Commit

Merge pull request #3488 from mercedes-benz/feature-3487-update-pds-gitleaks

Update pds-gitleaks and gitleaks version #3487
winzj authored Oct 7, 2024
2 parents f47ff0a + 007cd31 commit f59c9f0
Showing 5 changed files with 10 additions and 7 deletions.
2 changes: 1 addition & 1 deletion sechub-pds-solutions/gitleaks/README.adoc
@@ -5,7 +5,7 @@

= Gitleaks + PDS

https://github.com/zricethezav/gitleaks[Gitleaks] is a free and open source secret scanner tool. Gitleaks is a command line interface (CLI) tool. By combining Gitleaks with the SecHub https://mercedes-benz.github.io/sechub/latest/sechub-product-delegation-server.html[Product Delegation Server (PDS)] in a container, Gitleaks can be used with SecHub. Another scenario is to use Gitleaks+PDS standalone.
https://github.com/gitleaks/gitleaks[Gitleaks] is a free and open source secret scanner tool. Gitleaks is a command line interface (CLI) tool. By combining Gitleaks with the SecHub https://mercedes-benz.github.io/sechub/latest/sechub-product-delegation-server.html[Product Delegation Server (PDS)] in a container, Gitleaks can be used with SecHub. Another scenario is to use Gitleaks+PDS standalone.

As an addition we have developed the SecHub Secret-Validation Wrapper. With its help, you can try to validate found possible secrets.
If the validation is successful the severity of that finding will be set to "critical" because the finding is confirmed.
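Review bot: the new link matches the upstream project's current location and is consistent with the `env` file in this same commit, whose release pointer already reads `https://github.com/gitleaks/gitleaks/releases`; nothing further needed on this hunk.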
1 change: 1 addition & 0 deletions sechub-pds-solutions/gitleaks/docker-compose_gitleaks.yaml
@@ -7,6 +7,7 @@ services:
args:
- BASE_IMAGE=${BASE_IMAGE}
- GITLEAKS_VERSION=${GITLEAKS_VERSION}
- SECRETVALIDATION_WRAPPER_VERSION=${SECRETVALIDATION_WRAPPER_VERSION}
context: docker/
dockerfile: Gitleaks.dockerfile
container_name: pds-gitleaks
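Review bot: `Gitleaks.dockerfile` is not among the five files changed in this commit, so please confirm it already declares `ARG SECRETVALIDATION_WRAPPER_VERSION` and uses it when the wrapper is installed; a build arg that the Dockerfile does not declare is only warned about and silently dropped, and the wrapper version would then not be pinned by this variable. Also check that `env` defines `SECRETVALIDATION_WRAPPER_VERSION` (its hunk in this commit shows the Secret-Validation-Wrapper section directly after `GITLEAKS_VERSION`), since compose substitutes an empty string for an undefined variable.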
@@ -7,6 +7,7 @@ services:
args:
- BASE_IMAGE=${BASE_IMAGE}
- GITLEAKS_VERSION=${GITLEAKS_VERSION}
- SECRETVALIDATION_WRAPPER_VERSION=${SECRETVALIDATION_WRAPPER_VERSION}
context: docker/
dockerfile: Gitleaks.dockerfile
container_name: pds-gitleaks
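Review bot: same one-line addition as in `docker-compose_gitleaks.yaml`, so the same check applies: `Gitleaks.dockerfile` must declare `ARG SECRETVALIDATION_WRAPPER_VERSION`, and the build-arg lists in the two compose files should stay in sync.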
11 changes: 6 additions & 5 deletions sechub-pds-solutions/gitleaks/docker/scripts/gitleaks.sh
@@ -24,32 +24,33 @@ scan_target_directory="$PDS_JOB_EXTRACTED_SOURCES_FOLDER"

# It is important to specify the target source folder with the current directory ".", because gitleaks puts this path in the report.
# The full path containing "$PDS_JOB_EXTRACTED_SOURCES_FOLDER" is not useful in the report.
gitleaks_options="--log-level debug --config $TOOL_FOLDER/custom-gitleaks.toml --source . --report-format sarif --report-path $PDS_JOB_RESULT_FILE --exit-code 0"
gitleaks_options="--max-decode-depth 10 --log-level debug --config $TOOL_FOLDER/custom-gitleaks.toml --report-format sarif --report-path $PDS_JOB_RESULT_FILE --exit-code 0"

# If the history scan was disabled, a normal filesystem scan is performed.
if [ "$GITLEAKS_HISTORY_SCAN_ENABLED" = "false" ] ; then
gitleaks_options="$gitleaks_options --no-git"
gitleaks_options="directory . $gitleaks_options"
echo "History scan was disabled by an administrator. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/history-scan-disabled.txt

# If no '.git' directory was found we cannot scan the git history
elif [ -z "$git_directory" ] ; then
gitleaks_options="$gitleaks_options --no-git"
gitleaks_options="directory . $gitleaks_options"
echo "No .git folder was uploaded for the secret scan. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/no-git.txt

# If the value of 'git_directory' is not a valid directory there is more than a single result of the find command
elif [ ! -d "$git_directory" ] ; then
gitleaks_options="$gitleaks_options --no-git"
gitleaks_options="directory . $gitleaks_options"
echo "Multiple .git folders were uploaded for the secret scan. This is not supported. A secret scan on the filesystem without history deepscan will be done instead." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/multiple-git.txt

# If exactly one '.git' directory was found we scan the git history
else
scan_target_directory="$repository_root_directory"
gitleaks_options="git . $gitleaks_options"
echo ".git folder was uploaded for the secret scan. Perform secret scan with history deepscan." | tee "$PDS_JOB_USER_MESSAGES_FOLDER"/history-scan.txt
fi

echo "### Running Gitleaks"
cd "$scan_target_directory"
gitleaks detect $gitleaks_options
gitleaks $gitleaks_options

# Secret-Validation
if [ "$SECRET_VALIDATOR_ENABLED" = "true" ] ; then
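Review bot: the script now depends on the `git` and `directory` subcommands and no longer works with the `detect --no-git --source .` form, so it only runs against the gitleaks release pinned by the `GITLEAKS_VERSION` bump in `env` in this same commit; please add a comment near the top of `gitleaks.sh` stating the minimum gitleaks version (or a guard that checks `gitleaks version` before the scan), because the image pins the version through a build arg and anyone lowering it would get a CLI usage error at scan time. Two smaller points: `--max-decode-depth 10` is a behavioural change beyond the CLI rename, since it enables gitleaks' decoding of encoded content before rule matching and can lengthen scans on large repositories, so it deserves a comment next to the option explaining why 10 was chosen; and the three fallback branches repeat the identical line `gitleaks_options="directory . $gitleaks_options"`, which could be set once before the `if` and overridden only in the `else` branch with `git .`.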
2 changes: 1 addition & 1 deletion sechub-pds-solutions/gitleaks/env
@@ -5,7 +5,7 @@ BASE_IMAGE="ghcr.io/mercedes-benz/sechub/pds-base"

# The gitleaks version to use
# See: https://github.com/gitleaks/gitleaks/releases
GITLEAKS_VERSION="8.18.4"
GITLEAKS_VERSION="8.20.0"

# The build type of the Secret-Validation-Wrapper
# Possible values are:
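Review bot: this bump is load-bearing rather than cosmetic: the `gitleaks.sh` change in this commit switches to the `git`/`directory` subcommands, which the previously pinned 8.18.4 does not offer, so the version and the script have to move together. Consider noting that coupling in the `env` comment above `GITLEAKS_VERSION` (for example, "do not downgrade below the version required by docker/scripts/gitleaks.sh") so the version is not pinned back independently.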

0 comments on commit f59c9f0
