Commit 436b4404 authored by Benguria Elguezabal, Gorka

Merge remote-tracking branch 'upstream/master'

# Conflicts:
#	.gitlab-ci.yml
#	CHANGELOG.md
parents ca558dbc 703447c4
Pipeline #177667 passed
...@@ -8,8 +8,8 @@ Closes #999 ...@@ -8,8 +8,8 @@ Closes #999
## Checklist ## Checklist
* General: * General:
* [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced) * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)
* [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable) * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)
* Publicly usable: * Publicly usable:
* [ ] untagged runners * [ ] untagged runners
* [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy` * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`
......
# [2.7.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/gitleaks/compare/2.6.1...2.7.0) (2025-01-29) ## [2.7.1](https://gitlab.com/to-be-continuous/gitleaks/compare/2.7.0...2.7.1) (2025-04-02)
### Bug Fixes
* analyse branch or MR commits only ([0ed44f1](https://gitlab.com/to-be-continuous/gitleaks/commit/0ed44f1c596e840cacc79f072e265714cd503a21))
# [2.7.0](https://gitlab.com/to-be-continuous/gitleaks/compare/2.6.1...2.7.0) (2025-01-27)
### Features ### Features
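Review bot: the CHANGELOG conflict is resolved by taking upstream's 2.7.0 entry verbatim, so the fork's own compare link (`git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/gitleaks/compare/2.6.1...2.7.0`) and its 2025-01-29 date are replaced by upstream's (`gitlab.com/to-be-continuous/gitleaks`, 2025-01-27), and the new 2.7.1 entry also points at upstream. If this fork publishes its own releases, rewrite both compare links to the fork's path as was done for 2.7.0 before the merge; otherwise state in the commit message that the fork-specific links were dropped deliberately, since "Conflicts: CHANGELOG.md" alone does not say which side won.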
......
...@@ -61,7 +61,7 @@ To contribute: ...@@ -61,7 +61,7 @@ To contribute:
1. Create an issue describing the bug or enhancement you want to propose (select the right issue template). 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
2. Make sure the issue has been reviewed and agreed. 2. Make sure the issue has been reviewed and agreed.
3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation). 3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).
Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed. Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.
### Git Commit Conventions ### Git Commit Conventions
......
...@@ -3,14 +3,14 @@ ...@@ -3,14 +3,14 @@
This project implements a GitLab CI/CD template to detect and prevent hardcoded secrets in your This project implements a GitLab CI/CD template to detect and prevent hardcoded secrets in your
Git repository with [Gitleaks](https://github.com/zricethezav/gitleaks/wiki). Git repository with [Gitleaks](https://github.com/zricethezav/gitleaks/wiki).
When run on the master branch, Gitleaks will audit all commits from all branches. When run on merge requests, Gitleaks will run a quick analysis of added commits (i.e. the diff).
When run on other branches, Gitleaks will run a quick analysis on the current branch. When run on branches, Gitleaks will run an analysis of all commits in the branch.
## Usage ## Usage
This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component) This template can be used both as a [CI/CD component](https://docs.gitlab.com/ci/components/#use-a-component)
or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax. or using the legacy [`include:project`](https://docs.gitlab.com/ci/yaml/#includeproject) syntax.
### Use as a CI/CD component ### Use as a CI/CD component
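Review bot: the new description states that merge-request pipelines analyse only the added commits and branch pipelines analyse all commits in the branch, but it no longer says anything about the default branch, while the `args` row further down still reads "full Gitleaks analysis (on master or develop branches)"; align the two, e.g. "Options passed to Gitleaks for every analysis (branch or merge request)". "(i.e. the diff)" is also imprecise: the job passes a commit range to `gitleaks git --log-opts`, so Gitleaks scans the content of every commit between the MR base and the current commit, not a single file diff; "(the commits between the merge request base and the current commit)" is closer to what the script does.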
...@@ -19,7 +19,7 @@ Add the following to your `.gitlab-ci.yml`: ...@@ -19,7 +19,7 @@ Add the following to your `.gitlab-ci.yml`:
```yaml ```yaml
include: include:
# 1: include the component # 1: include the component
- component: $CI_SERVER_FQDN/to-be-continuous/gitleaks/gitlab-ci-gitleaks@2.7.0 - component: $CI_SERVER_FQDN/to-be-continuous/gitleaks/gitlab-ci-gitleaks@2.7.1
# 2: set/override component inputs # 2: set/override component inputs
inputs: inputs:
args: "--no-banner" # ⚠ this is only an example args: "--no-banner" # ⚠ this is only an example
...@@ -33,7 +33,7 @@ Add the following to your `.gitlab-ci.yml`: ...@@ -33,7 +33,7 @@ Add the following to your `.gitlab-ci.yml`:
include: include:
# 1: include the template # 1: include the template
- project: 'to-be-continuous/gitleaks' - project: 'to-be-continuous/gitleaks'
ref: '2.7.0' ref: '2.7.1'
file: '/templates/gitlab-ci-gitleaks.yml' file: '/templates/gitlab-ci-gitleaks.yml'
variables: variables:
...@@ -48,7 +48,7 @@ They use the following configuration. ...@@ -48,7 +48,7 @@ They use the following configuration.
| Input / Variable | Description | Default value | | Input / Variable | Description | Default value |
| --------------------- | -------------------------------------- | ----------------- | | --------------------- | -------------------------------------- | ----------------- |
| `image` / `GITLEAKS_IMAGE` | The Docker image used to run Gitleaks | `registry.hub.docker.com/zricethezav/gitleaks:latest` | | `image` / `GITLEAKS_IMAGE` | The Docker image used to run Gitleaks | `registry.hub.docker.com/zricethezav/gitleaks:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-GITLEAKS_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-GITLEAKS_IMAGE) |
| `rules` / `GITLEAKS_RULES` | Gitleaks [configuration rules](https://github.com/zricethezav/gitleaks#configuration) to use (you may also provide your own `.gitleaks.toml` configuration file in your project). | _none_ (uses default rules) | | `rules` / `GITLEAKS_RULES` | Gitleaks [configuration rules](https://github.com/zricethezav/gitleaks#configuration) to use (you may also provide your own `.gitleaks.toml` configuration file in your project). | _none_ (uses default rules) |
| `args` / `GITLEAKS_ARGS` | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a full Gitleaks analysis (on master or develop branches) | `--verbose` | | `args` / `GITLEAKS_ARGS` | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a full Gitleaks analysis (on master or develop branches) | `--verbose` |
| `gitleaks-job-tags` / `GITLEAKS_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | | `gitleaks-job-tags` / `GITLEAKS_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
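Review bot: the added Trivy badge advertises a scan of `GITLEAKS_IMAGE`, but the default it sits next to is the unpinned `:latest` tag, so the image the badge was scanned against can differ from the one a pipeline pulls later; either document a pinned tag or digest as the default or note beside the badge that it covers the tag at scan time, not whatever `latest` resolves to. The `args` row in the same hunk still says "(on master or develop branches)", which is stale now that the analysis mode is merge request vs branch.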
...@@ -60,3 +60,6 @@ Here is how this GitLab CI template chooses the Gitleaks rules to use: ...@@ -60,3 +60,6 @@ Here is how this GitLab CI template chooses the Gitleaks rules to use:
1. It first looks for a `.gitleaks.toml` file at the root of your project repository. 1. It first looks for a `.gitleaks.toml` file at the root of your project repository.
2. If not found, it uses the `.toml` file specified with the `$GITLEAKS_RULES` variable. 2. If not found, it uses the `.toml` file specified with the `$GITLEAKS_RULES` variable.
3. If not specified, [default Gitleaks rules](https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) are used. 3. If not specified, [default Gitleaks rules](https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) are used.
Your Gitleaks rule file can extend the default rules by using `[extend]` + `useDefault = true` as explained in the [Gitleaks documentation](https://github.com/gitleaks/gitleaks/blob/master/README.md#configuration)
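Review bot: the added sentence lacks a terminal period and links the `gitleaks/gitleaks` README while the rest of the file links `zricethezav/gitleaks`; use one canonical repository URL throughout. It would also help to say that `[extend]` with `useDefault = true` applies to whichever file is selected by the three steps above (root `.gitleaks.toml` or the `$GITLEAKS_RULES` file), so readers do not assume it only works for the project-local file.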
...@@ -220,14 +220,14 @@ stages: ...@@ -220,14 +220,14 @@ stages:
# ENDSCRIPT # ENDSCRIPT
# full analysis on master and develop branches # full analysis on main/master and develop branches
gitleaks: gitleaks:
image: image:
name: $GITLEAKS_IMAGE name: $GITLEAKS_IMAGE
entrypoint: [""] entrypoint: [""]
services: services:
- name: "$TBC_TRACKING_IMAGE" - name: "$TBC_TRACKING_IMAGE"
command: ["--service", "gitleaks", "2.7.0"] command: ["--service", "gitleaks", "2.7.1"]
stage: test stage: test
needs: [] needs: []
variables: variables:
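Review bot: the comment now reads "full analysis on main/master and develop branches", but the script in the next hunk chooses between a merge-request range and a full-branch analysis based on whether `CI_MERGE_REQUEST_DIFF_BASE_SHA` is set, not on the branch name, so the comment is misleading; suggest "branch pipelines: full analysis of the branch; merge-request pipelines: new commits only". The job's `rules:` are outside this hunk, so if they still restrict the job to main/master/develop, the README change saying it runs "on branches" should name which.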
...@@ -238,7 +238,17 @@ gitleaks: ...@@ -238,7 +238,17 @@ gitleaks:
- install_gitleaks_rules - install_gitleaks_rules
- git config --global --add safe.directory "${CI_PROJECT_DIR}" - git config --global --add safe.directory "${CI_PROJECT_DIR}"
script: script:
- gitleaks git ${TRACE+--log-level debug} $gitleaks_rule_opts --report-path reports/gitleaks.native.json $GITLEAKS_ARGS . - |
log_opts=""
if [[ "$CI_MERGE_REQUEST_DIFF_BASE_SHA" ]]
then
log_info "Merge Request only analysis (\\e[33;1m${CI_MERGE_REQUEST_DIFF_BASE_SHA}..${CI_COMMIT_SHA}\\e[0m)"
log_opts="${CI_MERGE_REQUEST_DIFF_BASE_SHA}..${CI_COMMIT_SHA}"
else
log_info "Full branch analysis (\\e[33;1m${CI_COMMIT_SHA}\\e[0m and ancestors)"
log_opts="${CI_COMMIT_SHA}"
fi
- gitleaks git ${TRACE+--log-level debug} $gitleaks_rule_opts --log-opts "$log_opts" --report-path reports/gitleaks.native.json $GITLEAKS_ARGS .
artifacts: artifacts:
name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG" name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
when: always when: always
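Review bot: `--log-opts "${CI_MERGE_REQUEST_DIFF_BASE_SHA}..${CI_COMMIT_SHA}"` assumes the base commit is present in the runner's clone; with a shallow clone (`GIT_DEPTH`) it may be missing and git will reject the range, so either document the required depth or fall back to the full-branch path when `git cat-file -e "$CI_MERGE_REQUEST_DIFF_BASE_SHA"` fails. The full-branch case ("and ancestors") is bounded by the same clone depth, which the README's "all commits in the branch" does not mention. In merged-results pipelines `CI_COMMIT_SHA` is the merge commit, so the range also covers target-branch commits merged since the base; if only the MR's own commits are wanted, end the range at `CI_MERGE_REQUEST_SOURCE_BRANCH_SHA` where it is set. Finally, `[[ ... ]]` and the `\e` colour escapes in `log_info` require bash inside `$GITLEAKS_IMAGE`; `[ -n "$CI_MERGE_REQUEST_DIFF_BASE_SHA" ]` would be the portable test.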
......