2604ed3efd8248d574d6aff68b539678d7483129
10 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
a463199728 |
feat(infra): reactivate act_runner cache by sharing the runners network (#82)
## Summary Closes the deferred-since-day-one cache-server gap (documented as "Cache server (deferred)" in `infra/README.md` and mentioned every time we hit a slow CI install). **Root cause.** `act_runner`'s built-in cache server binds inside the runner container and advertises an IP on the compose-defined `apf-portal-act-runners` bridge — but jobs are spawned via the mounted `/var/run/docker.sock`, which puts them on Docker's anonymous default `bridge`. The advertised URL is unreachable from the job, every cache request burns a ~2 min `ETIMEDOUT` (restore + save), the hit rate is zero. **Fix.** Tell `act_runner` to attach jobs to the same compose-defined bridge as the runners, via `container.network` in the shared `runner-config.yaml`. The advertised cache URL becomes a normal internal-network DNS hop, jobs reach the cache server, `cache: 'pnpm'` works end-to-end. **Blast-radius trade-off** (bounded). Every container on `apf-portal-act-runners` is one of our runner containers, plus the jobs they spawn — all of which already have full docker-socket access. Sharing a network doesn't widen what a malicious workflow can already do; it just lets jobs reach the cache server. ## What lands - `infra/runner-config.yaml` — add `container.network: apf-portal-act-runners`. Surface the `cache.enabled: true` default explicitly so the toggle is discoverable. - `.gitea/workflows/ci.yml` — re-enable `cache: 'pnpm'` on every `actions/setup-node` step (5 jobs). Drop the now-stale block comment that explained the disablement. - `.gitea/workflows/security-scheduled.yml` — same on the two setup-node steps. - `infra/README.md` "Cache server" section rewritten — was `"(deferred)"`, now describes the working setup, rationale, and the disable toggle. - `ci.yml`'s Trivy comment trimmed to drop the cross-reference to the deferred-cache-server section that no longer exists. ## Roll-out (manual, post-merge, on the runner host) ```bash cd <repo>/infra git pull ./ci-runners.sh rotate ``` `rotate` recreates the containers with the new `runner-config.yaml` mount intact (rolling restart, ~15 s pause between each runner so the CI pipeline stays online). ## Test plan - [ ] CI green on this PR (the gates run on the runners as configured **before** rollout, so this PR's run is one last "uncached" cycle). - [ ] After rollout, the next CI run's `Set up Node.js` step shows the cache restore attempt **succeed quickly** (no ETIMEDOUT). The `Run pnpm install --frozen-lockfile` step on the first post-rollout run still reports `Progress: resolved N, reused 0, downloaded N` (cold seed). - [ ] The **second** post-rollout run reports `reused N, downloaded 0` (or a small downloaded delta if Renovate moved a dep meanwhile) — the cache hit is real. - [ ] `Complete job` step at the end no longer shows `reserveCache failed: connect ETIMEDOUT` warnings. - [ ] Wall-clock for a typical PR's CI drops by ~5-10 min (5 jobs × ~30-90 s saved on `pnpm install` + the 2× ~2 min ETIMEDOUTs we used to eat). --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #82 |
||
|
|
674c8b2f88 |
chore(deps): update dependency gitleaks/gitleaks to v8.30.1 (#79)
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [gitleaks/gitleaks](https://github.com/gitleaks/gitleaks) | minor | `8.21.0` -> `8.30.1` | --- ### Release Notes <details> <summary>gitleaks/gitleaks (gitleaks/gitleaks)</summary> ### [`v8.30.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.30.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.30.0...v8.30.1) ##### Changelog - [`83d9cd6`](https://github.com/gitleaks/gitleaks/commit/83d9cd684c87d95d656c1458ef04895a7f1cbd8e) update goreleaser - [`8d1f98c`](https://github.com/gitleaks/gitleaks/commit/8d1f98c7967eb1e79cb44ac6241a124e145d2165) Removed unnecessary functions from report template ([#​2040](https://github.com/gitleaks/gitleaks/issues/2040)) - [`ca20267`](https://github.com/gitleaks/gitleaks/commit/ca20267a84aa1fa2c2a9c1a13cdb50cafb48eeb0) its the simple things ([#​2020](https://github.com/gitleaks/gitleaks/issues/2020)) - [`b66ac75`](https://github.com/gitleaks/gitleaks/commit/b66ac75e4fa93d86d78fccd6e2f36d2c0698b2a2) build: switch to Go 1.24 ([#​2002](https://github.com/gitleaks/gitleaks/issues/2002)) ### [`v8.30.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.30.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.29.1...v8.30.0) ##### Changelog - [`6eaad03`](https://github.com/gitleaks/gitleaks/commit/6eaad03) 0 to 5 - notes on recursive decoding ([#​1994](https://github.com/gitleaks/gitleaks/issues/1994)) - [`09242ce`](https://github.com/gitleaks/gitleaks/commit/09242ce) Add new Looker client ID and client secret rules ([#​1947](https://github.com/gitleaks/gitleaks/issues/1947)) - [`c98e5e0`](https://github.com/gitleaks/gitleaks/commit/c98e5e0) feat: add Airtable Personnal Access Token detection ([#​1952](https://github.com/gitleaks/gitleaks/issues/1952)) - [`4ed0ca4`](https://github.com/gitleaks/gitleaks/commit/4ed0ca4) build: upgrade Go & alpine version ([#​1989](https://github.com/gitleaks/gitleaks/issues/1989)) ### [`v8.29.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.29.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.29.0...v8.29.1) ##### Changelog - [`fb5d707`](https://github.com/gitleaks/gitleaks/commit/fb5d707) thats a paddlin - [`50493db`](https://github.com/gitleaks/gitleaks/commit/50493db) feat: document stdout report path ([#​1990](https://github.com/gitleaks/gitleaks/issues/1990)) ### [`v8.29.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.29.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.28.0...v8.29.0) ##### Changelog - [`ed65b65`](https://github.com/gitleaks/gitleaks/commit/ed65b65) Add trace log for skipped archive file when not enabled ([#​1961](https://github.com/gitleaks/gitleaks/issues/1961)) - [`c5ccbb9`](https://github.com/gitleaks/gitleaks/commit/c5ccbb9) Respect contexts with timeouts ([#​1948](https://github.com/gitleaks/gitleaks/issues/1948)) - [`3821f30`](https://github.com/gitleaks/gitleaks/commit/3821f30) Config min version ([#​1955](https://github.com/gitleaks/gitleaks/issues/1955)) - [`d223718`](https://github.com/gitleaks/gitleaks/commit/d223718) fix(config): validate rules when \[extend] is used ([#​1592](https://github.com/gitleaks/gitleaks/issues/1592)) - [`87d9629`](https://github.com/gitleaks/gitleaks/commit/87d9629) feat: add Amazon Bedrock API key detection ([#​1935](https://github.com/gitleaks/gitleaks/issues/1935)) - [`228396b`](https://github.com/gitleaks/gitleaks/commit/228396b) Add GitHub Sponsors section and Discord link - [`a82bc53`](https://github.com/gitleaks/gitleaks/commit/a82bc53) feat: improve regex to detect Sonar tokens with prefixes ([#​1931](https://github.com/gitleaks/gitleaks/issues/1931)) ### [`v8.28.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.28.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.27.2...v8.28.0) ##### Changelog - [`4fb4382`](https://github.com/gitleaks/gitleaks/commit/4fb4382) cant count - [`b1c9c7e`](https://github.com/gitleaks/gitleaks/commit/b1c9c7e) Composite rules ([#​1905](https://github.com/gitleaks/gitleaks/issues/1905)) - [`72977e4`](https://github.com/gitleaks/gitleaks/commit/72977e4) feat: add Anthropic API key detection ([#​1910](https://github.com/gitleaks/gitleaks/issues/1910)) - [`7b02c98`](https://github.com/gitleaks/gitleaks/commit/7b02c98) fix(git): handle port ([#​1912](https://github.com/gitleaks/gitleaks/issues/1912)) - [`2a7bcff`](https://github.com/gitleaks/gitleaks/commit/2a7bcff) dont prematurely calculate fragment newlines ([#​1909](https://github.com/gitleaks/gitleaks/issues/1909)) - [`bd79c3e`](https://github.com/gitleaks/gitleaks/commit/bd79c3e) feat(allowlist): promote optimizations ([#​1908](https://github.com/gitleaks/gitleaks/issues/1908)) - [`7fb4eda`](https://github.com/gitleaks/gitleaks/commit/7fb4eda) Fix: CVEs on go and go crypto ([#​1868](https://github.com/gitleaks/gitleaks/issues/1868)) - [`a044b81`](https://github.com/gitleaks/gitleaks/commit/a044b81) feat: add artifactory reference token and api key detection ([#​1906](https://github.com/gitleaks/gitleaks/issues/1906)) - [`bf380d4`](https://github.com/gitleaks/gitleaks/commit/bf380d4) silly - [`f487f85`](https://github.com/gitleaks/gitleaks/commit/f487f85) Update gitleaks.yml - [`958f55a`](https://github.com/gitleaks/gitleaks/commit/958f55a) add just like that, no leaks ##### Optimizations [#​1909](https://github.com/gitleaks/gitleaks/issues/1909) waits to find newlines until a match. This ends up saving a boat load of time since before we were finding newlines for every fragment regardless if a rule matched or not. [#​1908](https://github.com/gitleaks/gitleaks/issues/1908) promoted [@​rgmz](https://github.com/rgmz) excellent stopword optimization ##### Composite Rules (Multi-part or `required` Rules) [#​1905](https://github.com/gitleaks/gitleaks/issues/1905) In v8.28.0 Gitleaks introduced composite rules, which are made up of a single "primary" rule and one or more auxiliary or `required` rules. To create a composite rule, add a `[[rules.required]]` table to the primary rule specifying an `id` and optionally `withinLines` and/or `withinColumns` proximity constraints. A fragment is a chunk of content that Gitleaks processes at once (typically a file, part of a file, or git diff), and proximity matching instructs the primary rule to only report a finding if the auxiliary `required` rules also find matches within the specified area of the fragment. **Proximity matching:** Using the `withinLines` and `withinColumns` fields instructs the primary rule to only report a finding if the auxiliary `required` rules also find matches within the specified proximity. You can set: - **`withinLines: N`** - required findings must be within N lines (vertically) - **`withinColumns: N`** - required findings must be within N characters (horizontally) - **Both** - creates a rectangular search area (both constraints must be satisfied) - **Neither** - fragment-level matching (required findings can be anywhere in the same fragment) Here are diagrams illustrating each proximity behavior: ``` p = primary captured secret a = auxiliary (required) captured secret fragment = section of data gitleaks is looking at *Fragment-level proximity* Any required finding in the fragment ┌────────┐ ┌──────┤fragment├─────┐ │ └──────┬─┤ │ ┌───────┐ │ │a│◀────┼─│✓ MATCH│ │ ┌─┐└─┘ │ └───────┘ │┌─┐ │p│ │ ││a│ ┌─┐└─┘ │ ┌───────┐ │└─┘ │a│◀──────────┼─│✓ MATCH│ └─▲─────┴─┴───────────┘ └───────┘ │ ┌───────┐ └────│✓ MATCH│ └───────┘ *Column bounded proximity* `withinColumns = 3` ┌────────┐ ┌────┬─┤fragment├─┬───┐ │ └──────┬─┤ │ ┌───────────┐ │ │ │a│◀┼───┼─│+1C ✓ MATCH│ │ ┌─┐└─┘ │ └───────────┘ │┌─┐ │ │p│ │ │ ┌──▶│a│ ┌─┐ └─┘ │ ┌───────────┐ │ │└─┘ ││a│◀────────┼───┼─│-2C ✓ MATCH│ │ │ ┘ │ └───────────┘ │ └── -3C ───0C─── +3C ─┘ │ ┌─────────┐ │ │ -4C ✗ NO│ └──│ MATCH │ └─────────┘ *Line bounded proximity* `withinLines = 4` ┌────────┐ ┌─────┤fragment├─────┐ +4L─ ─ ┴────────┘─ ─ ─│ │ │ │ ┌─┐ │ ┌────────────┐ │ ┌─┐ │a│◀──┼─│+1L ✓ MATCH │ 0L ┌─┐ │p│ └─┘ │ ├────────────┤ │ │a│◀──┴─┴────────┼─│-1L ✓ MATCH │ │ └─┘ │ └────────────┘ │ │ ┌─────────┐ -4L─ ─ ─ ─ ─ ─ ─ ─┌─┐─│ │-5L ✗ NO │ │ │a│◀┼─│ MATCH │ └────────────────┴─┴─┘ └─────────┘ *Line and column bounded proximity* `withinLines = 4` `withinColumns = 3` ┌────────┐ ┌─────┤fragment├─────┐ +4L ┌└────────┴ ┐ │ │ ┌─┐ │ ┌───────────────┐ │ │ │a│◀┼───┼─│+2L/+1C ✓ MATCH│ │ ┌─┐└─┘ │ └───────────────┘ 0L │ │p│ │ │ │ └─┘ │ │ │ │ │ ┌────────────┐ -4L ─ ─ ─ ─ ─ ─┌─┐ │ │-5L/+3C ✗ NO│ │ │a│◀┼─│ MATCH │ └───-3C────0L───+3C┴─┘ └────────────┘ ``` ### [`v8.27.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.27.2) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.27.1...v8.27.2) ##### Changelog - [`c7acf33`](https://github.com/gitleaks/gitleaks/commit/c7acf33) Merge branch 'master' of github.com:gitleaks/gitleaks - [`9faaa4a`](https://github.com/gitleaks/gitleaks/commit/9faaa4a) Add experimental allowlist optimizations ([#​1731](https://github.com/gitleaks/gitleaks/issues/1731)) - [`79068b3`](https://github.com/gitleaks/gitleaks/commit/79068b3) Detect Notion Public API Keys [#​1889](https://github.com/gitleaks/gitleaks/issues/1889) ([#​1890](https://github.com/gitleaks/gitleaks/issues/1890)) ### [`v8.27.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.27.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.27.0...v8.27.1) ##### Changelog - [`80468ef`](https://github.com/gitleaks/gitleaks/commit/80468ef) Merge branch 'master' of github.com:gitleaks/gitleaks - [`ef82237`](https://github.com/gitleaks/gitleaks/commit/ef82237) fix(atlassian): reduce false-positives for v1 pattern ([#​1892](https://github.com/gitleaks/gitleaks/issues/1892)) - [`2463f11`](https://github.com/gitleaks/gitleaks/commit/2463f11) Fix log suppresion issue ([#​1887](https://github.com/gitleaks/gitleaks/issues/1887)) - [`6f251ee`](https://github.com/gitleaks/gitleaks/commit/6f251ee) Added Heroku API Key New Version ([#​1883](https://github.com/gitleaks/gitleaks/issues/1883)) - [`20f9a1d`](https://github.com/gitleaks/gitleaks/commit/20f9a1d) Add Platform Bitbucket ([#​1886](https://github.com/gitleaks/gitleaks/issues/1886)) - [`722ce82`](https://github.com/gitleaks/gitleaks/commit/722ce82) Add Platform Gitea ([#​1884](https://github.com/gitleaks/gitleaks/issues/1884)) - [`79780b8`](https://github.com/gitleaks/gitleaks/commit/79780b8) Merge branch 'master' of github.com:gitleaks/gitleaks - [`c5683ca`](https://github.com/gitleaks/gitleaks/commit/c5683ca) prevent default warn message when max-archive-depth not set ([#​1881](https://github.com/gitleaks/gitleaks/issues/1881)) - [`0357c3c`](https://github.com/gitleaks/gitleaks/commit/0357c3c) prevent default warn message when max-archive-depth not set ### [`v8.27.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.27.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.26.0...v8.27.0) ##### Changelog - [`782f310`](https://github.com/gitleaks/gitleaks/commit/782f310) Archive support ([#​1872](https://github.com/gitleaks/gitleaks/issues/1872)) - [`489d13c`](https://github.com/gitleaks/gitleaks/commit/489d13c) Update README.md - [`d29ee55`](https://github.com/gitleaks/gitleaks/commit/d29ee55) Reduce aws-access-token false positives ([#​1876](https://github.com/gitleaks/gitleaks/issues/1876)) - [`611db65`](https://github.com/gitleaks/gitleaks/commit/611db65) Set `pass_filenames` to `false` for Docker hook ([#​1850](https://github.com/gitleaks/gitleaks/issues/1850)) - [`0589ae0`](https://github.com/gitleaks/gitleaks/commit/0589ae0) unicode decoding ([#​1854](https://github.com/gitleaks/gitleaks/issues/1854)) - [`82f7e32`](https://github.com/gitleaks/gitleaks/commit/82f7e32) Diagnostics ([#​1856](https://github.com/gitleaks/gitleaks/issues/1856)) - [`f97a9ee`](https://github.com/gitleaks/gitleaks/commit/f97a9ee) chore: include decoder in debug log ([#​1853](https://github.com/gitleaks/gitleaks/issues/1853)) Got another [@​bplaxco](https://github.com/bplaxco) release. Cheers! ##### Archive Scanning Sometimes secrets are packaged within archive files like zip files or tarballs, making them difficult to discover. Now you can tell gitleaks to automatically extract and scan the contents of archives. The flag `--max-archive-depth` enables this feature for both `dir` and `git` scan types. The default value of "0" means this feature is disabled by default. Recursive scanning is supported since archives can also contain other archives. The `--max-archive-depth` flag sets the recursion limit. Recursion stops when there are no new archives to extract, so setting a very high max depth just sets the potential to go that deep. It will only go as deep as it needs to. The findings for secrets located within an archive will include the path to the file inside the archive. Inner paths are separated with `!`. Example finding (shortened for brevity): ``` Finding: DB_PASSWORD=8ae31cacf141669ddfb5da ... File: testdata/archives/nested.tar.gz!archives/files.tar!files/.env.prod Line: 4 Commit: 6e6ee6596d337bb656496425fb98644eb62b4a82 ... Fingerprint: 6e6ee6596d337bb656496425fb98644eb62b4a82:testdata/archives/nested.tar.gz!archives/files.tar!files/.env.prod:generic-api-key:4 Link: https://github.com/leaktk/gitleaks/blob/6e6ee6596d337bb656496425fb98644eb62b4a82/testdata/archives/nested.tar.gz ``` This means a secret was detected on line 4 of `files/.env.prod.` which is in `archives/files.tar` which is in `testdata/archives/nested.tar.gz`. Currently supported formats: The [compression](https://github.com/mholt/archives?tab=readme-ov-file#supported-compression-formats) and [archive](https://github.com/mholt/archives?tab=readme-ov-file#supported-archive-formats) formats supported by mholt's [archives package](https://github.com/mholt/archives) are supported. ### [`v8.26.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.26.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.25.1...v8.26.0) ##### Changelog - [`78eebac`](https://github.com/gitleaks/gitleaks/commit/78eebac) Percent/URL Decoding Support ([#​1831](https://github.com/gitleaks/gitleaks/issues/1831)) - [`6f967ca`](https://github.com/gitleaks/gitleaks/commit/6f967ca) fix(kubernetes): remove slow element from pat ([#​1848](https://github.com/gitleaks/gitleaks/issues/1848)) - [`88f56d3`](https://github.com/gitleaks/gitleaks/commit/88f56d3) feat: identify slow file ([#​1479](https://github.com/gitleaks/gitleaks/issues/1479)) - [`9609928`](https://github.com/gitleaks/gitleaks/commit/9609928) rm 1password detect test since we test it in cfg gen - [`23cb69f`](https://github.com/gitleaks/gitleaks/commit/23cb69f) feat(rules): Add 1Password secret key detection ([#​1834](https://github.com/gitleaks/gitleaks/issues/1834)) Calling this one [@​bplaxco](https://github.com/bplaxco)'s release as he introduced a really clever method for mixed decoding without sacrificing too much performance. As I stated in his PR, I think he's either a wizard or some time traveling AI. Dude [is wicked smaht](https://www.youtube.com/watch?v=hIdsjNGCGz4) Anyways, Gitleaks now supports the following decoders: `hex`, `percent(url enconding)`, and `b64`. It's relatively straight forward to add a new decoder so if you're motivated, community contributions are welcomed! Here's an example: ``` ~/code/gitleaks-org/gitleaks (master) cat decode.txt text below aGVsbG8sIHdvcmxkIQ%3D%3D%0A text above ~/code/gitleaks-org/gitleaks (master) ./gitleaks dir decode.txt --max-decode-depth=2 --log-level=debug ○ │╲ │ ○ ○ ░ ░ gitleaks 4:08PM DBG using stdlib regex engine 4:08PM DBG unable to load gitleaks config from decode.txt/.gitleaks.toml since --source=decode.txt is a file, using default config 4:08PM DBG found .gitleaksignore file: .gitleaksignore 4:08PM DBG segment found: original=[29,38] pos=[29,38]: "%3D%3D%0A" -> "==\n" 4:08PM DBG segment found: original=[11,38] pos=[11,31]: "aGVsbG8sIHdvcmxkIQ==" -> "hello, world!" 4:08PM INF scanned ~50 bytes (50 bytes) in 1.5ms 4:08PM INF no leaks found ``` ### [`v8.25.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.25.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.25.0...v8.25.1) ##### Changelog - [`d1c7759`](https://github.com/gitleaks/gitleaks/commit/d1c7759) fix(detect): test all allowlists ([#​1845](https://github.com/gitleaks/gitleaks/issues/1845)) Big thanks [@​rgmz](https://github.com/rgmz) ### [`v8.25.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.25.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.24.3...v8.25.0) ##### Changelog - [`4451b45`](https://github.com/gitleaks/gitleaks/commit/4451b45) feat(config): define multiple global allowlists ([#​1777](https://github.com/gitleaks/gitleaks/issues/1777)) (cause for the minor bump change) - [`7fb21a4`](https://github.com/gitleaks/gitleaks/commit/7fb21a4) feat(rules): Add Perplexity AI API key detection ([#​1825](https://github.com/gitleaks/gitleaks/issues/1825)) - [`f6193bc`](https://github.com/gitleaks/gitleaks/commit/f6193bc) feat(gcp): increase rule entropy ([#​1840](https://github.com/gitleaks/gitleaks/issues/1840)) - [`9bc7257`](https://github.com/gitleaks/gitleaks/commit/9bc7257) Adding clickhouse scanner ([#​1826](https://github.com/gitleaks/gitleaks/issues/1826)) - [`b6cc71a`](https://github.com/gitleaks/gitleaks/commit/b6cc71a) fix(baseline): work with --redact ([#​1741](https://github.com/gitleaks/gitleaks/issues/1741)) - [`cfdeb0d`](https://github.com/gitleaks/gitleaks/commit/cfdeb0d) feat(rule): validate & sort rule when generating ([#​1817](https://github.com/gitleaks/gitleaks/issues/1817)) ### [`v8.24.3`](https://github.com/gitleaks/gitleaks/releases/tag/v8.24.3) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.24.2...v8.24.3) ##### Changelog - [`107a418`](https://github.com/gitleaks/gitleaks/commit/107a418) Add support for GitLab Runner Tokens (Routable) ([#​1820](https://github.com/gitleaks/gitleaks/issues/1820)) - [`7fac002`](https://github.com/gitleaks/gitleaks/commit/7fac002) bump repo version in pre-commit example ([#​1815](https://github.com/gitleaks/gitleaks/issues/1815)) - [`4b54104`](https://github.com/gitleaks/gitleaks/commit/4b54104) Fix currentLine out of bounds error ([#​1810](https://github.com/gitleaks/gitleaks/issues/1810)) - [`af7d5bc`](https://github.com/gitleaks/gitleaks/commit/af7d5bc) add support for Azure DevOps platform in SCM detection and link ([#​1807](https://github.com/gitleaks/gitleaks/issues/1807)) - [`3e8cd2d`](https://github.com/gitleaks/gitleaks/commit/3e8cd2d) Add MaxMind license key rule ([#​1771](https://github.com/gitleaks/gitleaks/issues/1771)) - [`ddcc753`](https://github.com/gitleaks/gitleaks/commit/ddcc753) implement new openai regex pattern ([#​1780](https://github.com/gitleaks/gitleaks/issues/1780)) - [`9708e65`](https://github.com/gitleaks/gitleaks/commit/9708e65) A first attempt adding hooks.slack.com/triggers/ ([#​1792](https://github.com/gitleaks/gitleaks/issues/1792)) - [`198e410`](https://github.com/gitleaks/gitleaks/commit/198e410) feat(generic): tweak false-positives ([#​1803](https://github.com/gitleaks/gitleaks/issues/1803)) - [`e273a97`](https://github.com/gitleaks/gitleaks/commit/e273a97) chore: tweak logging and readme for GITLEAKS\_CONFIG\_TOML feature ([#​1802](https://github.com/gitleaks/gitleaks/issues/1802)) - [`a503b58`](https://github.com/gitleaks/gitleaks/commit/a503b58) feat: add option to set config from env var with toml content ([#​1662](https://github.com/gitleaks/gitleaks/issues/1662)) ### [`v8.24.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.24.2) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.24.0...v8.24.2) ##### What's Changed - Fix `platform` flag being ignored with `gitleaks detect` by [@​rgmz](https://github.com/rgmz) in https://github.com/gitleaks/gitleaks/pull/1765 - Make AddFinding public by [@​bplaxco](https://github.com/bplaxco) in https://github.com/gitleaks/gitleaks/pull/1767 - FIX upgrade x/crypto to 0.31.0 to get rid of CVE-2024-45337 by [@​cgoessen](https://github.com/cgoessen) in https://github.com/gitleaks/gitleaks/pull/1768 - Upgrade rs/zerolog, spf13/cobra, and spf13/viper by [@​rgmz](https://github.com/rgmz) in https://github.com/gitleaks/gitleaks/pull/1769 - Infer `report-format` from `report-path` extension if no value is provided by [@​rgmz](https://github.com/rgmz) in https://github.com/gitleaks/gitleaks/pull/1776 - `generic-api-key`: ignore csrf-tokens by [@​rgmz](https://github.com/rgmz) in https://github.com/gitleaks/gitleaks/pull/1779 - Prevent Yocto/BitBake false positives with generic-api-key rule by [@​Okeanos](https://github.com/Okeanos) in https://github.com/gitleaks/gitleaks/pull/1783 - Fix decoded line allowlist by [@​zricethezav](https://github.com/zricethezav) in https://github.com/gitleaks/gitleaks/pull/1788 - Readme badge revisions by [@​jessp01](https://github.com/jessp01) in https://github.com/gitleaks/gitleaks/pull/1744 - feat(regexp): use standard regexp by default, make go-re2 opt-in by [@​twpayne](https://github.com/twpayne) in https://github.com/gitleaks/gitleaks/pull/1798 - gore2 release tags by [@​zricethezav](https://github.com/zricethezav) in https://github.com/gitleaks/gitleaks/pull/1801 ##### New Contributors - [@​cgoessen](https://github.com/cgoessen) made their first contribution in https://github.com/gitleaks/gitleaks/pull/1768 - [@​Okeanos](https://github.com/Okeanos) made their first contribution in https://github.com/gitleaks/gitleaks/pull/1783 - [@​jessp01](https://github.com/jessp01) made their first contribution in https://github.com/gitleaks/gitleaks/pull/1744 - [@​twpayne](https://github.com/twpayne) made their first contribution in https://github.com/gitleaks/gitleaks/pull/1798 **Full Changelog**: https://github.com/gitleaks/gitleaks/compare/v8.24.0...v8.24.2 ### [`v8.24.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.24.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.23.3...v8.24.0) ##### Changelog - [`c2afd56`](https://github.com/gitleaks/gitleaks/commit/c2afd56) Make paths and fingerprints platform-agnostic ([#​1622](https://github.com/gitleaks/gitleaks/issues/1622)) - [`818e32f`](https://github.com/gitleaks/gitleaks/commit/818e32f) Add Sonar rule ([#​1756](https://github.com/gitleaks/gitleaks/issues/1756)) - [`3fa5a3a`](https://github.com/gitleaks/gitleaks/commit/3fa5a3a) Minor false positive improvements ([#​1758](https://github.com/gitleaks/gitleaks/issues/1758)) - [`2020e6a`](https://github.com/gitleaks/gitleaks/commit/2020e6a) Add support for streaming DetectReader ([#​1760](https://github.com/gitleaks/gitleaks/issues/1760)) - [`9122a2d`](https://github.com/gitleaks/gitleaks/commit/9122a2d) chore: Update github.com/wasilibs/go-re2 to v1.9.0 ([#​1763](https://github.com/gitleaks/gitleaks/issues/1763)) - [`398d0c4`](https://github.com/gitleaks/gitleaks/commit/398d0c4) docs: describe extended rules take precedence over base rules ([#​1563](https://github.com/gitleaks/gitleaks/issues/1563)) - [`ae26eff`](https://github.com/gitleaks/gitleaks/commit/ae26eff) feat(git): disable link generation ([#​1748](https://github.com/gitleaks/gitleaks/issues/1748)) - [`c6424a6`](https://github.com/gitleaks/gitleaks/commit/c6424a6) added sourcegraph token rule ([#​1736](https://github.com/gitleaks/gitleaks/issues/1736)) - [`6411402`](https://github.com/gitleaks/gitleaks/commit/6411402) feat(config): add rule for .p12 files ([#​1738](https://github.com/gitleaks/gitleaks/issues/1738)) - [`d71d95d`](https://github.com/gitleaks/gitleaks/commit/d71d95d) add deno.lock to default exclusions ([#​1740](https://github.com/gitleaks/gitleaks/issues/1740)) ### [`v8.23.3`](https://github.com/gitleaks/gitleaks/releases/tag/v8.23.3) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.23.2...v8.23.3) ##### Changelog - [`3188ad6`](https://github.com/gitleaks/gitleaks/commit/3188ad6) Don't exit with error if git repacking is required ([#​1711](https://github.com/gitleaks/gitleaks/issues/1711)) - [`7fc11bb`](https://github.com/gitleaks/gitleaks/commit/7fc11bb) refactor(config): use non-capture groups for allowlists ([#​1735](https://github.com/gitleaks/gitleaks/issues/1735)) - [`36c52c6`](https://github.com/gitleaks/gitleaks/commit/36c52c6) chore: Enhance `curl-auth-user` to detect empty usernames or passwords ([#​1726](https://github.com/gitleaks/gitleaks/issues/1726)) - [`1f323d8`](https://github.com/gitleaks/gitleaks/commit/1f323d8) fix(cmd): read log-opts before GitLogCmd ([#​1730](https://github.com/gitleaks/gitleaks/issues/1730)) ### [`v8.23.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.23.2) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.23.1...v8.23.2) ##### Changelog - [`d88bc09`](https://github.com/gitleaks/gitleaks/commit/d88bc09) facebook keyword - [`3fdaefd`](https://github.com/gitleaks/gitleaks/commit/3fdaefd) fix(meraki): restrict keyword case ([#​1722](https://github.com/gitleaks/gitleaks/issues/1722)) - [`f3ae52e`](https://github.com/gitleaks/gitleaks/commit/f3ae52e) feat(generic-api-key): detect base64 ([#​1598](https://github.com/gitleaks/gitleaks/issues/1598)) - [`d6a828a`](https://github.com/gitleaks/gitleaks/commit/d6a828a) great branch name ([#​1721](https://github.com/gitleaks/gitleaks/issues/1721)) - [`d2ffffe`](https://github.com/gitleaks/gitleaks/commit/d2ffffe) fix(git): remove .git suffix for links ([#​1716](https://github.com/gitleaks/gitleaks/issues/1716)) - [`a43dc0d`](https://github.com/gitleaks/gitleaks/commit/a43dc0d) chore: refine generic-api-key fps + trace logging ([#​1720](https://github.com/gitleaks/gitleaks/issues/1720)) - [`69ed20e`](https://github.com/gitleaks/gitleaks/commit/69ed20e) fix(generate): move newline out of char range ([#​1719](https://github.com/gitleaks/gitleaks/issues/1719)) - [`52b895a`](https://github.com/gitleaks/gitleaks/commit/52b895a) newline literal ([#​1718](https://github.com/gitleaks/gitleaks/issues/1718)) - [`3f4d91f`](https://github.com/gitleaks/gitleaks/commit/3f4d91f) build: support either stdlib or 3rd-party regexp ([#​1706](https://github.com/gitleaks/gitleaks/issues/1706)) - [`049f5b2`](https://github.com/gitleaks/gitleaks/commit/049f5b2) chore(detect): update trace logging ([#​1713](https://github.com/gitleaks/gitleaks/issues/1713)) - [`7a6183d`](https://github.com/gitleaks/gitleaks/commit/7a6183d) feat(git): redact passwords from remote URL ([#​1709](https://github.com/gitleaks/gitleaks/issues/1709)) - [`3c7f3f0`](https://github.com/gitleaks/gitleaks/commit/3c7f3f0) feat(git): include link in report ([#​1698](https://github.com/gitleaks/gitleaks/issues/1698)) - [`0e3f4f7`](https://github.com/gitleaks/gitleaks/commit/0e3f4f7) chore: reduce generic-api-key fps ([#​1707](https://github.com/gitleaks/gitleaks/issues/1707)) - [`3ed8567`](https://github.com/gitleaks/gitleaks/commit/3ed8567) blorp - [`e977850`](https://github.com/gitleaks/gitleaks/commit/e977850) added new rule for cisco meraki api key ([#​1700](https://github.com/gitleaks/gitleaks/issues/1700)) - [`ad7a4fb`](https://github.com/gitleaks/gitleaks/commit/ad7a4fb) feat: general fp tweaks ([#​1703](https://github.com/gitleaks/gitleaks/issues/1703)) - [`b2cf03c`](https://github.com/gitleaks/gitleaks/commit/b2cf03c) chore(generate): use \x60 instead of literal ([#​1702](https://github.com/gitleaks/gitleaks/issues/1702)) - [`a3f623c`](https://github.com/gitleaks/gitleaks/commit/a3f623c) chore(regex): simplify secretPrefix, suffix ([#​1620](https://github.com/gitleaks/gitleaks/issues/1620)) - [`cc71bb1`](https://github.com/gitleaks/gitleaks/commit/cc71bb1) update version for pre-commit in README.md ([#​1699](https://github.com/gitleaks/gitleaks/issues/1699)) ### [`v8.23.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.23.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.23.0...v8.23.1) ##### Changelog - [`7bad9f7`](https://github.com/gitleaks/gitleaks/commit/7bad9f7) chore(gcp): add firebase example keys to the gcp-api-key allowlists ([#​1635](https://github.com/gitleaks/gitleaks/issues/1635)) - [`977236c`](https://github.com/gitleaks/gitleaks/commit/977236c) fix: unaligned 64-bit atomic operation panic ([#​1696](https://github.com/gitleaks/gitleaks/issues/1696)) - [`a211b16`](https://github.com/gitleaks/gitleaks/commit/a211b16) force push to master everyday - [`0e5f644`](https://github.com/gitleaks/gitleaks/commit/0e5f644) feat(config): disable extended rule ([#​1535](https://github.com/gitleaks/gitleaks/issues/1535)) - [`f320a60`](https://github.com/gitleaks/gitleaks/commit/f320a60) style: prevent globbing and word splitting ([#​1543](https://github.com/gitleaks/gitleaks/issues/1543)) - [`c4526b2`](https://github.com/gitleaks/gitleaks/commit/c4526b2) refactor(generic-api-key): remove hard-coded 'magic' ([#​1600](https://github.com/gitleaks/gitleaks/issues/1600)) - [`748076d`](https://github.com/gitleaks/gitleaks/commit/748076d) chore(generate): add failing test case ([#​1690](https://github.com/gitleaks/gitleaks/issues/1690)) ### [`v8.23.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.23.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.22.1...v8.23.0) ##### Changelog - [`db8e5e6`](https://github.com/gitleaks/gitleaks/commit/db8e5e6) feat(generate): use multiple allowlists ([#​1691](https://github.com/gitleaks/gitleaks/issues/1691)) - [`973c794`](https://github.com/gitleaks/gitleaks/commit/973c794) chore(rules): include fps in reference ([#​1471](https://github.com/gitleaks/gitleaks/issues/1471)) - [`f0d4499`](https://github.com/gitleaks/gitleaks/commit/f0d4499) Add comma as operator for GenerateSemiGenericRegex ([#​1679](https://github.com/gitleaks/gitleaks/issues/1679)) - [`ab38a46`](https://github.com/gitleaks/gitleaks/commit/ab38a46) refactor: central logger ([#​1692](https://github.com/gitleaks/gitleaks/issues/1692)) - [`b022d1c`](https://github.com/gitleaks/gitleaks/commit/b022d1c) friendship ended with tines READ THIS!!! The default gitleaks config now uses `[[rules.allowlists]]` ```toml ##### ⚠️ In v8.21.0 `[rules.allowlist]` was replaced with `[[rules.allowlists]]`. ##### This change was backwards-compatible: instances of `[rules.allowlist]` still work. # ##### You can define multiple allowlists for a rule to reduce false positives. ##### A finding will be ignored if _ANY_ `[[rules.allowlists]]` matches. [[rules.allowlists]] description = "ignore commit A" ##### When multiple criteria are defined the default condition is "OR". ##### e.g., this can match on |commits| OR |paths| OR |stopwords|. condition = "OR" commits = [ "commit-A", "commit-B"] paths = [ '''go\.mod''', '''go\.sum''' ] ##### note: stopwords targets the extracted secret, not the entire regex match ##### like 'regexes' does. (stopwords introduced in 8.8.0) stopwords = [ '''client''', '''endpoint''', ] [[rules.allowlists]] ##### The "AND" condition can be used to make sure all criteria match. ##### e.g., this matches if |regexes| AND |paths| are satisfied. condition = "AND" ##### note: |regexes| defaults to check the _Secret_ in the finding. ##### Acceptable values for |regexTarget| are "secret" (default), "match", and "line". regexTarget = "match" regexes = [ '''(?i)parseur[il]''' ] paths = [ '''package-lock\.json''' ] ``` ### [`v8.22.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.22.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.22.0...v8.22.1) ##### Changelog - [`b69b515`](https://github.com/gitleaks/gitleaks/commit/b69b515) Entropy trace ([#​1659](https://github.com/gitleaks/gitleaks/issues/1659)) - [`7357adc`](https://github.com/gitleaks/gitleaks/commit/7357adc) build: add 'toolchain' to go.mod ([#​1682](https://github.com/gitleaks/gitleaks/issues/1682)) - [`4c3da6e`](https://github.com/gitleaks/gitleaks/commit/4c3da6e) refactor(detect): create readUntilSafeBoundary + add tests ([#​1676](https://github.com/gitleaks/gitleaks/issues/1676)) - [`dbe3746`](https://github.com/gitleaks/gitleaks/commit/dbe3746) twitter really does suck ass now - [`7edfc6b`](https://github.com/gitleaks/gitleaks/commit/7edfc6b) chore(tests): test cases for generate.go ([#​1623](https://github.com/gitleaks/gitleaks/issues/1623)) - [`efe40ca`](https://github.com/gitleaks/gitleaks/commit/efe40ca) fix: only use non-empty secret groups ([#​1632](https://github.com/gitleaks/gitleaks/issues/1632)) - [`7cb5f6f`](https://github.com/gitleaks/gitleaks/commit/7cb5f6f) build: upgrade sprig v2->v3 ([#​1674](https://github.com/gitleaks/gitleaks/issues/1674)) - [`2930537`](https://github.com/gitleaks/gitleaks/commit/2930537) fix: generate report file even if no findings ([#​1673](https://github.com/gitleaks/gitleaks/issues/1673)) ### [`v8.22.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.22.0) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.4...v8.22.0) ##### Changelog - [`a91c671`](https://github.com/gitleaks/gitleaks/commit/a91c671) replace std library regex engine with go-re2 ([#​1669](https://github.com/gitleaks/gitleaks/issues/1669)) *** This bumps the gitleaks binary size from around 8.5MB to 15MB but yields 2-4x speedup. Worth it imo. If you feel strongly against this change feel free to open an issue where we can discuss the tradeoffs in more depth. Credit to [@​ahrav](https://github.com/ahrav) ### [`v8.21.4`](https://github.com/gitleaks/gitleaks/releases/tag/v8.21.4) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.3...v8.21.4) ##### Changelog - [`906085f`](https://github.com/gitleaks/gitleaks/commit/906085f) Update golang version to 1.23 ([#​1672](https://github.com/gitleaks/gitleaks/issues/1672)) - [`8a83062`](https://github.com/gitleaks/gitleaks/commit/8a83062) log bytes ([#​1670](https://github.com/gitleaks/gitleaks/issues/1670)) ### [`v8.21.3`](https://github.com/gitleaks/gitleaks/releases/tag/v8.21.3) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.2...v8.21.3) ##### Changelog - [`a9e6d8c`](https://github.com/gitleaks/gitleaks/commit/a9e6d8c) go mod 1.23 - [`2f73a3e`](https://github.com/gitleaks/gitleaks/commit/2f73a3e) Ensure keywords are downcased ([#​1633](https://github.com/gitleaks/gitleaks/issues/1633)) - [`f696605`](https://github.com/gitleaks/gitleaks/commit/f696605) feat: add settlemint api keys detection ([#​1663](https://github.com/gitleaks/gitleaks/issues/1663)) - [`0bf13fc`](https://github.com/gitleaks/gitleaks/commit/0bf13fc) feat(dir): better chunking ([#​1665](https://github.com/gitleaks/gitleaks/issues/1665)) - [`83e99ba`](https://github.com/gitleaks/gitleaks/commit/83e99ba) feat(report): allow user-defined templates ([#​1650](https://github.com/gitleaks/gitleaks/issues/1650)) - [`e393d29`](https://github.com/gitleaks/gitleaks/commit/e393d29) Add support for GitLab routable tokens ([#​1656](https://github.com/gitleaks/gitleaks/issues/1656)) - [`263ce82`](https://github.com/gitleaks/gitleaks/commit/263ce82) Add freemius secret key detection ([#​1611](https://github.com/gitleaks/gitleaks/issues/1611)) - [`3c0e068`](https://github.com/gitleaks/gitleaks/commit/3c0e068) fix(kubernetes): only match 'kind: secret' ([#​1649](https://github.com/gitleaks/gitleaks/issues/1649)) - [`f3adda0`](https://github.com/gitleaks/gitleaks/commit/f3adda0) feat: use STDOUT when report file not specified ([#​1642](https://github.com/gitleaks/gitleaks/issues/1642)) - [`ed205a5`](https://github.com/gitleaks/gitleaks/commit/ed205a5) fix(dir): skip opening file\&dir if allowlist matches ([#​1653](https://github.com/gitleaks/gitleaks/issues/1653)) - [`6018012`](https://github.com/gitleaks/gitleaks/commit/6018012) fix: increase chunk size 10kb -> 100kb ([#​1652](https://github.com/gitleaks/gitleaks/issues/1652)) - [`7f77987`](https://github.com/gitleaks/gitleaks/commit/7f77987) feat: detect sentry.io tokens in the new format ([#​1640](https://github.com/gitleaks/gitleaks/issues/1640)) - [`48a2e0e`](https://github.com/gitleaks/gitleaks/commit/48a2e0e) refactor: pre-commit hooks ([#​1627](https://github.com/gitleaks/gitleaks/issues/1627)) - [`4e303d0`](https://github.com/gitleaks/gitleaks/commit/4e303d0) fix(easypost): only detect tokens of correct length ([#​1628](https://github.com/gitleaks/gitleaks/issues/1628)) - [`c1add1d`](https://github.com/gitleaks/gitleaks/commit/c1add1d) feat(dir): continue on permission error ([#​1621](https://github.com/gitleaks/gitleaks/issues/1621)) - [`202106a`](https://github.com/gitleaks/gitleaks/commit/202106a) Add human readable description for curl rules ([#​1625](https://github.com/gitleaks/gitleaks/issues/1625)) - [`8e94f98`](https://github.com/gitleaks/gitleaks/commit/8e94f98) Add option to include `Line` field in report ([#​1616](https://github.com/gitleaks/gitleaks/issues/1616)) - [`dbb42a7`](https://github.com/gitleaks/gitleaks/commit/dbb42a7) hm (great comment) - [`2599460`](https://github.com/gitleaks/gitleaks/commit/2599460) Update README.md - [`8ffb980`](https://github.com/gitleaks/gitleaks/commit/8ffb980) nop for stupid build - [`4181ad6`](https://github.com/gitleaks/gitleaks/commit/4181ad6) Add new jira api token pattern ([#​1601](https://github.com/gitleaks/gitleaks/issues/1601)) - [`48ea14b`](https://github.com/gitleaks/gitleaks/commit/48ea14b) feat: update global & generic allowlist ([#​1618](https://github.com/gitleaks/gitleaks/issues/1618)) - [`81f0002`](https://github.com/gitleaks/gitleaks/commit/81f0002) fix(vault-service-token): ensure that TPS contains digits ([#​1614](https://github.com/gitleaks/gitleaks/issues/1614)) - [`c11adc9`](https://github.com/gitleaks/gitleaks/commit/c11adc9) Generate comprehensive secret samples ([#​1484](https://github.com/gitleaks/gitleaks/issues/1484)) - [`d1d9054`](https://github.com/gitleaks/gitleaks/commit/d1d9054) fix(aws): detect token in url ([#​1615](https://github.com/gitleaks/gitleaks/issues/1615)) - [`5fe58bf`](https://github.com/gitleaks/gitleaks/commit/5fe58bf) fix(rules): entropy, uppercase in samples ([#​1593](https://github.com/gitleaks/gitleaks/issues/1593)) - [`5c2e813`](https://github.com/gitleaks/gitleaks/commit/5c2e813) feat: tweak rules ([#​1608](https://github.com/gitleaks/gitleaks/issues/1608)) ### [`v8.21.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.21.2) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.1...v8.21.2) ##### Changelog - [`43fae35`](https://github.com/gitleaks/gitleaks/commit/43fae35) feat(rules): create Octopus Deploy api key ([#​1602](https://github.com/gitleaks/gitleaks/issues/1602)) - [`a158e4f`](https://github.com/gitleaks/gitleaks/commit/a158e4f) fix(aws-access-token): only match if correct length ([#​1584](https://github.com/gitleaks/gitleaks/issues/1584)) - [`b6e0eee`](https://github.com/gitleaks/gitleaks/commit/b6e0eee) fix(config): ignore jquery/swagger w/o version ([#​1607](https://github.com/gitleaks/gitleaks/issues/1607)) - [`722e7d8`](https://github.com/gitleaks/gitleaks/commit/722e7d8) feat: add new GitLab tokens ([#​1560](https://github.com/gitleaks/gitleaks/issues/1560)) - [`961f2e6`](https://github.com/gitleaks/gitleaks/commit/961f2e6) feat(generic-api-key): tune false positives ([#​1606](https://github.com/gitleaks/gitleaks/issues/1606)) - [`e734fcf`](https://github.com/gitleaks/gitleaks/commit/e734fcf) Create .gitleaks.toml ([#​1605](https://github.com/gitleaks/gitleaks/issues/1605)) - [`7206d6b`](https://github.com/gitleaks/gitleaks/commit/7206d6b) feat(curl): tweak tps and fps ([#​1603](https://github.com/gitleaks/gitleaks/issues/1603)) - [`2db25f1`](https://github.com/gitleaks/gitleaks/commit/2db25f1) feat(config): ignore swagger-ui assets ([#​1604](https://github.com/gitleaks/gitleaks/issues/1604)) - [`e97695b`](https://github.com/gitleaks/gitleaks/commit/e97695b) feat(generic-api-key): exclude keywords ([#​1587](https://github.com/gitleaks/gitleaks/issues/1587)) - [`0afb525`](https://github.com/gitleaks/gitleaks/commit/0afb525) feat(okta): bump entropy to 4 ([#​1599](https://github.com/gitleaks/gitleaks/issues/1599)) - [`2068870`](https://github.com/gitleaks/gitleaks/commit/2068870) feat: update global allowlist ([#​1597](https://github.com/gitleaks/gitleaks/issues/1597)) - [`8cf93b9`](https://github.com/gitleaks/gitleaks/commit/8cf93b9) refactor(allowlist): deduplicate commits & keywords ([#​1596](https://github.com/gitleaks/gitleaks/issues/1596)) - [`50c2818`](https://github.com/gitleaks/gitleaks/commit/50c2818) feat(config): ignore jquery static assets ([#​1595](https://github.com/gitleaks/gitleaks/issues/1595)) - [`455ae0a`](https://github.com/gitleaks/gitleaks/commit/455ae0a) More rule fixes ([#​1586](https://github.com/gitleaks/gitleaks/issues/1586)) - [`5407c44`](https://github.com/gitleaks/gitleaks/commit/5407c44) chore: log skipped symlinks ([#​1591](https://github.com/gitleaks/gitleaks/issues/1591)) - [`d03d6c4`](https://github.com/gitleaks/gitleaks/commit/d03d6c4) feat: match left side of identifier ([#​1585](https://github.com/gitleaks/gitleaks/issues/1585)) - [`851c11a`](https://github.com/gitleaks/gitleaks/commit/851c11a) what secrets? - [`8cfa6b2`](https://github.com/gitleaks/gitleaks/commit/8cfa6b2) fix(rules): add entropy ([#​1580](https://github.com/gitleaks/gitleaks/issues/1580)) - [`9152eaa`](https://github.com/gitleaks/gitleaks/commit/9152eaa) feat(aws): add entropy & allowlist ([#​1582](https://github.com/gitleaks/gitleaks/issues/1582)) - [`93acc6e`](https://github.com/gitleaks/gitleaks/commit/93acc6e) feat(rules): add 1password token ([#​1583](https://github.com/gitleaks/gitleaks/issues/1583)) - [`83a5724`](https://github.com/gitleaks/gitleaks/commit/83a5724) feat(config): add curl header rule ([#​1576](https://github.com/gitleaks/gitleaks/issues/1576)) ### [`v8.21.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.21.1) [Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.0...v8.21.1) ##### Changelog - [`cf5334f`](https://github.com/gitleaks/gitleaks/commit/cf5334f) feat: add curl basic auth rule ([#​1575](https://github.com/gitleaks/gitleaks/issues/1575)) - [`d07b394`](https://github.com/gitleaks/gitleaks/commit/d07b394) Update spelling in README.md ([#​1574](https://github.com/gitleaks/gitleaks/issues/1574)) - [`5c03fa4`](https://github.com/gitleaks/gitleaks/commit/5c03fa4) refactor(allowlist): use iota for condition ([#​1569](https://github.com/gitleaks/gitleaks/issues/1569)) - [`12034a7`](https://github.com/gitleaks/gitleaks/commit/12034a7) refactor(config): temporarily switch to \[rules.allowlist] ([#​1573](https://github.com/gitleaks/gitleaks/issues/1573)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: https://git.unespace.com/julien/apf_portal/pulls/79 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
4473b1d4a4 |
chore(ci): track trivy and gitleaks binary versions via renovate custom manager (#78)
## Summary Until now the Trivy and gitleaks pins in `.gitea/workflows/*.yml` were manual — Renovate's built-in managers only see package-manager-tracked deps (npm, docker-compose images, GitHub Actions, etc.) and ignore plain env vars. The comment in each workflow telling the next contributor to "bump manually from the releases page" is the kind of friction that gets forgotten between two security advisories. Add a **custom regex manager** that picks up `# renovate: datasource=… depName=…` annotations immediately followed by an env-var assignment of the form `<NAME>_VERSION: '<version>'`. The 4 pins (`TRIVY_VERSION` + `GITLEAKS_VERSION` in both `ci.yml` and `security-scheduled.yml`) get annotated with the `github-releases` datasource and the upstream `owner/repo` depName. `extractVersionTemplate: ^v?(?<version>.+)$` strips the `v` prefix used by both projects' release tags, so the version substituted into the env var (which our shell script consumes without `v`) stays correct. ## What lands - **`renovate.json`** — new `customManagers` block. The dashboard triage header is updated to reflect the new tracking (was "not Renovate-tracked yet"). - **`.gitea/workflows/ci.yml`** — annotate the Trivy and gitleaks env vars; remove the dead "manual bump" comments. - **`.gitea/workflows/security-scheduled.yml`** — same. ## Verified Node-side dry-run of the regex against both workflow files: ``` ci.yml → trivy 0.70.0, gitleaks 8.21.0 security-scheduled.yml → trivy 0.70.0, gitleaks 8.21.0 ``` All 4 expected matches with the right `datasource` / `depName` / `currentValue` captures. ## Test plan - [ ] CI green on this PR. - [ ] After merge, the next Renovate run picks up Trivy and gitleaks as detected dependencies in the dashboard. New patch / minor releases should now produce normal Renovate PRs (auto-merging on patches per #74). - [ ] No manual "bump from the releases page" reminders left in the workflow YAML. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #78 |
||
|
|
a0e8e095d0 |
fix(ci): run scanners before pnpm install to avoid node_modules false positives (#51)
## Summary First successful gitleaks run flagged **381 "leaks"** — all inside `node_modules/` and `.pnpm-store/`, populated by the `pnpm install --frozen-lockfile` step that ran earlier in the job. Upstream npm packages routinely embed demo RSA keys / fake API tokens in their READMEs and test fixtures, and gitleaks correctly (by its rules) flags them. Same class of false-positive Trivy hit in #49 — solved there by `--scanners vuln`. Here, the cleanest solution is **reordering**: run the scanners *before* `pnpm install`, so the working tree contains only our committed source. - **Trivy** scans `pnpm-lock.yaml` (committed) — doesn't need install. - **Gitleaks** scans the working tree (`--no-git --source .` in ci.yml) — doesn't need install. - **pnpm audit** reads `pnpm-lock.yaml` against the advisory DB — also doesn't need install. The install before audit remains for the workspace-integrity sanity check. The ordering rationale is committed as a comment at the top of each job's `steps:` block, so a future contributor doesn't innocently shuffle the steps and re-flood the gate with FPs. Same reordering applied to `.gitea/workflows/security-scheduled.yml` for consistency, even though its deep-history gitleaks scan doesn't suffer this issue (`node_modules` is `.gitignore`d from day one — never in history). ## Test plan - [ ] `scan` job goes green end-to-end on this PR — gitleaks reports 0 leaks (or only real ones from our source, none expected). - [ ] On `push` to main post-merge, scan stays green. - [ ] Trigger `security-scheduled` manually before next Monday's cron to verify the same ordering doesn't break the deep scan. ## After this PR With #43 (TS/ESLint reverts), #45 (Trivy install), #49 (Trivy `--scanners vuln`), #50 (gitleaks install), and now this — every gate of the CI pipeline should be green end-to-end. Phase-1 CI bring-up is then complete and we can move to **A — local infra recipe** (Postgres + Redis + OTel Collector). --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #51 |
||
|
|
0d27f835c3 |
fix(ci): replace gitleaks-action with manual install (#50)
## Summary `gitleaks/gitleaks-action@v2` is now paywalled for organisations — the action requires a `GITLEAKS_LICENSE` secret from gitleaks.io (commercial) or it errors out: ``` 🛑 missing gitleaks license. Go grab one at gitleaks.io and store it as a GitHub Secret named GITLEAKS_LICENSE. ``` Worse, on Gitea it cannot reliably detect personal-vs-org accounts (different API contract), so it defaults to license enforcement and the scan always fails. The **gitleaks binary itself stays MIT-licensed and free** — only the wrapper went commercial. Mirror the pattern from #45 (Trivy): drop the wrapper, install the binary directly via curl + tar, run the CLI. ## Scope of the PR The same two broken integrations existed in `.gitea/workflows/security-scheduled.yml` and would have failed silently at next Monday's cron. Fix both files in one PR for consistency. - **`ci.yml`** — gitleaks step replaced. Per-PR scan uses `--no-git --source .` (working tree only — the scan job uses a shallow checkout anyway). - **`security-scheduled.yml`** — both gitleaks AND trivy steps replaced; `fetch-depth: 0` added so gitleaks can do its **deep history scan** here (the value-add of the scheduled job over the per-PR gate); `cache: 'pnpm'` dropped from `actions/setup-node` (consistency with #8 — the act_runner cache server is unreachable from job containers). - `--redact` on both gitleaks invocations so any matched secret is masked in the CI log itself (avoids re-leaking via log artefacts). ## Trade-off Like Trivy, gitleaks version is now manually pinned. Same comment in the workflow points to releases for bumps. ## Test plan - [ ] `scan` job goes green end-to-end on this PR (audit ✓, Trivy ✓, gitleaks ✓). - [ ] `gitleaks version` line in the install step's logs shows `8.21.0`. - [ ] On `push` to main post-merge, scan stays green. - [ ] Trigger `security-scheduled` manually (Actions → Run workflow) to verify the deep-history scan path before next Monday's cron fires. --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #50 |
||
|
|
3e4c580519 |
chore(deps): update pnpm/action-setup action to v6 (#37)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [pnpm/action-setup](https://github.com/pnpm/action-setup) | action | major | `v3` -> `v6` | --- ### Release Notes <details> <summary>pnpm/action-setup (pnpm/action-setup)</summary> ### [`v6`](https://github.com/pnpm/action-setup/compare/v5...v6) [Compare Source](https://github.com/pnpm/action-setup/compare/v5...v6) ### [`v5`](https://github.com/pnpm/action-setup/compare/v4...v5) [Compare Source](https://github.com/pnpm/action-setup/compare/v4...v5) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: #37 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
9fbf37c2ef |
chore(deps): update actions/upload-artifact action to v7 (#28)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/upload-artifact](https://github.com/actions/upload-artifact) | action | major | `v4` -> `v7` | --- ### Release Notes <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v7`](https://github.com/actions/upload-artifact/compare/v6...v7) [Compare Source](https://github.com/actions/upload-artifact/compare/v6...v7) ### [`v6`](https://github.com/actions/upload-artifact/compare/v5...v6) [Compare Source](https://github.com/actions/upload-artifact/compare/v5...v6) ### [`v5`](https://github.com/actions/upload-artifact/compare/v4...v5) [Compare Source](https://github.com/actions/upload-artifact/compare/v4...v5) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: #28 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
4244f63831 |
chore(deps): update actions/setup-node action to v6 (#27)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/setup-node](https://github.com/actions/setup-node) | action | major | `v4` -> `v6` | --- ### Release Notes <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v6`](https://github.com/actions/setup-node/compare/v5...v6) [Compare Source](https://github.com/actions/setup-node/compare/v5...v6) ### [`v5`](https://github.com/actions/setup-node/compare/v4...v5) [Compare Source](https://github.com/actions/setup-node/compare/v4...v5) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: #27 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
adc14c14e0 |
chore(deps): update actions/checkout action to v6 (#26)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://github.com/actions/checkout) | action | major | `v4` -> `v6` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v6`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v602) [Compare Source](https://github.com/actions/checkout/compare/v5...v6) - Fix tag handling: preserve annotations and explicit fetch-tags by [@​ericsciple](https://github.com/ericsciple) in https://github.com/actions/checkout/pull/2356 ### [`v5`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v501) [Compare Source](https://github.com/actions/checkout/compare/v4...v5) - Port v6 cleanup to v5 by [@​ericsciple](https://github.com/ericsciple) in https://github.com/actions/checkout/pull/2301 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19--> Reviewed-on: #26 Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com> |
||
|
|
be7187d5f2 |
chore: scaffold Gitea Actions pipelines per ADR-0015 / ADR-0017
Wire the CI/CD pipeline scaffolding. Implements the level-2 (Gitea
Actions) part of ADR-0015 with the thin-YAML pattern, plus the perf
gate from ADR-0017. The level-1 decisions (gates list, branch model,
secrets policy) are unchanged.
Files:
- .nvmrc pins Node 24 (latest LTS major) for actions/setup-node.
- package.json gains four ci:* scripts that the workflows call:
- ci:check - 'nx affected -t format:check lint test build'
- ci:audit - 'pnpm audit --audit-level=moderate'
- ci:commits- 'commitlint --from $COMMIT_LINT_FROM --to HEAD'
- ci:perf - 'nx build portal-shell --configuration=production
&& lhci autorun --config=./lighthouserc.js'
All four runnable locally; CI workflows are thin wrappers.
- @lhci/cli added as a dev dependency for ci:perf.
- lighthouserc.js encodes the Core Web Vitals thresholds from
ADR-0017 (LCP <= 2500ms, CLS <= 0.1, TBT <= 200ms, server
response <= 800ms, Performance >= 0.9). v1 measures only the
static-served portal-shell bundle (Nx Welcome placeholder); the
critical-routes list expands as real screens land.
- .gitea/workflows/ci.yml runs five jobs on PR + push to main:
check, scan (audit + Trivy + gitleaks), commits (PR-only), perf,
a11y. The a11y job is a placeholder that no-ops with a clear
message; it wires up for real with the first Playwright e2e suite
(ADR-0016). All gates are blocking - branch protection on main
will require all five jobs green.
- .gitea/workflows/security-scheduled.yml runs weekly (Mon 04:00
UTC) for full-tree Trivy + gitleaks (no severity filter, no
skip-dirs - broader than per-PR) plus a Lighthouse run against
the prod URL when vars.LHCI_PROD_URL is set.
Slight deviation from ADR-0015 §'Level 2': Trivy and gitleaks are
binaries (Go) and don't have clean npm wrappers, so they are
invoked through their official Gitea-Actions-compatible actions
inside the YAML rather than via 'pnpm ci:scan'. The high-level
decision (gates: audit + secret-scan + dep-scan) is unchanged; the
script/action boundary is shifted by one tool. Documented here for
traceability; no ADR amendment needed.
Operational TODOs (not blocking the scaffold):
- pnpm audit currently reports 6 moderate transitive vulnerabilities
(ajv, brace-expansion, yaml, @hono/node-server, follow-redirects,
uuid) in deep deps of Nx/Angular plugins. CI will fail on this
gate until upstream updates land or Renovate bumps; expected and
documented.
- act_runner self-hosted instances are not yet registered against
the Gitea organisation; the workflows reference [self-hosted,
on-prem] runner labels per ADR-0015. CI will not actually execute
until the runners are up - that's an infra task.
- Branch protection rules on main (require all five jobs green) are
configured in Gitea UI, not in this commit.
- Lighthouse-prod scheduled job runs only when vars.LHCI_PROD_URL
is set - skipped silently otherwise. To be configured once a prod
environment exists.
|