Merge remote-tracking branch 'upstream/master'

# Conflicts: # .gitlab-ci.yml # CHANGELOG.md

Merge remote-tracking branch 'upstream/master'
436b4404 · Benguria Elguezabal, Gorka · ca558dbc · 703447c4 · 436b4404 · 436b4404
Commit 436b4404 authored 1 month ago by Benguria Elguezabal, Gorka
--- a/.gitlab/merge_request_templates/new_feature.md
+++ b/.gitlab/merge_request_templates/new_feature.md
@@ -8,8 +8,8 @@ Closes #999
 ## Checklist
 * General:
-    * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced)
+    * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)
-    * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable)
+    * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)
 * Publicly usable:
    * [ ] untagged runners
    * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
-# [2.7.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/gitleaks/compare/2.6.1...2.7.0) (2025-01-29)
+## [2.7.1](https://gitlab.com/to-be-continuous/gitleaks/compare/2.7.0...2.7.1) (2025-04-02)
+### Bug Fixes
+* analyse branch or MR commits only ([0ed44f1](https://gitlab.com/to-be-continuous/gitleaks/commit/0ed44f1c596e840cacc79f072e265714cd503a21))
+# [2.7.0](https://gitlab.com/to-be-continuous/gitleaks/compare/2.6.1...2.7.0) (2025-01-27)
 ### Features

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -61,7 +61,7 @@ To contribute:
 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
 2. Make sure the issue has been reviewed and agreed.
-3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation).
+3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).
   Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.
 ### Git Commit Conventions

--- a/README.md
+++ b/README.md
@@ -3,14 +3,14 @@
 This project implements a GitLab CI/CD template to detect and prevent hardcoded secrets in your 
 Git repository with [Gitleaks](https://github.com/zricethezav/gitleaks/wiki).
-When run on the master branch, Gitleaks will audit all commits from all branches.
+When run on merge requests, Gitleaks will run a quick analysis of added commits (i.e. the diff).
-When run on other branches, Gitleaks will run a quick analysis on the current branch.
+When run on branches, Gitleaks will run an analysis of all commits in the branch.
 ## Usage
-This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component) 
+This template can be used both as a [CI/CD component](https://docs.gitlab.com/ci/components/#use-a-component) 
-or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.
+or using the legacy [`include:project`](https://docs.gitlab.com/ci/yaml/#includeproject) syntax.
 ### Use as a CI/CD component
@@ -19,7 +19,7 @@ Add the following to your `.gitlab-ci.yml`:
 ```yaml
 include:
  # 1: include the component
-  - component: $CI_SERVER_FQDN/to-be-continuous/gitleaks/gitlab-ci-gitleaks@2.7.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/gitleaks/gitlab-ci-gitleaks@2.7.1
    # 2: set/override component inputs
    inputs:
      args: "--no-banner" # ⚠ this is only an example
@@ -33,7 +33,7 @@ Add the following to your `.gitlab-ci.yml`:
 include:
  # 1: include the template
  - project: 'to-be-continuous/gitleaks'
-    ref: '2.7.0'
+    ref: '2.7.1'
    file: '/templates/gitlab-ci-gitleaks.yml'
 variables:
@@ -48,7 +48,7 @@ They use the following configuration.
 | Input / Variable | Description                            | Default value     |
 | --------------------- | -------------------------------------- | ----------------- |
-| `image` / `GITLEAKS_IMAGE` | The Docker image used to run Gitleaks  | `registry.hub.docker.com/zricethezav/gitleaks:latest` |
+| `image` / `GITLEAKS_IMAGE` | The Docker image used to run Gitleaks  | `registry.hub.docker.com/zricethezav/gitleaks:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-GITLEAKS_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-GITLEAKS_IMAGE) |
 | `rules` / `GITLEAKS_RULES` | Gitleaks [configuration rules](https://github.com/zricethezav/gitleaks#configuration) to use (you may also provide your own `.gitleaks.toml` configuration file in your project). | _none_ (uses default rules) |
 | `args` / `GITLEAKS_ARGS` | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a full Gitleaks analysis (on master or develop branches) | `--verbose` |
 | `gitleaks-job-tags` / `GITLEAKS_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |
@@ -60,3 +60,6 @@ Here is how this GitLab CI template chooses the Gitleaks rules to use:
 1. It first looks for a `.gitleaks.toml` file at the root of your project repository.
 2. If not found, it uses the `.toml` file specified with the `$GITLEAKS_RULES` variable.
 3. If not specified, [default Gitleaks rules](https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) are used.
+Your Gitleaks rule file can extend the default rules by using `[extend]` + `useDefault = true` as explained in the [Gitleaks documentation](https://github.com/gitleaks/gitleaks/blob/master/README.md#configuration)
--- a/templates/gitlab-ci-gitleaks.yml
+++ b/templates/gitlab-ci-gitleaks.yml
@@ -220,14 +220,14 @@ stages:
  # ENDSCRIPT
-# full analysis on master and develop branches
+# full analysis on main/master and develop branches
 gitleaks:
  image:
    name: $GITLEAKS_IMAGE
    entrypoint: [""]
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "gitleaks", "2.7.0"]
+      command: ["--service", "gitleaks", "2.7.1"]
  stage: test
  needs: []
  variables:
@@ -238,7 +238,17 @@ gitleaks:
    - install_gitleaks_rules
    - git config --global --add safe.directory "${CI_PROJECT_DIR}"
  script:
-    - gitleaks git ${TRACE+--log-level debug} $gitleaks_rule_opts --report-path reports/gitleaks.native.json $GITLEAKS_ARGS .
+    - |
+      log_opts=""
+      if [[ "$CI_MERGE_REQUEST_DIFF_BASE_SHA" ]]
+      then
+        log_info "Merge Request only analysis (\\e[33;1m${CI_MERGE_REQUEST_DIFF_BASE_SHA}..${CI_COMMIT_SHA}\\e[0m)"
+        log_opts="${CI_MERGE_REQUEST_DIFF_BASE_SHA}..${CI_COMMIT_SHA}"
+      else
+        log_info "Full branch analysis (\\e[33;1m${CI_COMMIT_SHA}\\e[0m and ancestors)"
+        log_opts="${CI_COMMIT_SHA}"
+      fi
+    - gitleaks git ${TRACE+--log-level debug} $gitleaks_rule_opts --log-opts "$log_opts" --report-path reports/gitleaks.native.json $GITLEAKS_ARGS .
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    when: always