCH; an auxiliary secret at -4C is annotated NO MATCH.]
*Line bounded proximity*
`withinLines = 4`
[Diagram (box-drawing characters lost in extraction): auxiliary secrets at +1L and -1L from the primary secret p are annotated MATCH; an auxiliary secret at -5L is annotated NO MATCH.]
*Line and column bounded proximity*
`withinLines = 4`
`withinColumns = 3`
[Diagram (box-drawing characters lost in extraction): an auxiliary secret at +2L/+1C from the primary secret p is annotated MATCH; an auxiliary secret at -5L/+3C is annotated NO MATCH.]