Update pds-gitleaks and gitleaks version #3487
- update default gitleaks version in env file
- update gitleaks.sh to use new command line options instead of deprecated ones
- add build arg parameter to docker compose yaml files
winzj committed Oct 4, 2024
1 parent 51af92d commit 67bce86
Showing 4 changed files with 10 additions and 8 deletions.
1 change: 1 addition & 0 deletions sechub-pds-solutions/gitleaks/docker-compose_gitleaks.yaml
Expand Up @@ -7,6 +7,7 @@ services:
args:
- BASE_IMAGE=${BASE_IMAGE}
- GITLEAKS_VERSION=${GITLEAKS_VERSION}
- SECRETVALIDATION_WRAPPER_VERSION=${SECRETVALIDATION_WRAPPER_VERSION}
context: docker/
dockerfile: Gitleaks.dockerfile
container_name: pds-gitleaks
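Review bot: The new build arg `SECRETVALIDATION_WRAPPER_VERSION=${SECRETVALIDATION_WRAPPER_VERSION}` interpolates to an empty string when the variable is missing from the env file, so a misconfigured checkout would silently build an image with an empty wrapper version rather than fail. Using the compose fail-fast form, `- SECRETVALIDATION_WRAPPER_VERSION=${SECRETVALIDATION_WRAPPER_VERSION:?SECRETVALIDATION_WRAPPER_VERSION must be set in env}`, makes the missing value a build error; the same applies to the second compose section below, whose file header is not visible here. Whether `env` in this commit defines the variable cannot be confirmed from the shown hunk of that file.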
Expand Up @@ -7,6 +7,7 @@ services:
args:
- BASE_IMAGE=${BASE_IMAGE}
- GITLEAKS_VERSION=${GITLEAKS_VERSION}
- SECRETVALIDATION_WRAPPER_VERSION=${SECRETVALIDATION_WRAPPER_VERSION}
context: docker/
dockerfile: Gitleaks.dockerfile
container_name: pds-gitleaks
14 changes: 7 additions & 7 deletions sechub-pds-solutions/gitleaks/docker/scripts/gitleaks.sh
Expand Up @@ -24,32 +24,32 @@ scan_target_directory="$PDS_JOB_EXTRACTED_SOURCES_FOLDER"

# It is important to specify the target source folder with the current directory ".", because gitleaks puts this path in the report.
# The full path containing "$PDS_JOB_EXTRACTED_SOURCES_FOLDER" is not useful in the report.
gitleaks_options="--log-level debug --config $TOOL_FOLDER/custom-gitleaks.toml --source . --report-format sarif --report-path $PDS_JOB_RESULT_FILE --exit-code 0"
gitleaks_options="--max-decode-depth 10 --log-level debug --config $TOOL_FOLDER/custom-gitleaks.toml --report-format sarif --report-path $PDS_JOB_RESULT_FILE --exit-code 0"

# If the history scan was disabled, a normal filesystem scan is performed.
if [ "$GITLEAKS_HISTORY_SCAN_ENABLED" = "false" ] ; then
gitleaks_options="$gitleaks_options --no-git"
gitleaks_options="directory . $gitleaks_options"
echo "History scan was disabled by an administrator. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/history-scan-disabled.txt

# If no '.git' directory was found we cannot scan the git history
elif [ -z "$git_directory" ] ; then
gitleaks_options="$gitleaks_options --no-git"
gitleaks_options="directory . $gitleaks_options"
echo "No .git folder was uploaded for the secret scan. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/no-git.txt

# If the value of 'git_directory' is not a valid directory there is more than a single result of the find command
elif [ ! -d "$git_directory" ] ; then
gitleaks_options="$gitleaks_options --no-git"
gitleaks_options="directory . $gitleaks_options"
echo "Multiple .git folders were uploaded for the secret scan. This is not supported. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/multiple-git.txt

# If exactly one '.git' directory was found we scan the git history
else
scan_target_directory="$repository_root_directory"
cd "$repository_root_directory"
gitleaks_options="git . $gitleaks_options"
echo ".git folder was uploaded for the secret scan. Perform secret scan with history deepscan." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/history-scan.txt
fi

echo "### Running Gitleaks"
cd "$scan_target_directory"
gitleaks detect $gitleaks_options
gitleaks $gitleaks_options

# Secret-Validation
if [ "$SECRET_VALIDATOR_ENABLED" = "true" ] ; then
2 changes: 1 addition & 1 deletion sechub-pds-solutions/gitleaks/env
Expand Up @@ -5,7 +5,7 @@ BASE_IMAGE="ghcr.io/mercedes-benz/sechub/pds-base"

# The gitleaks version to use
# See: https://github.com/gitleaks/gitleaks/releases
GITLEAKS_VERSION="8.18.4"
GITLEAKS_VERSION="8.20.0"

# The build type of the Secret-Validation-Wrapper
# Possible values are:
