If you have a feature or bug fix you would like to contribute please check if there are any open issues describing your proposed addition. If there are open issues, make a comment stating you are working on fixing or implementing said issue. If not, then please open an issue describing your addition. Make sure to link your PR to an issue.
Fill out the template as best you can. Make sure your tests pass. If you see a PR that isn't one you opened and want it introduced in the next release, give it a 👍 on the PR description.
If you want to add a new rule to the default Gitleaks configuration then follow these steps.
1. Create a `cmd/generate/config/rules/{provider}.go` file. This file is used to generate a new Gitleaks rule. Let's look at `beamer.go` for example. Comments have been added for context.

   ```go
   package rules

   import (
       "github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
       "github.com/zricethezav/gitleaks/v8/config"
   )

   func Beamer() *config.Rule {
       // Define Rule
       r := config.Rule{
           // Human readable description of the rule
           Description: "Beamer API token",

           // Unique ID for the rule
           RuleID: "beamer-api-token",

           // Regex used for detecting secrets; its capture group holds the actual secret.
           // See regex section below for more details
           Regex: generateSemiGenericRegex([]string{"beamer"}, `b_[a-z0-9=_\-]{44}`, true),

           // Keywords used for string matching on fragments (think of this as a prefilter)
           Keywords: []string{"beamer"},
       }

       // validate
       tps := []string{
           generateSampleSecret("beamer", "b_"+secrets.NewSecret(alphaNumericExtended("44"))),
       }
       return validate(r, tps, nil)
   }
   ```

   Feel free to use this example as a template when writing new rules. This file should be fairly self-explanatory except for a few items: regex and secret generation. To help with maintenance, most rules should be uniform. The functions `generateSemiGenericRegex` and `generateUniqueTokenRegex` will generate rules that follow defined patterns. The function signatures look like this:

   ```go
   func generateSemiGenericRegex(identifiers []string, secretRegex string, isCaseInsensitive bool) *regexp.Regexp
   func generateUniqueTokenRegex(secretRegex string, isCaseInsensitive bool) *regexp.Regexp
   ```

   `generateSemiGenericRegex` accepts a list of identifiers, a regex, and a boolean indicating whether the pattern should be case-insensitive. The list of identifiers should match the list of `Keywords` in the rule definition above. Both `identifiers` in the `generateSemiGenericRegex` function and `Keywords` act as filters for Gitleaks, telling the program "at least one of these strings must be present to be considered a leak".

   `generateUniqueTokenRegex` just accepts a regex and a boolean indicating whether the pattern should be case-insensitive. If you are writing a rule for a token that is unique enough not to require an identifier then you can use this function. For example, Pulumi's API token has the prefix `pul-`, which is unique enough to use `generateUniqueTokenRegex`. But something like Beamer's API token, which has a `b_` prefix, is not unique enough to use `generateUniqueTokenRegex`, so instead we use `generateSemiGenericRegex` and require that a `beamer` identifier is part of the rule. If a token's prefix has more than 3 characters then you could probably get away with using `generateUniqueTokenRegex`.

   The last thing you'll want to hit before we move on from this file is the validation part. You can use `generateSampleSecret` to create a secret for the true positives (`tps` in the example above) used in `validate`.

2. Update `cmd/generate/config/main.go`. Extend the `configRules` slice with `rules.Beamer(),` in `main()`. Try and keep this alphabetical, pretty please.

3. Run `go generate ./...`

4. Check out your new rules in `config/gitleaks.toml` and see if everything looks good.

5. Open a PR
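To make the difference between a semi-generic rule (identifier + keyword prefilter required) and a unique-token rule concrete, here is an added, stand-alone Go example that is not part of the Gitleaks repository. `semiGenericRegex` and `uniqueTokenRegex` are simplified reimplementations of the idea behind `generateSemiGenericRegex` and `generateUniqueTokenRegex`, not the project's helpers; the `Rule` type, `Detect`, the `pul-[a-f0-9]{40}` token shape, the `pulumi-api-token` rule ID and every token value below are constructed for this demo. It shows why the Beamer rule needs the `beamer` keyword (the same `b_` token in a fragment without it is skipped) and why a short or malformed token never matches.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule holds the fields of a Gitleaks rule this demo needs (a constructed
// stand-in, not the config.Rule type from the Gitleaks repository).
type Rule struct {
	RuleID   string
	Regex    *regexp.Regexp
	Keywords []string
}

// tokenEnd is what may follow a secret: quote, whitespace, backtick, ';' or end of input.
const tokenEnd = `(?:['"\n\r\s\x60;]|$)`

func flag(caseInsensitive bool) string {
	if caseInsensitive {
		return "(?i)"
	}
	return ""
}

// semiGenericRegex is a simplified reimplementation (not Gitleaks' own code) of the
// shape generateSemiGenericRegex produces: one identifier, a short tail such as
// "_api_token", an assignment-like separator, optional quoting, then the secret.
func semiGenericRegex(identifiers []string, secretRegex string, caseInsensitive bool) *regexp.Regexp {
	quoted := make([]string, len(identifiers))
	for i, id := range identifiers {
		quoted[i] = regexp.QuoteMeta(id)
	}
	pattern := flag(caseInsensitive) +
		`(?:` + strings.Join(quoted, "|") + `)` + // identifier, e.g. "beamer"
		`[0-9a-z\-_\t .]{0,20}` + // tail like "_api_token"
		`[\s'"]{0,3}` +
		`(?:=|>|:=|\|\|:|<=|=>|:)` + // assignment-like separator
		`[\s'"=\x60]{0,5}` +
		`(` + secretRegex + `)` + // group 1: the secret itself
		tokenEnd
	return regexp.MustCompile(pattern)
}

// uniqueTokenRegex is the simplified unique-token counterpart: no identifier is
// required because the token's own prefix is distinctive enough.
func uniqueTokenRegex(secretRegex string, caseInsensitive bool) *regexp.Regexp {
	return regexp.MustCompile(flag(caseInsensitive) + `\b(` + secretRegex + `)` + tokenEnd)
}

// Detect runs the cheap keyword prefilter first, then the regex, and returns the
// captured secrets (nil when the prefilter rejects the fragment or nothing matches).
func Detect(r Rule, fragment string) []string {
	if len(r.Keywords) > 0 {
		lower := strings.ToLower(fragment)
		hit := false
		for _, kw := range r.Keywords {
			if strings.Contains(lower, strings.ToLower(kw)) {
				hit = true
				break
			}
		}
		if !hit {
			return nil
		}
	}
	var found []string
	for _, m := range r.Regex.FindAllStringSubmatch(fragment, -1) {
		found = append(found, m[1])
	}
	return found
}

// BeamerRule mirrors the beamer.go rule above: b_ is too generic on its own.
func BeamerRule() Rule {
	return Rule{
		RuleID:   "beamer-api-token",
		Regex:    semiGenericRegex([]string{"beamer"}, `b_[a-z0-9=_\-]{44}`, true),
		Keywords: []string{"beamer"},
	}
}

// PulumiRule uses a unique-token pattern; the token shape and ID are assumed for this demo.
func PulumiRule() Rule {
	return Rule{
		RuleID:   "pulumi-api-token",
		Regex:    uniqueTokenRegex(`pul-[a-f0-9]{40}`, false),
		Keywords: []string{"pul-"},
	}
}

func main() {
	// Constructed sample fragments; every token value here is made up.
	fragments := []string{
		`beamer_api_token = "b_abcdefghijklmnopqrstuvwxyz0123456789abcdefgh"`,        // hit
		`api_token = "b_abcdefghijklmnopqrstuvwxyz0123456789abcdefgh"`,               // no "beamer" keyword: skipped
		`beamer_token = "b_short"`,                                                  // wrong length: no match
		`export PULUMI_ACCESS_TOKEN=pul-0123456789abcdef0123456789abcdef01234567`, // unique-token hit
	}
	for _, r := range []Rule{BeamerRule(), PulumiRule()} {
		for _, f := range fragments {
			for _, s := range Detect(r, f) {
				fmt.Printf("%s: %s\n", r.RuleID, s)
			}
		}
	}
}
```

Running it prints one hit for each rule and nothing for the two negative fragments, which is the behaviour the keyword prefilter and the fixed-length secret regex are meant to give.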