Files
apf_portal/.gitea/workflows/ci.yml
T
APF Portal Bot 674c8b2f88
CI / commits (push) Has been skipped
CI / check (push) Successful in 1m46s
CI / a11y (push) Successful in 1m59s
CI / scan (push) Successful in 2m35s
CI / perf (push) Successful in 3m15s
chore(deps): update dependency gitleaks/gitleaks to v8.30.1 (#79)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [gitleaks/gitleaks](https://github.com/gitleaks/gitleaks) | minor | `8.21.0` -> `8.30.1` |

---

### Release Notes

<details>
<summary>gitleaks/gitleaks (gitleaks/gitleaks)</summary>

### [`v8.30.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.30.1)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.30.0...v8.30.1)

##### Changelog

- [`83d9cd6`](https://github.com/gitleaks/gitleaks/commit/83d9cd684c87d95d656c1458ef04895a7f1cbd8e) update goreleaser
- [`8d1f98c`](https://github.com/gitleaks/gitleaks/commit/8d1f98c7967eb1e79cb44ac6241a124e145d2165) Removed unnecessary functions from report template ([#&#8203;2040](https://github.com/gitleaks/gitleaks/issues/2040))
- [`ca20267`](https://github.com/gitleaks/gitleaks/commit/ca20267a84aa1fa2c2a9c1a13cdb50cafb48eeb0) its the simple things ([#&#8203;2020](https://github.com/gitleaks/gitleaks/issues/2020))
- [`b66ac75`](https://github.com/gitleaks/gitleaks/commit/b66ac75e4fa93d86d78fccd6e2f36d2c0698b2a2) build: switch to Go 1.24 ([#&#8203;2002](https://github.com/gitleaks/gitleaks/issues/2002))

### [`v8.30.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.30.0)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.29.1...v8.30.0)

##### Changelog

- [`6eaad03`](https://github.com/gitleaks/gitleaks/commit/6eaad03) 0 to 5 - notes on recursive decoding ([#&#8203;1994](https://github.com/gitleaks/gitleaks/issues/1994))
- [`09242ce`](https://github.com/gitleaks/gitleaks/commit/09242ce) Add new Looker client ID and client secret rules ([#&#8203;1947](https://github.com/gitleaks/gitleaks/issues/1947))
- [`c98e5e0`](https://github.com/gitleaks/gitleaks/commit/c98e5e0) feat: add Airtable Personnal Access Token detection ([#&#8203;1952](https://github.com/gitleaks/gitleaks/issues/1952))
- [`4ed0ca4`](https://github.com/gitleaks/gitleaks/commit/4ed0ca4) build: upgrade Go & alpine version ([#&#8203;1989](https://github.com/gitleaks/gitleaks/issues/1989))

### [`v8.29.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.29.1)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.29.0...v8.29.1)

##### Changelog

- [`fb5d707`](https://github.com/gitleaks/gitleaks/commit/fb5d707) thats a paddlin
- [`50493db`](https://github.com/gitleaks/gitleaks/commit/50493db) feat: document stdout report path ([#&#8203;1990](https://github.com/gitleaks/gitleaks/issues/1990))

### [`v8.29.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.29.0)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.28.0...v8.29.0)

##### Changelog

- [`ed65b65`](https://github.com/gitleaks/gitleaks/commit/ed65b65) Add trace log for skipped archive file when not enabled ([#&#8203;1961](https://github.com/gitleaks/gitleaks/issues/1961))
- [`c5ccbb9`](https://github.com/gitleaks/gitleaks/commit/c5ccbb9) Respect contexts with timeouts ([#&#8203;1948](https://github.com/gitleaks/gitleaks/issues/1948))
- [`3821f30`](https://github.com/gitleaks/gitleaks/commit/3821f30) Config min version ([#&#8203;1955](https://github.com/gitleaks/gitleaks/issues/1955))
- [`d223718`](https://github.com/gitleaks/gitleaks/commit/d223718) fix(config): validate rules when \[extend] is used ([#&#8203;1592](https://github.com/gitleaks/gitleaks/issues/1592))
- [`87d9629`](https://github.com/gitleaks/gitleaks/commit/87d9629) feat: add Amazon Bedrock API key detection ([#&#8203;1935](https://github.com/gitleaks/gitleaks/issues/1935))
- [`228396b`](https://github.com/gitleaks/gitleaks/commit/228396b) Add GitHub Sponsors section and Discord link
- [`a82bc53`](https://github.com/gitleaks/gitleaks/commit/a82bc53) feat: improve regex  to detect Sonar tokens with prefixes ([#&#8203;1931](https://github.com/gitleaks/gitleaks/issues/1931))

### [`v8.28.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.28.0)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.27.2...v8.28.0)

##### Changelog

- [`4fb4382`](https://github.com/gitleaks/gitleaks/commit/4fb4382) cant count
- [`b1c9c7e`](https://github.com/gitleaks/gitleaks/commit/b1c9c7e) Composite rules ([#&#8203;1905](https://github.com/gitleaks/gitleaks/issues/1905))
- [`72977e4`](https://github.com/gitleaks/gitleaks/commit/72977e4) feat: add Anthropic API key detection ([#&#8203;1910](https://github.com/gitleaks/gitleaks/issues/1910))
- [`7b02c98`](https://github.com/gitleaks/gitleaks/commit/7b02c98) fix(git): handle port ([#&#8203;1912](https://github.com/gitleaks/gitleaks/issues/1912))
- [`2a7bcff`](https://github.com/gitleaks/gitleaks/commit/2a7bcff) dont prematurely calculate fragment newlines ([#&#8203;1909](https://github.com/gitleaks/gitleaks/issues/1909))
- [`bd79c3e`](https://github.com/gitleaks/gitleaks/commit/bd79c3e) feat(allowlist): promote optimizations ([#&#8203;1908](https://github.com/gitleaks/gitleaks/issues/1908))
- [`7fb4eda`](https://github.com/gitleaks/gitleaks/commit/7fb4eda) Fix: CVEs on go and go crypto ([#&#8203;1868](https://github.com/gitleaks/gitleaks/issues/1868))
- [`a044b81`](https://github.com/gitleaks/gitleaks/commit/a044b81) feat: add artifactory reference token and api key detection ([#&#8203;1906](https://github.com/gitleaks/gitleaks/issues/1906))
- [`bf380d4`](https://github.com/gitleaks/gitleaks/commit/bf380d4) silly
- [`f487f85`](https://github.com/gitleaks/gitleaks/commit/f487f85) Update gitleaks.yml
- [`958f55a`](https://github.com/gitleaks/gitleaks/commit/958f55a) add just like that, no leaks

##### Optimizations

[#&#8203;1909](https://github.com/gitleaks/gitleaks/issues/1909) waits to find newlines until a match. This ends up saving a boat load of time since before we were finding newlines for every fragment regardless if a rule matched or not.
[#&#8203;1908](https://github.com/gitleaks/gitleaks/issues/1908) promoted [@&#8203;rgmz](https://github.com/rgmz) excellent stopword optimization

##### Composite Rules (Multi-part or `required` Rules) [#&#8203;1905](https://github.com/gitleaks/gitleaks/issues/1905)

In v8.28.0 Gitleaks introduced composite rules, which are made up of a single "primary" rule and one or more auxiliary or `required` rules. To create a composite rule, add a `[[rules.required]]` table to the primary rule specifying an `id` and optionally `withinLines` and/or `withinColumns` proximity constraints. A fragment is a chunk of content that Gitleaks processes at once (typically a file, part of a file, or git diff), and proximity matching instructs the primary rule to only report a finding if the auxiliary `required` rules also find matches within the specified area of the fragment.

**Proximity matching:** Using the `withinLines` and `withinColumns` fields instructs the primary rule to only report a finding if the auxiliary `required` rules also find matches within the specified proximity. You can set:

- **`withinLines: N`** - required findings must be within N lines (vertically)
- **`withinColumns: N`** - required findings must be within N characters (horizontally)
- **Both** - creates a rectangular search area (both constraints must be satisfied)
- **Neither** - fragment-level matching (required findings can be anywhere in the same fragment)

Here are diagrams illustrating each proximity behavior:

```
p = primary captured secret
a = auxiliary (required) captured secret
fragment = section of data gitleaks is looking at

    *Fragment-level proximity*
    Any required finding in the fragment
          ┌────────┐
   ┌──────┤fragment├─────┐
   │      └──────┬─┤     │ ┌───────┐
   │             │a│◀────┼─│✓ MATCH│
   │          ┌─┐└─┘     │ └───────┘
   │┌─┐       │p│        │
   ││a│    ┌─┐└─┘        │ ┌───────┐
   │└─┘    │a│◀──────────┼─│✓ MATCH│
   └─▲─────┴─┴───────────┘ └───────┘
     │    ┌───────┐
     └────│✓ MATCH│
          └───────┘

   *Column bounded proximity*
   `withinColumns = 3`
          ┌────────┐
   ┌────┬─┤fragment├─┬───┐
   │      └──────┬─┤     │ ┌───────────┐
   │    │        │a│◀┼───┼─│+1C ✓ MATCH│
   │          ┌─┐└─┘     │ └───────────┘
   │┌─┐ │     │p│    │   │
┌──▶│a│  ┌─┐  └─┘        │ ┌───────────┐
│  │└─┘ ││a│◀────────┼───┼─│-2C ✓ MATCH│
│  │       ┘             │ └───────────┘
│  └── -3C ───0C─── +3C ─┘
│  ┌─────────┐
│  │ -4C ✗ NO│
└──│  MATCH  │
   └─────────┘

   *Line bounded proximity*
   `withinLines = 4`
         ┌────────┐
   ┌─────┤fragment├─────┐
  +4L─ ─ ┴────────┘─ ─ ─│
   │                    │
   │              ┌─┐   │ ┌────────────┐
   │         ┌─┐  │a│◀──┼─│+1L ✓ MATCH │
   0L  ┌─┐   │p│  └─┘   │ ├────────────┤
   │   │a│◀──┴─┴────────┼─│-1L ✓ MATCH │
   │   └─┘              │ └────────────┘
   │                    │ ┌─────────┐
  -4L─ ─ ─ ─ ─ ─ ─ ─┌─┐─│ │-5L ✗ NO │
   │                │a│◀┼─│  MATCH  │
   └────────────────┴─┴─┘ └─────────┘

   *Line and column bounded proximity*
   `withinLines = 4`
   `withinColumns = 3`
         ┌────────┐
   ┌─────┤fragment├─────┐
  +4L   ┌└────────┴ ┐   │
   │            ┌─┐     │ ┌───────────────┐
   │    │       │a│◀┼───┼─│+2L/+1C ✓ MATCH│
   │         ┌─┐└─┘     │ └───────────────┘
   0L   │    │p│    │   │
   │         └─┘        │
   │    │           │   │ ┌────────────┐
  -4L    ─ ─ ─ ─ ─ ─┌─┐ │ │-5L/+3C ✗ NO│
   │                │a│◀┼─│   MATCH    │
   └───-3C────0L───+3C┴─┘ └────────────┘
```

### [`v8.27.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.27.2)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.27.1...v8.27.2)

##### Changelog

- [`c7acf33`](https://github.com/gitleaks/gitleaks/commit/c7acf33) Merge branch 'master' of github.com:gitleaks/gitleaks
- [`9faaa4a`](https://github.com/gitleaks/gitleaks/commit/9faaa4a) Add experimental allowlist optimizations ([#&#8203;1731](https://github.com/gitleaks/gitleaks/issues/1731))
- [`79068b3`](https://github.com/gitleaks/gitleaks/commit/79068b3) Detect Notion Public API Keys [#&#8203;1889](https://github.com/gitleaks/gitleaks/issues/1889) ([#&#8203;1890](https://github.com/gitleaks/gitleaks/issues/1890))

### [`v8.27.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.27.1)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.27.0...v8.27.1)

##### Changelog

- [`80468ef`](https://github.com/gitleaks/gitleaks/commit/80468ef) Merge branch 'master' of github.com:gitleaks/gitleaks
- [`ef82237`](https://github.com/gitleaks/gitleaks/commit/ef82237) fix(atlassian): reduce false-positives for v1 pattern ([#&#8203;1892](https://github.com/gitleaks/gitleaks/issues/1892))
- [`2463f11`](https://github.com/gitleaks/gitleaks/commit/2463f11) Fix log suppresion issue ([#&#8203;1887](https://github.com/gitleaks/gitleaks/issues/1887))
- [`6f251ee`](https://github.com/gitleaks/gitleaks/commit/6f251ee) Added Heroku API Key New Version ([#&#8203;1883](https://github.com/gitleaks/gitleaks/issues/1883))
- [`20f9a1d`](https://github.com/gitleaks/gitleaks/commit/20f9a1d) Add Platform Bitbucket ([#&#8203;1886](https://github.com/gitleaks/gitleaks/issues/1886))
- [`722ce82`](https://github.com/gitleaks/gitleaks/commit/722ce82) Add Platform Gitea ([#&#8203;1884](https://github.com/gitleaks/gitleaks/issues/1884))
- [`79780b8`](https://github.com/gitleaks/gitleaks/commit/79780b8) Merge branch 'master' of github.com:gitleaks/gitleaks
- [`c5683ca`](https://github.com/gitleaks/gitleaks/commit/c5683ca) prevent default warn message when max-archive-depth not set ([#&#8203;1881](https://github.com/gitleaks/gitleaks/issues/1881))
- [`0357c3c`](https://github.com/gitleaks/gitleaks/commit/0357c3c) prevent default warn message when max-archive-depth not set

### [`v8.27.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.27.0)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.26.0...v8.27.0)

##### Changelog

- [`782f310`](https://github.com/gitleaks/gitleaks/commit/782f310) Archive support ([#&#8203;1872](https://github.com/gitleaks/gitleaks/issues/1872))
- [`489d13c`](https://github.com/gitleaks/gitleaks/commit/489d13c) Update README.md
- [`d29ee55`](https://github.com/gitleaks/gitleaks/commit/d29ee55) Reduce aws-access-token false positives ([#&#8203;1876](https://github.com/gitleaks/gitleaks/issues/1876))
- [`611db65`](https://github.com/gitleaks/gitleaks/commit/611db65) Set `pass_filenames` to `false` for Docker hook ([#&#8203;1850](https://github.com/gitleaks/gitleaks/issues/1850))
- [`0589ae0`](https://github.com/gitleaks/gitleaks/commit/0589ae0) unicode decoding ([#&#8203;1854](https://github.com/gitleaks/gitleaks/issues/1854))
- [`82f7e32`](https://github.com/gitleaks/gitleaks/commit/82f7e32) Diagnostics ([#&#8203;1856](https://github.com/gitleaks/gitleaks/issues/1856))
- [`f97a9ee`](https://github.com/gitleaks/gitleaks/commit/f97a9ee) chore: include decoder in debug log ([#&#8203;1853](https://github.com/gitleaks/gitleaks/issues/1853))

Got another [@&#8203;bplaxco](https://github.com/bplaxco) release. Cheers!

##### Archive Scanning

Sometimes secrets are packaged within archive files like zip files or tarballs,
making them difficult to discover. Now you can tell gitleaks to automatically
extract and scan the contents of archives. The flag `--max-archive-depth`
enables this feature for both `dir` and `git` scan types. The default value of
"0" means this feature is disabled by default.

Recursive scanning is supported since archives can also contain other archives.
The `--max-archive-depth` flag sets the recursion limit. Recursion stops when
there are no new archives to extract, so setting a very high max depth just
sets the potential to go that deep. It will only go as deep as it needs to.

The findings for secrets located within an archive will include the path to the
file inside the archive. Inner paths are separated with `!`.

Example finding (shortened for brevity):

```
Finding:     DB_PASSWORD=8ae31cacf141669ddfb5da
...
File:        testdata/archives/nested.tar.gz!archives/files.tar!files/.env.prod
Line:        4
Commit:      6e6ee6596d337bb656496425fb98644eb62b4a82
...
Fingerprint: 6e6ee6596d337bb656496425fb98644eb62b4a82:testdata/archives/nested.tar.gz!archives/files.tar!files/.env.prod:generic-api-key:4
Link:        https://github.com/leaktk/gitleaks/blob/6e6ee6596d337bb656496425fb98644eb62b4a82/testdata/archives/nested.tar.gz
```

This means a secret was detected on line 4 of `files/.env.prod.` which is in
`archives/files.tar` which is in `testdata/archives/nested.tar.gz`.

Currently supported formats:

The [compression](https://github.com/mholt/archives?tab=readme-ov-file#supported-compression-formats)
and [archive](https://github.com/mholt/archives?tab=readme-ov-file#supported-archive-formats)
formats supported by mholt's [archives package](https://github.com/mholt/archives)
are supported.

### [`v8.26.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.26.0)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.25.1...v8.26.0)

##### Changelog

- [`78eebac`](https://github.com/gitleaks/gitleaks/commit/78eebac) Percent/URL Decoding Support ([#&#8203;1831](https://github.com/gitleaks/gitleaks/issues/1831))
- [`6f967ca`](https://github.com/gitleaks/gitleaks/commit/6f967ca) fix(kubernetes): remove slow element from pat ([#&#8203;1848](https://github.com/gitleaks/gitleaks/issues/1848))
- [`88f56d3`](https://github.com/gitleaks/gitleaks/commit/88f56d3) feat: identify slow file ([#&#8203;1479](https://github.com/gitleaks/gitleaks/issues/1479))
- [`9609928`](https://github.com/gitleaks/gitleaks/commit/9609928) rm 1password detect test since we test it in cfg gen
- [`23cb69f`](https://github.com/gitleaks/gitleaks/commit/23cb69f) feat(rules): Add 1Password secret key detection ([#&#8203;1834](https://github.com/gitleaks/gitleaks/issues/1834))

Calling this one [@&#8203;bplaxco](https://github.com/bplaxco)'s release as he introduced a really clever method for mixed decoding without sacrificing too much performance. As I stated in his PR, I think he's either a wizard or some time traveling AI. Dude [is wicked smaht](https://www.youtube.com/watch?v=hIdsjNGCGz4)

Anyways, Gitleaks now supports the following decoders: `hex`, `percent(url enconding)`, and `b64`. It's relatively straight forward to add a new decoder so if you're motivated, community contributions are welcomed!

Here's an example:

```
~/code/gitleaks-org/gitleaks (master) cat decode.txt
text below
aGVsbG8sIHdvcmxkIQ%3D%3D%0A
text above
~/code/gitleaks-org/gitleaks (master) ./gitleaks dir decode.txt --max-decode-depth=2 --log-level=debug

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

4:08PM DBG using stdlib regex engine
4:08PM DBG unable to load gitleaks config from decode.txt/.gitleaks.toml since --source=decode.txt is a file, using default config
4:08PM DBG found .gitleaksignore file: .gitleaksignore
4:08PM DBG segment found: original=[29,38] pos=[29,38]: "%3D%3D%0A" -> "==\n"
4:08PM DBG segment found: original=[11,38] pos=[11,31]: "aGVsbG8sIHdvcmxkIQ==" -> "hello, world!"
4:08PM INF scanned ~50 bytes (50 bytes) in 1.5ms
4:08PM INF no leaks found
```

### [`v8.25.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.25.1)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.25.0...v8.25.1)

##### Changelog

- [`d1c7759`](https://github.com/gitleaks/gitleaks/commit/d1c7759) fix(detect): test all allowlists ([#&#8203;1845](https://github.com/gitleaks/gitleaks/issues/1845))

Big thanks [@&#8203;rgmz](https://github.com/rgmz)

### [`v8.25.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.25.0)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.24.3...v8.25.0)

##### Changelog

- [`4451b45`](https://github.com/gitleaks/gitleaks/commit/4451b45) feat(config): define multiple global allowlists ([#&#8203;1777](https://github.com/gitleaks/gitleaks/issues/1777)) (cause for the minor bump change)
- [`7fb21a4`](https://github.com/gitleaks/gitleaks/commit/7fb21a4) feat(rules): Add Perplexity AI API key detection ([#&#8203;1825](https://github.com/gitleaks/gitleaks/issues/1825))
- [`f6193bc`](https://github.com/gitleaks/gitleaks/commit/f6193bc) feat(gcp): increase rule entropy ([#&#8203;1840](https://github.com/gitleaks/gitleaks/issues/1840))
- [`9bc7257`](https://github.com/gitleaks/gitleaks/commit/9bc7257) Adding clickhouse scanner ([#&#8203;1826](https://github.com/gitleaks/gitleaks/issues/1826))
- [`b6cc71a`](https://github.com/gitleaks/gitleaks/commit/b6cc71a) fix(baseline): work with --redact ([#&#8203;1741](https://github.com/gitleaks/gitleaks/issues/1741))
- [`cfdeb0d`](https://github.com/gitleaks/gitleaks/commit/cfdeb0d) feat(rule): validate & sort rule when generating ([#&#8203;1817](https://github.com/gitleaks/gitleaks/issues/1817))

### [`v8.24.3`](https://github.com/gitleaks/gitleaks/releases/tag/v8.24.3)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.24.2...v8.24.3)

##### Changelog

- [`107a418`](https://github.com/gitleaks/gitleaks/commit/107a418) Add support for GitLab Runner Tokens (Routable) ([#&#8203;1820](https://github.com/gitleaks/gitleaks/issues/1820))
- [`7fac002`](https://github.com/gitleaks/gitleaks/commit/7fac002) bump repo version in pre-commit example ([#&#8203;1815](https://github.com/gitleaks/gitleaks/issues/1815))
- [`4b54104`](https://github.com/gitleaks/gitleaks/commit/4b54104) Fix currentLine out of bounds error ([#&#8203;1810](https://github.com/gitleaks/gitleaks/issues/1810))
- [`af7d5bc`](https://github.com/gitleaks/gitleaks/commit/af7d5bc) add support for Azure DevOps platform in SCM detection and link ([#&#8203;1807](https://github.com/gitleaks/gitleaks/issues/1807))
- [`3e8cd2d`](https://github.com/gitleaks/gitleaks/commit/3e8cd2d) Add MaxMind license key rule ([#&#8203;1771](https://github.com/gitleaks/gitleaks/issues/1771))
- [`ddcc753`](https://github.com/gitleaks/gitleaks/commit/ddcc753) implement new openai regex pattern ([#&#8203;1780](https://github.com/gitleaks/gitleaks/issues/1780))
- [`9708e65`](https://github.com/gitleaks/gitleaks/commit/9708e65) A first attempt adding hooks.slack.com/triggers/ ([#&#8203;1792](https://github.com/gitleaks/gitleaks/issues/1792))
- [`198e410`](https://github.com/gitleaks/gitleaks/commit/198e410) feat(generic): tweak false-positives ([#&#8203;1803](https://github.com/gitleaks/gitleaks/issues/1803))
- [`e273a97`](https://github.com/gitleaks/gitleaks/commit/e273a97) chore: tweak logging and readme for GITLEAKS\_CONFIG\_TOML feature ([#&#8203;1802](https://github.com/gitleaks/gitleaks/issues/1802))
- [`a503b58`](https://github.com/gitleaks/gitleaks/commit/a503b58) feat: add option to set config from env var with toml content ([#&#8203;1662](https://github.com/gitleaks/gitleaks/issues/1662))

### [`v8.24.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.24.2)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.24.0...v8.24.2)

##### What's Changed

- Fix `platform` flag being ignored with `gitleaks detect` by [@&#8203;rgmz](https://github.com/rgmz) in https://github.com/gitleaks/gitleaks/pull/1765
- Make AddFinding public by [@&#8203;bplaxco](https://github.com/bplaxco) in https://github.com/gitleaks/gitleaks/pull/1767
- FIX upgrade x/crypto to 0.31.0 to get rid of CVE-2024-45337 by [@&#8203;cgoessen](https://github.com/cgoessen) in https://github.com/gitleaks/gitleaks/pull/1768
- Upgrade rs/zerolog, spf13/cobra, and spf13/viper by [@&#8203;rgmz](https://github.com/rgmz) in https://github.com/gitleaks/gitleaks/pull/1769
- Infer `report-format` from `report-path` extension if no value is provided by [@&#8203;rgmz](https://github.com/rgmz) in https://github.com/gitleaks/gitleaks/pull/1776
- `generic-api-key`: ignore csrf-tokens by [@&#8203;rgmz](https://github.com/rgmz) in https://github.com/gitleaks/gitleaks/pull/1779
- Prevent Yocto/BitBake false positives with generic-api-key rule by [@&#8203;Okeanos](https://github.com/Okeanos) in https://github.com/gitleaks/gitleaks/pull/1783
- Fix decoded line allowlist by [@&#8203;zricethezav](https://github.com/zricethezav) in https://github.com/gitleaks/gitleaks/pull/1788
- Readme badge revisions by [@&#8203;jessp01](https://github.com/jessp01) in https://github.com/gitleaks/gitleaks/pull/1744
- feat(regexp): use standard regexp by default, make go-re2 opt-in by [@&#8203;twpayne](https://github.com/twpayne) in https://github.com/gitleaks/gitleaks/pull/1798
- gore2 release tags by [@&#8203;zricethezav](https://github.com/zricethezav) in https://github.com/gitleaks/gitleaks/pull/1801

##### New Contributors

- [@&#8203;cgoessen](https://github.com/cgoessen) made their first contribution in https://github.com/gitleaks/gitleaks/pull/1768
- [@&#8203;Okeanos](https://github.com/Okeanos) made their first contribution in https://github.com/gitleaks/gitleaks/pull/1783
- [@&#8203;jessp01](https://github.com/jessp01) made their first contribution in https://github.com/gitleaks/gitleaks/pull/1744
- [@&#8203;twpayne](https://github.com/twpayne) made their first contribution in https://github.com/gitleaks/gitleaks/pull/1798

**Full Changelog**: https://github.com/gitleaks/gitleaks/compare/v8.24.0...v8.24.2

### [`v8.24.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.24.0)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.23.3...v8.24.0)

##### Changelog

- [`c2afd56`](https://github.com/gitleaks/gitleaks/commit/c2afd56) Make paths and fingerprints platform-agnostic ([#&#8203;1622](https://github.com/gitleaks/gitleaks/issues/1622))
- [`818e32f`](https://github.com/gitleaks/gitleaks/commit/818e32f) Add Sonar rule ([#&#8203;1756](https://github.com/gitleaks/gitleaks/issues/1756))
- [`3fa5a3a`](https://github.com/gitleaks/gitleaks/commit/3fa5a3a) Minor false positive improvements ([#&#8203;1758](https://github.com/gitleaks/gitleaks/issues/1758))
- [`2020e6a`](https://github.com/gitleaks/gitleaks/commit/2020e6a) Add support for streaming DetectReader ([#&#8203;1760](https://github.com/gitleaks/gitleaks/issues/1760))
- [`9122a2d`](https://github.com/gitleaks/gitleaks/commit/9122a2d) chore: Update github.com/wasilibs/go-re2 to v1.9.0 ([#&#8203;1763](https://github.com/gitleaks/gitleaks/issues/1763))
- [`398d0c4`](https://github.com/gitleaks/gitleaks/commit/398d0c4) docs: describe extended rules take precedence over base rules ([#&#8203;1563](https://github.com/gitleaks/gitleaks/issues/1563))
- [`ae26eff`](https://github.com/gitleaks/gitleaks/commit/ae26eff) feat(git): disable link generation ([#&#8203;1748](https://github.com/gitleaks/gitleaks/issues/1748))
- [`c6424a6`](https://github.com/gitleaks/gitleaks/commit/c6424a6) added sourcegraph token rule ([#&#8203;1736](https://github.com/gitleaks/gitleaks/issues/1736))
- [`6411402`](https://github.com/gitleaks/gitleaks/commit/6411402) feat(config): add rule for .p12 files ([#&#8203;1738](https://github.com/gitleaks/gitleaks/issues/1738))
- [`d71d95d`](https://github.com/gitleaks/gitleaks/commit/d71d95d) add deno.lock to default exclusions ([#&#8203;1740](https://github.com/gitleaks/gitleaks/issues/1740))

### [`v8.23.3`](https://github.com/gitleaks/gitleaks/releases/tag/v8.23.3)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.23.2...v8.23.3)

##### Changelog

- [`3188ad6`](https://github.com/gitleaks/gitleaks/commit/3188ad6) Don't exit with error if git repacking is required ([#&#8203;1711](https://github.com/gitleaks/gitleaks/issues/1711))
- [`7fc11bb`](https://github.com/gitleaks/gitleaks/commit/7fc11bb) refactor(config): use non-capture groups for allowlists ([#&#8203;1735](https://github.com/gitleaks/gitleaks/issues/1735))
- [`36c52c6`](https://github.com/gitleaks/gitleaks/commit/36c52c6) chore: Enhance `curl-auth-user` to detect empty usernames or passwords ([#&#8203;1726](https://github.com/gitleaks/gitleaks/issues/1726))
- [`1f323d8`](https://github.com/gitleaks/gitleaks/commit/1f323d8) fix(cmd): read log-opts before GitLogCmd ([#&#8203;1730](https://github.com/gitleaks/gitleaks/issues/1730))

### [`v8.23.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.23.2)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.23.1...v8.23.2)

##### Changelog

- [`d88bc09`](https://github.com/gitleaks/gitleaks/commit/d88bc09) facebook keyword
- [`3fdaefd`](https://github.com/gitleaks/gitleaks/commit/3fdaefd) fix(meraki): restrict keyword case ([#&#8203;1722](https://github.com/gitleaks/gitleaks/issues/1722))
- [`f3ae52e`](https://github.com/gitleaks/gitleaks/commit/f3ae52e) feat(generic-api-key): detect base64 ([#&#8203;1598](https://github.com/gitleaks/gitleaks/issues/1598))
- [`d6a828a`](https://github.com/gitleaks/gitleaks/commit/d6a828a) great branch name ([#&#8203;1721](https://github.com/gitleaks/gitleaks/issues/1721))
- [`d2ffffe`](https://github.com/gitleaks/gitleaks/commit/d2ffffe) fix(git): remove .git suffix for links ([#&#8203;1716](https://github.com/gitleaks/gitleaks/issues/1716))
- [`a43dc0d`](https://github.com/gitleaks/gitleaks/commit/a43dc0d) chore: refine generic-api-key fps + trace logging ([#&#8203;1720](https://github.com/gitleaks/gitleaks/issues/1720))
- [`69ed20e`](https://github.com/gitleaks/gitleaks/commit/69ed20e) fix(generate): move newline out of char range ([#&#8203;1719](https://github.com/gitleaks/gitleaks/issues/1719))
- [`52b895a`](https://github.com/gitleaks/gitleaks/commit/52b895a) newline literal ([#&#8203;1718](https://github.com/gitleaks/gitleaks/issues/1718))
- [`3f4d91f`](https://github.com/gitleaks/gitleaks/commit/3f4d91f) build: support either stdlib or 3rd-party regexp ([#&#8203;1706](https://github.com/gitleaks/gitleaks/issues/1706))
- [`049f5b2`](https://github.com/gitleaks/gitleaks/commit/049f5b2) chore(detect): update trace logging ([#&#8203;1713](https://github.com/gitleaks/gitleaks/issues/1713))
- [`7a6183d`](https://github.com/gitleaks/gitleaks/commit/7a6183d) feat(git): redact passwords from remote URL ([#&#8203;1709](https://github.com/gitleaks/gitleaks/issues/1709))
- [`3c7f3f0`](https://github.com/gitleaks/gitleaks/commit/3c7f3f0) feat(git): include link in report ([#&#8203;1698](https://github.com/gitleaks/gitleaks/issues/1698))
- [`0e3f4f7`](https://github.com/gitleaks/gitleaks/commit/0e3f4f7) chore: reduce generic-api-key fps ([#&#8203;1707](https://github.com/gitleaks/gitleaks/issues/1707))
- [`3ed8567`](https://github.com/gitleaks/gitleaks/commit/3ed8567) blorp
- [`e977850`](https://github.com/gitleaks/gitleaks/commit/e977850) added new rule for cisco meraki api key ([#&#8203;1700](https://github.com/gitleaks/gitleaks/issues/1700))
- [`ad7a4fb`](https://github.com/gitleaks/gitleaks/commit/ad7a4fb) feat: general fp tweaks ([#&#8203;1703](https://github.com/gitleaks/gitleaks/issues/1703))
- [`b2cf03c`](https://github.com/gitleaks/gitleaks/commit/b2cf03c) chore(generate): use \x60 instead of literal ([#&#8203;1702](https://github.com/gitleaks/gitleaks/issues/1702))
- [`a3f623c`](https://github.com/gitleaks/gitleaks/commit/a3f623c) chore(regex): simplify secretPrefix, suffix ([#&#8203;1620](https://github.com/gitleaks/gitleaks/issues/1620))
- [`cc71bb1`](https://github.com/gitleaks/gitleaks/commit/cc71bb1) update version for pre-commit in README.md ([#&#8203;1699](https://github.com/gitleaks/gitleaks/issues/1699))

### [`v8.23.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.23.1)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.23.0...v8.23.1)

##### Changelog

- [`7bad9f7`](https://github.com/gitleaks/gitleaks/commit/7bad9f7) chore(gcp): add firebase example keys to the gcp-api-key allowlists ([#&#8203;1635](https://github.com/gitleaks/gitleaks/issues/1635))
- [`977236c`](https://github.com/gitleaks/gitleaks/commit/977236c) fix: unaligned 64-bit atomic operation panic ([#&#8203;1696](https://github.com/gitleaks/gitleaks/issues/1696))
- [`a211b16`](https://github.com/gitleaks/gitleaks/commit/a211b16) force push to master everyday
- [`0e5f644`](https://github.com/gitleaks/gitleaks/commit/0e5f644) feat(config): disable extended rule ([#&#8203;1535](https://github.com/gitleaks/gitleaks/issues/1535))
- [`f320a60`](https://github.com/gitleaks/gitleaks/commit/f320a60) style: prevent globbing and word splitting ([#&#8203;1543](https://github.com/gitleaks/gitleaks/issues/1543))
- [`c4526b2`](https://github.com/gitleaks/gitleaks/commit/c4526b2) refactor(generic-api-key): remove hard-coded 'magic' ([#&#8203;1600](https://github.com/gitleaks/gitleaks/issues/1600))
- [`748076d`](https://github.com/gitleaks/gitleaks/commit/748076d) chore(generate): add failing test case ([#&#8203;1690](https://github.com/gitleaks/gitleaks/issues/1690))

### [`v8.23.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.23.0)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.22.1...v8.23.0)

##### Changelog

- [`db8e5e6`](https://github.com/gitleaks/gitleaks/commit/db8e5e6) feat(generate): use multiple allowlists ([#&#8203;1691](https://github.com/gitleaks/gitleaks/issues/1691))
- [`973c794`](https://github.com/gitleaks/gitleaks/commit/973c794) chore(rules): include fps in reference ([#&#8203;1471](https://github.com/gitleaks/gitleaks/issues/1471))
- [`f0d4499`](https://github.com/gitleaks/gitleaks/commit/f0d4499) Add comma as operator for GenerateSemiGenericRegex ([#&#8203;1679](https://github.com/gitleaks/gitleaks/issues/1679))
- [`ab38a46`](https://github.com/gitleaks/gitleaks/commit/ab38a46) refactor: central logger ([#&#8203;1692](https://github.com/gitleaks/gitleaks/issues/1692))
- [`b022d1c`](https://github.com/gitleaks/gitleaks/commit/b022d1c) friendship ended with tines

READ THIS!!! The default gitleaks config now uses `[[rules.allowlists]]`

```toml

##### ⚠️ In v8.21.0 `[rules.allowlist]` was replaced with `[[rules.allowlists]]`.
##### This change was backwards-compatible: instances of `[rules.allowlist]` still  work.
    #

##### You can define multiple allowlists for a rule to reduce false positives.
##### A finding will be ignored if _ANY_ `[[rules.allowlists]]` matches.
    [[rules.allowlists]]
    description = "ignore commit A"

##### When multiple criteria are defined the default condition is "OR".
##### e.g., this can match on |commits| OR |paths| OR |stopwords|.
    condition = "OR"
    commits = [ "commit-A", "commit-B"]
    paths = [
      '''go\.mod''',
      '''go\.sum'''
    ]

##### note: stopwords targets the extracted secret, not the entire regex match
##### like 'regexes' does. (stopwords introduced in 8.8.0)
    stopwords = [
      '''client''',
      '''endpoint''',
    ]

    [[rules.allowlists]]

##### The "AND" condition can be used to make sure all criteria match.
##### e.g., this matches if |regexes| AND |paths| are satisfied.
    condition = "AND"

##### note: |regexes| defaults to check the _Secret_ in the finding.
##### Acceptable values for |regexTarget| are "secret" (default), "match", and "line".
    regexTarget = "match"
    regexes = [ '''(?i)parseur[il]''' ]
    paths = [ '''package-lock\.json''' ]
```

### [`v8.22.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.22.1)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.22.0...v8.22.1)

##### Changelog

- [`b69b515`](https://github.com/gitleaks/gitleaks/commit/b69b515) Entropy trace ([#&#8203;1659](https://github.com/gitleaks/gitleaks/issues/1659))
- [`7357adc`](https://github.com/gitleaks/gitleaks/commit/7357adc) build: add 'toolchain' to go.mod ([#&#8203;1682](https://github.com/gitleaks/gitleaks/issues/1682))
- [`4c3da6e`](https://github.com/gitleaks/gitleaks/commit/4c3da6e) refactor(detect): create readUntilSafeBoundary + add tests ([#&#8203;1676](https://github.com/gitleaks/gitleaks/issues/1676))
- [`dbe3746`](https://github.com/gitleaks/gitleaks/commit/dbe3746) twitter really does suck ass now
- [`7edfc6b`](https://github.com/gitleaks/gitleaks/commit/7edfc6b) chore(tests): test cases for generate.go ([#&#8203;1623](https://github.com/gitleaks/gitleaks/issues/1623))
- [`efe40ca`](https://github.com/gitleaks/gitleaks/commit/efe40ca) fix: only use non-empty secret groups ([#&#8203;1632](https://github.com/gitleaks/gitleaks/issues/1632))
- [`7cb5f6f`](https://github.com/gitleaks/gitleaks/commit/7cb5f6f) build: upgrade sprig v2->v3 ([#&#8203;1674](https://github.com/gitleaks/gitleaks/issues/1674))
- [`2930537`](https://github.com/gitleaks/gitleaks/commit/2930537) fix: generate report file even if no findings ([#&#8203;1673](https://github.com/gitleaks/gitleaks/issues/1673))

### [`v8.22.0`](https://github.com/gitleaks/gitleaks/releases/tag/v8.22.0)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.4...v8.22.0)

##### Changelog

- [`a91c671`](https://github.com/gitleaks/gitleaks/commit/a91c671) replace std library regex engine with go-re2 ([#&#8203;1669](https://github.com/gitleaks/gitleaks/issues/1669))

***

This bumps the gitleaks binary size from around 8.5MB to 15MB but yields 2-4x speedup. Worth it imo. If you feel strongly against this change feel free to open an issue where we can discuss the tradeoffs in more depth. Credit to [@&#8203;ahrav](https://github.com/ahrav)

### [`v8.21.4`](https://github.com/gitleaks/gitleaks/releases/tag/v8.21.4)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.3...v8.21.4)

##### Changelog

- [`906085f`](https://github.com/gitleaks/gitleaks/commit/906085f) Update golang version to 1.23 ([#&#8203;1672](https://github.com/gitleaks/gitleaks/issues/1672))
- [`8a83062`](https://github.com/gitleaks/gitleaks/commit/8a83062) log bytes ([#&#8203;1670](https://github.com/gitleaks/gitleaks/issues/1670))

### [`v8.21.3`](https://github.com/gitleaks/gitleaks/releases/tag/v8.21.3)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.2...v8.21.3)

##### Changelog

- [`a9e6d8c`](https://github.com/gitleaks/gitleaks/commit/a9e6d8c) go mod 1.23
- [`2f73a3e`](https://github.com/gitleaks/gitleaks/commit/2f73a3e) Ensure keywords are downcased ([#&#8203;1633](https://github.com/gitleaks/gitleaks/issues/1633))
- [`f696605`](https://github.com/gitleaks/gitleaks/commit/f696605) feat: add settlemint api keys detection ([#&#8203;1663](https://github.com/gitleaks/gitleaks/issues/1663))
- [`0bf13fc`](https://github.com/gitleaks/gitleaks/commit/0bf13fc) feat(dir): better chunking ([#&#8203;1665](https://github.com/gitleaks/gitleaks/issues/1665))
- [`83e99ba`](https://github.com/gitleaks/gitleaks/commit/83e99ba) feat(report): allow user-defined templates ([#&#8203;1650](https://github.com/gitleaks/gitleaks/issues/1650))
- [`e393d29`](https://github.com/gitleaks/gitleaks/commit/e393d29) Add support for GitLab routable tokens ([#&#8203;1656](https://github.com/gitleaks/gitleaks/issues/1656))
- [`263ce82`](https://github.com/gitleaks/gitleaks/commit/263ce82) Add freemius secret key detection ([#&#8203;1611](https://github.com/gitleaks/gitleaks/issues/1611))
- [`3c0e068`](https://github.com/gitleaks/gitleaks/commit/3c0e068) fix(kubernetes): only match 'kind: secret' ([#&#8203;1649](https://github.com/gitleaks/gitleaks/issues/1649))
- [`f3adda0`](https://github.com/gitleaks/gitleaks/commit/f3adda0) feat: use STDOUT when report file not specified ([#&#8203;1642](https://github.com/gitleaks/gitleaks/issues/1642))
- [`ed205a5`](https://github.com/gitleaks/gitleaks/commit/ed205a5) fix(dir): skip opening file\&dir if allowlist matches ([#&#8203;1653](https://github.com/gitleaks/gitleaks/issues/1653))
- [`6018012`](https://github.com/gitleaks/gitleaks/commit/6018012) fix: increase chunk size 10kb -> 100kb ([#&#8203;1652](https://github.com/gitleaks/gitleaks/issues/1652))
- [`7f77987`](https://github.com/gitleaks/gitleaks/commit/7f77987) feat: detect sentry.io tokens in the new format ([#&#8203;1640](https://github.com/gitleaks/gitleaks/issues/1640))
- [`48a2e0e`](https://github.com/gitleaks/gitleaks/commit/48a2e0e) refactor: pre-commit hooks ([#&#8203;1627](https://github.com/gitleaks/gitleaks/issues/1627))
- [`4e303d0`](https://github.com/gitleaks/gitleaks/commit/4e303d0) fix(easypost): only detect tokens of correct length ([#&#8203;1628](https://github.com/gitleaks/gitleaks/issues/1628))
- [`c1add1d`](https://github.com/gitleaks/gitleaks/commit/c1add1d) feat(dir): continue on permission error ([#&#8203;1621](https://github.com/gitleaks/gitleaks/issues/1621))
- [`202106a`](https://github.com/gitleaks/gitleaks/commit/202106a) Add human readable description for curl rules ([#&#8203;1625](https://github.com/gitleaks/gitleaks/issues/1625))
- [`8e94f98`](https://github.com/gitleaks/gitleaks/commit/8e94f98) Add option to include `Line` field in report ([#&#8203;1616](https://github.com/gitleaks/gitleaks/issues/1616))
- [`dbb42a7`](https://github.com/gitleaks/gitleaks/commit/dbb42a7) hm (great comment)
- [`2599460`](https://github.com/gitleaks/gitleaks/commit/2599460) Update README.md
- [`8ffb980`](https://github.com/gitleaks/gitleaks/commit/8ffb980) nop for stupid build
- [`4181ad6`](https://github.com/gitleaks/gitleaks/commit/4181ad6) Add new jira api token pattern ([#&#8203;1601](https://github.com/gitleaks/gitleaks/issues/1601))
- [`48ea14b`](https://github.com/gitleaks/gitleaks/commit/48ea14b) feat: update global & generic allowlist ([#&#8203;1618](https://github.com/gitleaks/gitleaks/issues/1618))
- [`81f0002`](https://github.com/gitleaks/gitleaks/commit/81f0002) fix(vault-service-token): ensure that TPS contains digits ([#&#8203;1614](https://github.com/gitleaks/gitleaks/issues/1614))
- [`c11adc9`](https://github.com/gitleaks/gitleaks/commit/c11adc9) Generate comprehensive secret samples ([#&#8203;1484](https://github.com/gitleaks/gitleaks/issues/1484))
- [`d1d9054`](https://github.com/gitleaks/gitleaks/commit/d1d9054) fix(aws): detect token in url ([#&#8203;1615](https://github.com/gitleaks/gitleaks/issues/1615))
- [`5fe58bf`](https://github.com/gitleaks/gitleaks/commit/5fe58bf) fix(rules): entropy, uppercase in samples ([#&#8203;1593](https://github.com/gitleaks/gitleaks/issues/1593))
- [`5c2e813`](https://github.com/gitleaks/gitleaks/commit/5c2e813) feat: tweak rules ([#&#8203;1608](https://github.com/gitleaks/gitleaks/issues/1608))

### [`v8.21.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.21.2)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.1...v8.21.2)

##### Changelog

- [`43fae35`](https://github.com/gitleaks/gitleaks/commit/43fae35) feat(rules): create Octopus Deploy api key ([#&#8203;1602](https://github.com/gitleaks/gitleaks/issues/1602))
- [`a158e4f`](https://github.com/gitleaks/gitleaks/commit/a158e4f) fix(aws-access-token): only match if correct length ([#&#8203;1584](https://github.com/gitleaks/gitleaks/issues/1584))
- [`b6e0eee`](https://github.com/gitleaks/gitleaks/commit/b6e0eee) fix(config): ignore jquery/swagger w/o version ([#&#8203;1607](https://github.com/gitleaks/gitleaks/issues/1607))
- [`722e7d8`](https://github.com/gitleaks/gitleaks/commit/722e7d8) feat: add new GitLab tokens ([#&#8203;1560](https://github.com/gitleaks/gitleaks/issues/1560))
- [`961f2e6`](https://github.com/gitleaks/gitleaks/commit/961f2e6) feat(generic-api-key): tune false positives ([#&#8203;1606](https://github.com/gitleaks/gitleaks/issues/1606))
- [`e734fcf`](https://github.com/gitleaks/gitleaks/commit/e734fcf) Create .gitleaks.toml ([#&#8203;1605](https://github.com/gitleaks/gitleaks/issues/1605))
- [`7206d6b`](https://github.com/gitleaks/gitleaks/commit/7206d6b) feat(curl): tweak tps and fps ([#&#8203;1603](https://github.com/gitleaks/gitleaks/issues/1603))
- [`2db25f1`](https://github.com/gitleaks/gitleaks/commit/2db25f1) feat(config): ignore swagger-ui assets ([#&#8203;1604](https://github.com/gitleaks/gitleaks/issues/1604))
- [`e97695b`](https://github.com/gitleaks/gitleaks/commit/e97695b) feat(generic-api-key): exclude keywords ([#&#8203;1587](https://github.com/gitleaks/gitleaks/issues/1587))
- [`0afb525`](https://github.com/gitleaks/gitleaks/commit/0afb525) feat(okta): bump entropy to 4 ([#&#8203;1599](https://github.com/gitleaks/gitleaks/issues/1599))
- [`2068870`](https://github.com/gitleaks/gitleaks/commit/2068870) feat: update global allowlist ([#&#8203;1597](https://github.com/gitleaks/gitleaks/issues/1597))
- [`8cf93b9`](https://github.com/gitleaks/gitleaks/commit/8cf93b9) refactor(allowlist): deduplicate commits & keywords ([#&#8203;1596](https://github.com/gitleaks/gitleaks/issues/1596))
- [`50c2818`](https://github.com/gitleaks/gitleaks/commit/50c2818) feat(config): ignore jquery static assets ([#&#8203;1595](https://github.com/gitleaks/gitleaks/issues/1595))
- [`455ae0a`](https://github.com/gitleaks/gitleaks/commit/455ae0a) More rule fixes ([#&#8203;1586](https://github.com/gitleaks/gitleaks/issues/1586))
- [`5407c44`](https://github.com/gitleaks/gitleaks/commit/5407c44) chore: log skipped symlinks ([#&#8203;1591](https://github.com/gitleaks/gitleaks/issues/1591))
- [`d03d6c4`](https://github.com/gitleaks/gitleaks/commit/d03d6c4) feat: match left side of identifier ([#&#8203;1585](https://github.com/gitleaks/gitleaks/issues/1585))
- [`851c11a`](https://github.com/gitleaks/gitleaks/commit/851c11a) what secrets?
- [`8cfa6b2`](https://github.com/gitleaks/gitleaks/commit/8cfa6b2) fix(rules): add entropy ([#&#8203;1580](https://github.com/gitleaks/gitleaks/issues/1580))
- [`9152eaa`](https://github.com/gitleaks/gitleaks/commit/9152eaa) feat(aws): add entropy & allowlist ([#&#8203;1582](https://github.com/gitleaks/gitleaks/issues/1582))
- [`93acc6e`](https://github.com/gitleaks/gitleaks/commit/93acc6e) feat(rules): add 1password token ([#&#8203;1583](https://github.com/gitleaks/gitleaks/issues/1583))
- [`83a5724`](https://github.com/gitleaks/gitleaks/commit/83a5724) feat(config): add curl header rule ([#&#8203;1576](https://github.com/gitleaks/gitleaks/issues/1576))

### [`v8.21.1`](https://github.com/gitleaks/gitleaks/releases/tag/v8.21.1)

[Compare Source](https://github.com/gitleaks/gitleaks/compare/v8.21.0...v8.21.1)

##### Changelog

- [`cf5334f`](https://github.com/gitleaks/gitleaks/commit/cf5334f) feat: add curl basic auth rule ([#&#8203;1575](https://github.com/gitleaks/gitleaks/issues/1575))
- [`d07b394`](https://github.com/gitleaks/gitleaks/commit/d07b394) Update spelling in README.md ([#&#8203;1574](https://github.com/gitleaks/gitleaks/issues/1574))
- [`5c03fa4`](https://github.com/gitleaks/gitleaks/commit/5c03fa4) refactor(allowlist): use iota for condition ([#&#8203;1569](https://github.com/gitleaks/gitleaks/issues/1569))
- [`12034a7`](https://github.com/gitleaks/gitleaks/commit/12034a7) refactor(config): temporarily switch to \[rules.allowlist] ([#&#8203;1573](https://github.com/gitleaks/gitleaks/issues/1573))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC42Mi4xIiwidXBkYXRlZEluVmVyIjoiNDAuNjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIl19-->

Reviewed-on: https://git.unespace.com/julien/apf_portal/pulls/79
Co-authored-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
Co-committed-by: APF Portal Bot <jgautier.webdev+apf-portal-bot@gmail.com>
2026-05-10 04:59:32 +02:00

221 lines
9.7 KiB
YAML

# Per ADR-0015 (CI/CD on Gitea Actions).
# Thin YAML — orchestration lives in package.json scripts (ci:check,
# ci:audit, ci:commits, ci:perf) and Nx targets. Any change to gate
# behaviour belongs in those scripts, not in this file.
#
# `cache: 'pnpm'` is intentionally NOT enabled on actions/setup-node
# below: act_runner's built-in GitHub-Actions-cache server is bound on
# the runner container and is unreachable from job containers (which
# run on Docker's default network, not the runners' compose network).
# Each request burns a ~2 min ETIMEDOUT on restore + another on save,
# for zero hit rate. Once the runner network/cache config is fixed
# (tracked in infra/README.md "Cache server"), re-add `cache: 'pnpm'`
# here.
name: CI
on:
pull_request:
branches: [main]
push:
branches: [main]
jobs:
check:
runs-on: [self-hosted, on-prem]
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
# Derive NX_BASE / NX_HEAD for `nx affected`. Replaces
# nrwl/nx-set-shas@v4, which is GitHub-only (it queries the GitHub
# API to find the last successful workflow run, returning 404 on
# Gitea). HEAD~1 is a reasonable approximation for push events on
# a squash-merge trunk; pull_request uses the merge-base with the
# target branch.
- name: Derive Nx affected base and head
shell: bash
run: |
# `actions/checkout@v4` with fetch-depth: 0 already pulls every
# branch and tag, so origin/<base_ref> is present locally — no
# extra `git fetch` is needed (and `--depth=0` is invalid: git
# requires a positive integer).
if [ "${{ github.event_name }}" = "pull_request" ]; then
echo "NX_BASE=$(git merge-base HEAD origin/${{ github.base_ref }})" >> "$GITHUB_ENV"
else
echo "NX_BASE=HEAD~1" >> "$GITHUB_ENV"
fi
echo "NX_HEAD=HEAD" >> "$GITHUB_ENV"
- uses: pnpm/action-setup@v6
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
- run: pnpm install --frozen-lockfile
- run: pnpm ci:check
scan:
runs-on: [self-hosted, on-prem]
# Step ordering matters here: Trivy and gitleaks BOTH run before
# `pnpm install`. Reason: gitleaks scans the working tree
# (`--no-git --source .`), and after install, `node_modules/`
# and `.pnpm-store/` are full of upstream packages whose READMEs
# and test fixtures contain demo RSA keys / fake API tokens —
# gitleaks then false-positives on them by the hundreds (caught
# the hard way: 381 hits on the first run). Trivy reads
# `pnpm-lock.yaml` for its vuln scan, not `node_modules`, so it
# also doesn't need install. `pnpm ci:audit` does the same — it
# queries the advisory DB against the lockfile.
steps:
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
# Dependency vulnerability scan. Trivy is a Go binary, not an npm
# package, so it cannot live in package.json scripts as cleanly
# as audit/lint do.
#
# We deliberately avoid `aquasecurity/trivy-action`. On cache
# miss (our act_runner cache server is unreachable from job
# containers — see infra/README.md "Cache server (deferred)"),
# the action falls back to `git clone github.com/aquasecurity/
# trivy` to fetch its install script, using `actions/checkout`
# which defaults `with.token` to `${{ github.token }}` (Gitea's
# auto-token, useless for github.com). The clone hits the
# anonymous github.com rate limit and fails with "could not
# read Username". Passing GITHUB_TOKEN as an env var doesn't
# help — actions/checkout reads it from `inputs.token`, not env.
#
# Direct curl + tar is simpler, predictable, and gives us an
# explicit version pin instead of `@master`. GITHUBCOM_TOKEN is
# passed to handle the github.com rate limit on the release
# download in the worst case (release artefacts are usually
# unmetered, but auth is free insurance).
- name: Install Trivy
env:
# renovate: datasource=github-releases depName=aquasecurity/trivy
TRIVY_VERSION: '0.70.0'
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
run: |
curl -sfL \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
-o /tmp/trivy.tar.gz \
"https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
tar -xzf /tmp/trivy.tar.gz -C /usr/local/bin trivy
trivy --version
- name: Run Trivy
# `--scanners vuln`: limit Trivy to vulnerability scanning. Its
# secret scanner false-positives on demo RSA keys embedded in
# the README/fixtures of cryptographic npm packages (which
# land under .pnpm-store/), and we already have gitleaks below
# as the dedicated secret-scan gate. Trivy's intent in this
# job, per ADR-0015, was always "dependency vulnerability
# scan" — restoring that scope.
run: |
trivy fs \
--scanners vuln \
--ignore-unfixed \
--skip-dirs node_modules \
--exit-code 1 \
--severity CRITICAL,HIGH \
.
# Secret scan. Same install pattern as Trivy: gitleaks is a Go
# binary, and the official `gitleaks/gitleaks-action@v2` wrapper
# is now paywalled for organisations (a GITLEAKS_LICENSE secret
# from gitleaks.io is required, otherwise the action errors out
# with `🛑 missing gitleaks license`). The binary itself stays
# MIT-licensed and free — installing it directly bypasses the
# wrapper and gives us version pinning for free.
- name: Install gitleaks
env:
# renovate: datasource=github-releases depName=gitleaks/gitleaks
GITLEAKS_VERSION: '8.30.1'
GITHUB_TOKEN: ${{ secrets.GITHUBCOM_TOKEN }}
run: |
curl -sfL \
-H "Authorization: Bearer ${GITHUB_TOKEN}" \
-o /tmp/gitleaks.tar.gz \
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin gitleaks
gitleaks version
- name: Run gitleaks
# `--no-git --source .` scans the working tree only. The scan
# job uses a shallow checkout, so a git-history scan would not
# see beyond HEAD anyway; the weekly security-scheduled
# workflow does the deep history scan with a full clone.
# `--redact` masks any matched secret in the log output so we
# do not leak it via the CI logs themselves.
run: |
gitleaks detect \
--no-git \
--source . \
--redact \
--exit-code 1
# npm-advisory check (against pnpm-lock.yaml). Run last so
# `pnpm install` does not pollute the working tree before the
# scanners above.
- run: pnpm install --frozen-lockfile
- run: pnpm ci:audit
commits:
# PRs opened by Renovate (apf-portal-bot) carry commit messages
# generated from a vetted Conventional-Commits template — running
# commitlint on them is tautological. Per ADR-0017 amendment.
if: github.event_name == 'pull_request' && github.event.pull_request.user.login != 'apf-portal-bot'
runs-on: [self-hosted, on-prem]
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
- uses: pnpm/action-setup@v6
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
- run: pnpm install --frozen-lockfile
- run: COMMIT_LINT_FROM=origin/main pnpm ci:commits
perf:
# Skip the Lighthouse run on PRs opened by Renovate (apf-portal-bot):
# the per-PR perf signal on a dep bump is essentially zero (no
# routes yet, bundle is the static placeholder), and the Lighthouse
# round-trip burns several minutes per PR. Push events on `main`
# still run perf — we catch regressions immediately post-merge,
# not pre-merge. Per ADR-0017 amendment.
if: github.event_name != 'pull_request' || github.event.pull_request.user.login != 'apf-portal-bot'
runs-on: [self-hosted, on-prem]
# Lighthouse CI drives a real Chrome instance; the default act runner
# image (catthehacker/ubuntu:act-22.04) ships without one. The :full
# variant adds Chrome, Firefox, and the GUI-test toolchain — pinned
# to the same Ubuntu 22.04 base as the default labels for parity.
container:
image: catthehacker/ubuntu:full-22.04
steps:
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
- run: pnpm install --frozen-lockfile
- run: pnpm ci:perf
- uses: actions/upload-artifact@v7
if: always()
with:
name: lighthouseci-report
path: .lighthouseci/
retention-days: 30
a11y:
runs-on: [self-hosted, on-prem]
steps:
- uses: actions/checkout@v6
- uses: pnpm/action-setup@v6
- uses: actions/setup-node@v6
with:
node-version-file: '.nvmrc'
- run: pnpm install --frozen-lockfile
# Placeholder until the e2e a11y suite (axe-core via Playwright,
# per ADR-0016) is wired with the first real screens. The job
# exists so branch protection can require it from day one - it
# currently no-ops with a clear message.
- run: echo "a11y gate placeholder - axe-core via Playwright wires up with the first real screens (ADR-0016)."