Update pre-commit hook gitleaks/gitleaks to v8.21.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
gitleaks/gitleaks	repository	minor	v8.19.3 -> v8.21.0

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.

---

Release Notes

gitleaks/gitleaks (gitleaks/gitleaks)

v8.21.0

Compare Source

Changelog

• aabe381 Define multiple allowlists per rule (#​1496)
• 8ea6085 build: upgrade gitleaks/go-gitdiff to v0.9.1 (#​1559)
• be9d0f8 Fix rule extension (#​1556)
• 9988e52 Update base config allowlist (#​1555)
• 8fb39ba feat(azure): detect Azure AD client secrets (#​1199)
• 14c924d chore: match gitleaks.toml anywhere (#​1553)

respect @​rgmz @​9999years

v8.20.1

Compare Source

Changelog

• b2fbaeb feat(config): add placeholder regexes to global allowlist (#​1547)
• 00bb821 feat: add PrivateAI rule (#​1548)
• 445abe3 Bump golang verion used in docker build to match version specified in go.mod (#​1551)
• 1a2f656 feat: add cohere rule (#​1549)
• 82d737d feat(generate): generate global (#​1546)
• f6e5499 Feat/nuget config password rule (#​1540)

v8.20.0

Compare Source

Changelog

• bf8a49f Make private key check less greedy and include fifth dash (#​1440)
• 9c354f5 print tags if they exist
• 2278a2a Decode Base64 (#​1488)
• c5b15c9 refactor(config): keyword map (#​1538)
• a971a32 fix: use regexTarget for extend config (#​1536)
• a0f2f46 feat: bump go to 1.22 (#​1537)
• 4e8d7d3 fix: handle pre-commit and staged (#​1533)
• f8dcd83 Bugfix/1352 incorrect report multiple lines (#​1501)

Huge huge thanks to @​bplaxco for supporting b64 decoding, @​recreator66 for bug fixes, and to @​rgmz for his continued support of the project in the form of PRs and reviews. Thanks you!

New Feature: Decoding

Sometimes secrets are encoded in a way that can make them difficult to find
with just regex. Now you can tell gitleaks to automatically find and decode
encoded text. The flag --max-decode-depth enables this feature (the default
value "0" means the feature is disabled by default).

Recursive decoding is supported since decoded text can also contain encoded
text. The flag --max-decode-depth sets the recursion limit. Recursion stops
when there are no new segments of encoded text to decode, so setting a really
high max depth doesn't mean it will make that many passes. It will only make as
many as it needs to decode the text. Overall, decoding only minimally increases
scan times.

The findings for encoded text differ from normal findings in the following
ways:

• The location points the bounds of the encoded text
  • If the rule matches outside the encoded text, the bounds are adjusted to
    include that as well
• The match and secret contain the decoded value
• Two tags are added decoded:<encoding> and decode-depth:<depth>

Currently supported encodings:

• base64 (both standard and base64url)

---

Configuration

📅 Schedule: Branch creation - "before 4am on Monday" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.