gitleaks / gitleaks-action Goto Github PK
View Code? Open in Web Editor NEWProtect your secrets using Gitleaks-Action
Home Page: https://gitleaks.io
License: Other
Protect your secrets using Gitleaks-Action
Home Page: https://gitleaks.io
License: Other
Examples:
Issue: If the job exits early (fails) before the actual scan, the Summary still shows "No leaks detected", which is technically true, but certainly misleading :)
Instead, print something more correct like "β Scan did not complete"
This is my yaml:
name: gitleaks
on: [pull_request]
jobs:
gitleaks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
fetch-depth: '0'
- name: gitleaks-action
uses: zricethezav/gitleaks-action@master
If i got some leaks in my code and delete it and commit again it's still failed (it's run on all the commits history).
Itried to change fetch-depth to '' or '1' or '2' but when i do it it don't check any commit.
How can i change it to work only on last commit?
Allow user input to choose the report output and format.
The main reason for this would be to opt in to use the sarif format for integration with Github Security tab - but of course would be useful to create artifacts in various formats for different purposes.
Ideally then combine with an output for the file location too
I have setup the workflow env as in the main workflow and the "GITLEAKS_ENABLE_UPLOAD_ARTIFACT" is working as expected and no sarif is being uploaded with the action. However, GITLEAKS_NOTIFY_USER_LIST does not work as expected as gitleaks is not putting a comment ccing the user defined in input1. In fact, it does not do any comment.
env:
GITLEAKS_NOTIFY_USER_LIST: ${{ inputs.input1 }}
GITLEAKS_ENABLE_UPLOAD_ARTIFACT: ${{ inputs.input2 }}
Hey there, I'm having trouble finding documentation whether related explicitly to gitleaks or Github actions with regards to ignoring the yarn.lock
file generated automatically. It's throwing errors when running that file, it seems like it's seeing the hashes and not liking them:
Any thoughts? Thanks
Hi I have tried this workflow yaml in GitHub action
name: gitleaks
on: [pull_request, workflow_dispatch]
jobs:
scan:
name: gitleaks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} #
But this workflow keep on scanning previous commits and finding the secrets which I have already deleted in the previous commits. How to make above yaml to scan only the latest commit
I'd like this action to scan for more than just the last commit, so I forked it to scan all code (not commits). After adding a new action, I wanted to create a selection for users to select via input:
'last_commit' - Scan the last commit
'whole_repo' - Scan the entire repository
When I use workflow_dispatch with this selection, the main action scans all commits, so previous leaks are detected and the action fails every time.
Is this the expected behavior of this action?
Is it possible to configure this action to scan code, not commits?
Hi
Is there any plan to support the merge_group
Github Action event?
Cheers
Request to add support the on: pull_request_target
event in addition to pull_request
.
I haven't thought through whether or not this would be possible, but I'd hope it would just work like the pull_request
event.
Hi,
I've been using successfully Gitleaks checks in my repos for a long time, but lately my PRs are getting stuck waiting for "Gitleaks report to be reported". After further investigation, it appears that no checks were run on the PR, though Gitleaks is still waiting for the report. It looks like GitHub is responding as it should. This started to happen about one month ago and keep happening. This lead me in disabling Gitleaks as a required status checks to be able to work. I was wondering if someone could help me solve this problem...I did not change both my workflow and rules files below during this period, which are pretty basic:
Workflow file:
name: gitleaks
on: [pull_request, push, workflow_dispatch]
jobs:
scan:
name: gitleaks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
GITLEAKS_CONFIG: path/rules.toml
Rules file:
title = "Gitleaks Config File"
[extend]
useDefault = true
[allowlist]
description = "global allow list"
paths = [
'''path/rules.toml'''
]
stopwords = [
]
Thank you,
Igor
6/13/2022
On June 2, 2022, we released Gitleaks Action v2. There are a boatload of improvements in v2, but it also represents a breaking change from the prior version (v1.6.0). We haven't merged v2 to the master
branch yet because we noticed that many users of Gitleaks Action don't pin their version. If you are using zricethezav/gitleaks-action@master
(or now gitleaks/gitleaks-action@master
), then as soon as we merge v2 to master, your jobs will start failing.
We are planning to complete the merge on June 20, 2022. We recommend updating your .yml files to use v2 now so you aren't scrambling to do it after your gitleaks-action jobs start failing. As an alternative, you can pin your version to v1.6.0 for now, if you aren't ready to upgrade at the moment.
For full details, see the v2 README here: https://github.com/gitleaks/gitleaks-action/tree/v2. Here is the quick list of changes to your .yml:
- uses: gitleaks/gitleaks-action@v2
env:
section with GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
env:
section: GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
gitleaks/[email protected]
Hi, since today my Gitleaks runs are all failing with an error message similar to this:
Can't use 'tar -xzf' extract archive file: /home/runner/work/_actions/_temp_0ff29a0b-45d3-43d7-9e97-4bbf29eecf79/77956855-4854-4a8d-b3f9-9c2cda3025e6.tar.gz. return code: 2.
My workflow file wasn't changed:
name: gitleaks
on: [pull_request, push, workflow_dispatch]
jobs:
scan:
name: gitleaks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
GITLEAKS_CONFIG: gitleaks/rules.toml
Can somebody help?
Thank you!
Hey @zricethezav,
Would you consider adding the support for a floating major version tag like in actions/checkout? ie: zricethezav/gitleaks-action@v1
The reason behind this request is I'm trying to enforce running gitleaks in hundreds of repositories and would like to benefit from a fairly stable up-to-date tag of your action without having to pin to a specific version or master/main.
Is there an existing way to override or merge config?
I have a use-case where we have an organisation wide configuration for gitleaks. For some repositories we need to add additional configuration or add an allowlist to an existing rule.
Currently we have to duplicate the configuration for these repositories - which means that they will become out of date if we add additional rules for the organisation configuration in the future.
I just cloned the recent gitleaks-action repo and modified the workflows yml file to point to my personal repo and tried running a push but it keeps failing with gitleaks encountering leaks but it's point to code that I have no idea where they're coming from. Below is a snip of the error - it's pointing to the entrypoint.sh file but the linenumber and code is not accurate. Please help.
{
"line": "# aws_access_key_id='REDACTED' ",
"lineNumber": 16,
"offender": "REDACTED",
"commit": "e7150a87e012d353a2c2e1ca8ec832b036dbde40",
"repo": "workspace",
"repoURL": "",
"leakURL": "",
"rule": "AWS Manager ID",
"commitMessage": "Update entrypoint.sh",
"author": "Zachary Rice",
"email": "[email protected]",
"file": "entrypoint.sh",
"date": "2020-02-25T11:06:44-05:00",
"tags": "key, AWS"
}
{
"line": "# aws_access_key_id='REDACTED'",
"lineNumber": 18,
"offender": "REDACTED",
"commit": "e1a5408dec0df17125c6a2e4bc57fa56e1296e7d",
"repo": "workspace",
"repoURL": "",
"leakURL": "",
"rule": "AWS Manager ID",
"commitMessage": "Update entrypoint.sh",
"author": "Zachary Rice",
"email": "[email protected]",
"file": "entrypoint.sh",
"date": "2020-02-25T10:53:36-05:00",
"tags": "key, AWS"
}
If the checkout action is performed with a given path, the gitleaks action won't work as it runs on a different path. As the "working-directory" param doesn't work with "uses", could the path be set as input param?
` - name: Checkout code
uses: actions/checkout@v2
with:
path: ./src/github.com/${{ github.repository }}
- name: Git Leaks
uses: zricethezav/gitleaks-action@master`
act
I understand this is meant to be used with docker, but perhaps it would be an idea to try to remove gitleaks.tmp from tmp before or after download and extraction?
For our self-hosted runner we fixed this by removing /tmp/gitleaks.tmp before running gitleaks-action
e.g:
- name: Remove gitleaks from tmp if it exist
run: rm -f /tmp/gitleaks.tmp || echo "gitleaks.tmp has already been removed."
gitleaks version: 8.18.0
Version to install: 8.18.0 (target directory: /tmp/gitleaks-8.18.0)
Downloading gitleaks from https://github.com/zricethezav/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz
Destination file path /tmp/gitleaks.tmp already exists
Waiting 19 seconds before trying again
Destination file path /tmp/gitleaks.tmp already exists
Waiting 17 seconds before trying again
Error: could not install gitleaks from https://github.com/zricethezav/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz, error: Error: Destination file path /tmp/gitleaks.tmp already exists
/actions-runner/_work/_actions/AdmincontrolAS/gitleaks-action/v2/dist/index.js:86[12](https://github.com/AdmincontrolAS/unicorn/actions/runs/6705241157/job/18219262014?pr=8355#step:3:13)
throw new Error("parameter 'file' is required");
^
Error: parameter 'file' is required
at Object.<anonymous> (/actions-runner/_work/_actions/AdmincontrolAS/gitleaks-action/v2/dist/index.js:8612:19)
at Generator.next (<anonymous>)
at /actions-runner/_work/_actions/AdmincontrolAS/gitleaks-action/v2/dist/index.js:8411:71
at new Promise (<anonymous>)
at __webpack_modules__.7784.__awaiter (/actions-runner/_work/_actions/AdmincontrolAS/gitleaks-action/v2/dist/index.js:8407:12)
at Object.extractTar (/actions-runner/_work/_actions/AdmincontrolAS/gitleaks-action/v2/dist/index.js:8610:12)
at Object.Install (/actions-runner/_work/_actions/AdmincontrolAS/gitleaks-action/v2/dist/index.js:70516:16)
at async start (/actions-runner/_work/_actions/AdmincontrolAS/gitleaks-action/v2/dist/index.js:7[13](https://github.com/AdmincontrolAS/unicorn/actions/runs/6705241157/job/18219262014?pr=8355#step:3:14)42:[22](https://github.com/AdmincontrolAS/unicorn/actions/runs/6705241157/job/18219262014?pr=8355#step:3:23))
Error: STOP! Gitleaks encountered leaks or error
shows a message in output (and not exit the job)
fatal: ambiguous argument 'remotes/origin/master...remotes/origin/gitleaks': unknown revision or path not in the working tree.
Use '--' to separate paths from revisions, like this:
'git <command> [<revision>...] -- [<file>...]'
Because when creating pull request through a different repository, there won't be any remote/origin/gitleaks
. This line is the source of the problem.
My suggestion are below, already tested on my local machine (but not very sure if there are any other edge cases that i missed), what do you think ?
-git --git-dir="$GITHUB_WORKSPACE/.git" log --left-right --cherry-pick --pretty=format:"%H" remotes/origin/$GITHUB_BASE_REF...remotes/origin/$GITHUB_HEAD_REF > commit_list.txt
+git --git-dir="$GITHUB_WORKSPACE/.git" log --left-right --cherry-pick --pretty=format:"%H" remotes/origin/$GITHUB_BASE_REF... > commit_list.txt
btw thanks for your awesome work on gitleaks π€
It seems that action does not support passing path with usual with: path: ...
my checkout is in a subfolder and action failed because not a git repo
https://github.com/juju4/ansible-adduser/actions/runs/4151619785/jobs/7182030614#step:12:26
1:40PM DBG no gitleaks config found in path .gitleaks.toml, using default gitleaks config
1:40PM DBG executing: /usr/bin/git -C . log -p -U0 --no-merges --first-parent 7c0c0e648f21bea1575b57aba8091c8f2c705e06^..da271afad6e5b5d769a7bdf1c654fb1ea32942c1
1:40PM ERR [git] fatal: not a git repository (or any of the parent directories): .git
1:40PM DBG 0 commits scanned. Note: this number might be smaller than expected due to commits with no additions
steps:
- uses: actions/checkout@v2
with:
path: ${{ env.ANSIBLE_ROLE }}
[...]
- name: Gitleaks check
uses: gitleaks/gitleaks-action@1f2d10fb689bc07a5f56f48d6db61f5bbbe772fa
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_ENABLE_SUMMARY: true
GITLEAKS_ENABLE_COMMENTS: true
GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
with:
path: ${{ env.ANSIBLE_ROLE }}
running the gitleaks action on my self-hosted ARM7 runner fails:
log snippet:
2023-07-19T04:36:09.9024034Z [bwhitehead0] is an individual user. No license key is required.
2023-07-19T04:36:09.9048238Z gitleaks version: 8.12.0
2023-07-19T04:36:09.9086434Z Version to install: 8.12.0 (target directory: /tmp/gitleaks-8.12.0)
2023-07-19T04:36:10.6016829Z Downloading gitleaks from https://github.com/zricethezav/gitleaks/releases/download/v8.12.0/gitleaks_8.12.0_linux_arm.tar.gz
2023-07-19T04:36:11.0949685Z ##[error]could not install gitleaks from https://github.com/zricethezav/gitleaks/releases/download/v8.12.0/gitleaks_8.12.0_linux_arm.tar.gz, error: Error: Unexpected HTTP response: 404
2023-07-19T04:36:11.1353564Z /home/github-runner/actions-runner/_work/_actions/gitleaks/gitleaks-action/v2.3.2/dist/index.js:8612
in this case, it appears that this code block might need to be modified to account for ARM variants:
const gitleaksReleaseURL = downloadURL(
process.platform,
process.arch,
version
);
i'm not very familiar w/ node, but it appears we need to do something similar to this comment to properly construct the download URL for some ARM variants, or, find another way to determine architecture type is ARM, then poll the OS thru node to determine if it's arm64, arm6, or arm7.
os.cpus()
(model
) should report the ARM version:
node -p "os.cpus()"
[ { model: 'ARMv7 Processor rev 5 (v7l)',
speed: 900,
times:
{ user: 28061900,
nice: 1726100,
sys: 41051200,
idle: 3227428,
irq: 0 } },
...
wish i could offer more but node isn't my thing.
Describe the bug
I believe gitleaks-action is producing a false alarm
To Reproduce
Both of these repos were passing when i added the action on Jan 30, 2021. Then on Feb 22, 2021 after no significant changes in content. Both repos failed. Here are the logs from two of our repos.
Expected behavior
This image the leak is relating to in repo1
is produced using R code. Not sure why this would be considered a leak although it is reporting an AWS Access Key. The leak in repo2
seems to be related to a travis CI key.
Screenshots
See links above
Basic Info
cc @zricethezav
Hi @zricethezav
it's seem like don't have docker zricethezav/gitleaks:v7.3.0 in docker hub
FROM zricethezav/gitleaks:v7.3.0
https://github.com/zricethezav/gitleaks-action/blob/master/Dockerfile
Given the following gitleaks-action file placed in .github/workflows on my GitHub project
name: gitleaks
on: [pull_request, push, workflow_dispatch]
jobs:
scan:
name: gitleaks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
The GitHub action does not find my gitleaks.toml file placed at the root of the project even if this page says it will.
Defined the gitleaks.toml file elsewhere and precising through GITLEAKS_CONFIG env variable where to find it, the GitHub action just ignores it.
gitleaks.toml is like bellow:
[[rules]]
description = "Detect Some Service key in URL"
regex = '''(?i)apikey=([a-zA-Z0-9_-]{10})'''
and is working with gitleaks in CLI.
How make the GitHub Actions use the rules of the TOML file?
Following this PR, the behavior on push
is to scan the entire history, which I think is not actually intended.
In this PR, for example, two gitleaks
jobs run - one for pull_request
and one for push
. The PR job is both much faster (14s vs 1m) and also passes, while the push job fails due to a very old match.
I'm not sure what the perfect way forward is. I can understand the use case of wanting to scan multiple pushed commits, but for performance and to limit the effort for users I think it should still be bounded to only those commits. On a PR branch it is clear how far back to scan, but it's harder when committing directly to a branch. Maybe a better git wizard than I has an idea?
I recently added this Action to a workflow that, besides triggering on pushes and Pull Requests, also runs on a schedule. Then I discovered this is currently not supported (see this run, for example). It seems this is failing at:
Line 40 in 8fe1d33
due to the repository
property missing from the eventJSON
.
If it's possible to fix the above issue, I must admit I'm not 100% sure what supporting the schedule trigger would mean for gitleak-actions. I think it could be leveraged to perform a historic scan?
If a historic scan isn't an option, I would like to suggest documenting which triggers are supported and providing a proper error message for unsupported triggers (e.g. by checking the value of GITHUB_EVENT_NAME
and exiting with an error message when it's not "push", "pull_request", or "workflow_dispatch").
I am using a self-hosted GitHub Runner.
But when I run Git Leaks it through error to write and upload artifacts on GitHub
12:23PM DBG 1 commits scanned. Note: this number might be smaller than expected due to commits with no additions
12:23PM INF scan completed in 67.3ms
12:23PM WRN leaks found: 2
Starting artifact upload
For more detailed logs during the artifact upload process, enable step-debugging: https://docs.github.com/actions/monitoring-and-troubleshooting-workflows/enabling-debug-logging#enabling-step-debug-logging
Artifact name is valid!
/runner/_work/_actions/gitleaks/gitleaks-action/v2/dist/index.js:1857
throw new Error(`The rootDirectory: ${rootDirectory} is not a parent directory of the file: ${file}`);
^
Error: The rootDirectory: /home/runner is not a parent directory of the file: /runner/_work/fe-app/fe-app/results.sarif
at Object.getUploadSpecification (/runner/_work/_actions/gitleaks/gitleaks-action/v2/dist/index.js:1857:23)
at DefaultArtifactClient.<anonymous> (/runner/_work/_actions/gitleaks/gitleaks-action/v2/dist/index.js:83:64)
at Generator.next (<anonymous>)
at /runner/_work/_actions/gitleaks/gitleaks-action/v2/dist/index.js:[53](https://github.com/org/fe-app/actions/runs/5999759253/job/16270522345#step:4:54):71
at new Promise (<anonymous>)
at __webpack_modules__.8802.__awaiter (/runner/_work/_actions/gitleaks/gitleaks-action/v2/dist/index.js:49:12)
at DefaultArtifactClient.uploadArtifact (/runner/_work/_actions/gitleaks/gitleaks-action/v2/dist/index.js:78:16)
at Object.Scan (/runner/_work/_actions/gitleaks/gitleaks-action/v2/dist/index.js:70[59](https://github.com/org/fe-app/actions/runs/5999759253/job/16270522345#step:4:60)0:26)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async start (/runner/_work/_actions/gitleaks/gitleaks-action/v2/dist/index.js:713[63](https://github.com/org/fe-app/actions/runs/5999759253/job/16270522345#step:4:64):16)
Also I am looking for an exit code in case leaks are found to Trigger Slack notifications which I am not able to do so.
GitHub Action Workflow file
name: gitleaks
on:
pull_request:
branches:
- main
- develop
push:
branches:
- main
- develop
jobs:
scan:
permissions:
contents: write
pull-requests: write
checks: write
name: gitleaks
runs-on:
labels: [self-hosted,dev-image-builder]
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2
id: gitleaks
env:
GITHUB_TOKEN: ${{ secrets.GH_PAT }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
- name: Notify Token Detected
if: steps.gitleaks.outputs.exitcode == 1
uses: voxmedia/github-action-slack-notify-build@v1
id: slack-token-notify
with:
channel_id: ${{ secrets.SLACK_CHANNEL_ID }}
status: Token Detected. Check Report at workflow.
color: warning
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
cc @zricethezav
Can you set an output variable to the action for the gitleaks finding?
Use case: Write the output back to comments for the commit.
Output lines of interest:
INFO[2020-08-28T15:21:36Z] No leaks detected. 1 commits scanned in 0 seconds
β
SUCCESS! Your code is good to go!
As of this morning, we started receiving the follow error from this GitHub Action:
Error: Validating key returned [{"meta":{"id":"b5c054e8-4f0f-4197-9258-e60653c980b4"},"errors":[{"title":"Internal server error","detail":"Looks like something went wrong! Our engineers have been notified. If you continue to have problems, please contact [email protected]."}]}]
Our GitLeaks License Key hasn't changed in 3 months. This also popped up after having successful runs earlier this morning.
gitleaks/gitleaks-action@1f2d10fb689bc07a5f56f48d6db61f5bbbe772fa # v2.3.2
Hello!
I'm using gitleaks as a docker and also installed with brew. There I can pass options to the scan, such as--no-git
, --verbose
and others.
Is there a way to do so with this GitHub action?
I'm quite new to it, saw nothing in the readme nor open issues.
thank you!
Add the option to change the output of the report from the gitleaks scan.
I think it's useful to have SARIF as the default, as Github actions can upload this for code scanning.
please see PR #34 for a proposed solution.
From the nightly run: https://github.com/gitleaks/gitleaks-action/actions/runs/3247466866
gitleaks-action-HEAD
The set-output
command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
cc @weineran
Example: https://github.com/smallstep/crypto/actions/runs/3114310200/jobs/5050004187
Warning: Error encountered when attempting to write a comment on PR #67.
Likely an issue with too large of a diff for the comment to be written.
All secrets that have been leaked will be reported in the summary and job artifact.
In this case, the diff is actually quite small, so probably something else is going on.
Hello dear developers
Could you, please, add free license for free Organizations?
We introduced gitleaks in our internal repository for check, it works well. However, recently we got a problem with gitleaks.
A complex JSON file is wrongly reported token leaks by gitleaks-action(which uses v4.1.0), but we run the gitleaks
command on our local machine(with gitleaks version: v6.0.0), the result is without token leaks. We repeated this problem by using docker-hosted gitleaks v4.1.0.
So we are waiting for the official update to fix this problem.
Though update toml config may also works, but it's better to solve this problem rootly.
Thanks!
Hello,
I would like to report an issue where GitLeaks CI fails with the error Invalid revision range
.
Reproduction steps:
[...]
7:30AM DBG executing: /usr/bin/git -C . log -p -U0 --no-merges --first-parent a833a[...]^..ea4e0[...]
7:30AM ERR [git] fatal: Invalid revision range a833a[...]^..ea4e0[...][27](https://github.com/xxxxx#step:5:28)
7:30AM DBG 0 commits scanned. Note: this number might be smaller than expected due to commits with no additions
7:30AM ERR git error encountered, see logs
7:30AM WRN partial scan completed in 60.2ms
7:30AM WRN no leaks found in partial scan
[...]
This issue seems like a race-condition to me where the GitLeaks initiated on the 1st commit but also got the details of the latest commit but git log
does not have the details about the latest commit.
Root Cause:
I also did some analysis:
1st commit: a833a --> Initiated the GitLeaks CI --> Fails with Invalid revision range
error
2nd commit: ea4e0 (note that this commit should be instantly after the 1st commit so that GitLeaks gets confused) --> Initiated the GitLeaks CI --> Pass (obv if no leak found)
Now notice, GitLeaks on the 1st commit has the Invalid revision range
error, and looking in detail you will find out that it also has the commit address of the 2nd commit. How is that possible?
Thanks!
When a user tries to activate too many repositories on their license, they get a message like this:
β this repo has not been associated with the license, attempting to activate a repo for the license
π Activation request returned [1] errors:
π Error activating repo: MACHINE_LIMIT_EXCEEDED | Unprocessable resource | machine count has exceeded maximum allowed by current policy (10) | /data |
We should improve this error message to read something like this:
Failed to activate repo [org123/repo456]. License has already reached its limit of [N] repos: [list, of, repos]. If you would like to increase your limit or remove some of these repos from your license, please do not hesitate to contact us.
The subject of the created issue is rather ugly:
Would be great if they could look more like this:
Thanks for the report @dopey!
Heyo!
The gitleaks summary is generating urls that are broken for all my private Org repos for all workflow event types.
The Url generated for example is https://github.com///actions/runs/undefined/commit/21f3bb48c90c82c688feb801ed5d539a6472273b
If I take out the "actions/runs/undefined" part of the url it seems to at least land on the commit page.
Any ideas whats happening here?
It seems odd because the url seems like it should be created based off eventJSON.repository.html_url and when I view that in the pipeline it looks correct without the actions/runs/undefined bit added.
When calling the gitleaks action from a reusable workflow the following error is received:
TypeError: Cannot read properties of undefined (reading 'commitSha')
at /home/runner/work/_actions/gitleaks/gitleaks-action/v2.3.2/dist/index.js:70938:52
at Array.forEach (<anonymous>)
at Object.Write (/home/runner/work/_actions/gitleaks/gitleaks-action/v2.3.2/dist/index.js:70937:27)
at start (/home/runner/work/_actions/gitleaks/gitleaks-action/v2.3.2/dist/index.js:71385:19)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
Seems like the GITHUB_EVENT_PATH is working on the subworkflow event path.
The GITLEAKS_ENABLE_SUMMARY
env variable is not needed after all for local testing.
Instead, use --env GITHUB_STEP_SUMMARY=/var/run/act/summary
See here: nektos/act#1187
In my workflow when I use the gitleaks action it works and scans the file for the first time.
Next build when I remove the secret from the repo then too the action refers to the previous commit sha and fails the build saying that the repo still has secrets/keys.
To Reproduce
jobs:
gitleaks:
runs-on: ubuntu-latest
steps:
test.txt AKIAIOSFODNN7EXAMPLE
cc @zricethezav
For push events, allow option to scan ONLY commits made in the working branch, rather than the entire repository.
The main reason for this is to reduce time spent scanning and place emphasis on newly made commits.
Hi π
Looks like the gitleaks
v7.0.0
removed the --pretty
flag. Unfortunately the action version 1.1.4
uses the latest image version but still includes the --pretty
flag, so it breaks:
running gitleaks v7.1.0 with the following commandπ
gitleaks --pretty --repo-path=/github/workspace --verbose --redact --commit=e0ec22ec6c76b425ad7c49ebb559f93a6520d966
unknown flag `pretty'
Usage:
gitleaks [OPTIONS]
...
Sample run: https://github.com/giantswarm/hyperkube/runs/1525377670?check_suite_focus=true
edit: As a side note, I'm not sure if this is intentional behavior but it surprised me that this didn't fail the build
I'd like to include the .gitleaks.toml
in my github actions directory rather than put this in the root of the repository, allowing easier management of workflows and sharing with my team.
Can this be an optional parameter please?
Hi, when setting up the action for PRs I noticed that with the fetch-depth: '2'
recommended in the marketplace description (https://github.com/marketplace/actions/gitleaks very bottom), the git log fails due to not having the target ref cloned, logging: fatal: ambiguous argument 'remotes/origin/main...': unknown revision or path not in the working tree.
, but the action step as a whole succeeds, hiding potential issues in the PR. fetch-depth: '0'
solves this problem although with a large history the clone may still be inefficient as the description says.
I'd expect the action as a whole to fail if it's not able to scan anything. If a similar problem appears again, it might silently fail to report problematic commits, and because it typically only scans new commits, those that slipped may not be easily discovered again.
I've set up a minimal repro, here is an example of this behavior in a PR build https://github.com/jbrestan/gitleaks-repro/runs/2965724359?check_suite_focus=true#step:4:6
Background
Currently, we are tracking "Last Validation" for each license (via keygen). However, when multiple repos are associated with a license, which is usually the case, we don't know which / how many repos were scanned at that Last Validation time.
New Feature
We should track the most recent timestamp that each repo was scanned as well. That would enable somewhat more flexible billing options such as "pay per repo, if scanned".
Additional Info
CC @zricethezav
A declarative, efficient, and flexible JavaScript library for building user interfaces.
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. πππ
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google β€οΈ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.