diff --git a/.gitlab/merge_request_templates/new_feature.md b/.gitlab/merge_request_templates/new_feature.md index 74abae94c94dc0768bb5c51fe51ad253fce113fe..491b7f98ded7e0da03d18c95978eafcb7d86619f 100644 --- a/.gitlab/merge_request_templates/new_feature.md +++ b/.gitlab/merge_request_templates/new_feature.md @@ -8,8 +8,8 @@ Closes #999 ## Checklist * General: - * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced) - * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable) + * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced) + * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable) * Publicly usable: * [ ] untagged runners * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy` diff --git a/CHANGELOG.md b/CHANGELOG.md index 46805fa9703bdb305a42b9778e2ff0cbf6ed0384..6943b626f2af6379d59a206221876a77a9d3b74e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,11 @@ -# [2.7.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/gitleaks/compare/2.6.1...2.7.0) (2025-01-29) +## [2.7.1](https://gitlab.com/to-be-continuous/gitleaks/compare/2.7.0...2.7.1) (2025-04-02) + + +### Bug Fixes + +* analyse branch or MR commits only ([0ed44f1](https://gitlab.com/to-be-continuous/gitleaks/commit/0ed44f1c596e840cacc79f072e265714cd503a21)) + +# [2.7.0](https://gitlab.com/to-be-continuous/gitleaks/compare/2.6.1...2.7.0) (2025-01-27) ### Features diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 4aacd2a081ad9db795dc2ec4558afd502bd2e8cb..1285f81c6f52eb8c10f21f1551470055417ab0fe 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -61,7 +61,7 @@ To contribute: 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template). 2. Make sure the issue has been reviewed and agreed. -3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation). +3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation). Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed. ### Git Commit Conventions diff --git a/README.md b/README.md index 85efdc9e8cc6e56a63a3b5410f13f8f13e49aad8..72dc2bc2781a88c6d37a5a03f55746315384a31d 100644 --- a/README.md +++ b/README.md @@ -3,14 +3,14 @@ This project implements a GitLab CI/CD template to detect and prevent hardcoded secrets in your Git repository with [Gitleaks](https://github.com/zricethezav/gitleaks/wiki). -When run on the master branch, Gitleaks will audit all commits from all branches. +When run on merge requests, Gitleaks will run a quick analysis of added commits (i.e. the diff). -When run on other branches, Gitleaks will run a quick analysis on the current branch. +When run on branches, Gitleaks will run an analysis of all commits in the branch. ## Usage -This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component) -or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax. +This template can be used both as a [CI/CD component](https://docs.gitlab.com/ci/components/#use-a-component) +or using the legacy [`include:project`](https://docs.gitlab.com/ci/yaml/#includeproject) syntax. ### Use as a CI/CD component 
@@ -19,7 +19,7 @@ Add the following to your `.gitlab-ci.yml`: ```yaml include: # 1: include the component - - component: $CI_SERVER_FQDN/to-be-continuous/gitleaks/gitlab-ci-gitleaks@2.7.0 + - component: $CI_SERVER_FQDN/to-be-continuous/gitleaks/gitlab-ci-gitleaks@2.7.1 # 2: set/override component inputs inputs: args: "--no-banner" # ⚠ this is only an example @@ -33,7 +33,7 @@ Add the following to your `.gitlab-ci.yml`: include: # 1: include the template - project: 'to-be-continuous/gitleaks' - ref: '2.7.0' + ref: '2.7.1' file: '/templates/gitlab-ci-gitleaks.yml' variables: @@ -48,7 +48,7 @@ They use the following configuration. | Input / Variable | Description | Default value | | --------------------- | -------------------------------------- | ----------------- | -| `image` / `GITLEAKS_IMAGE` | The Docker image used to run Gitleaks | `registry.hub.docker.com/zricethezav/gitleaks:latest` | +| `image` / `GITLEAKS_IMAGE` | The Docker image used to run Gitleaks | `registry.hub.docker.com/zricethezav/gitleaks:latest` <br/>[](https://to-be-continuous.gitlab.io/doc/secu/trivy-GITLEAKS_IMAGE) | | `rules` / `GITLEAKS_RULES` | Gitleaks [configuration rules](https://github.com/zricethezav/gitleaks#configuration) to use (you may also provide your own `.gitleaks.toml` configuration file in your project). | _none_ (uses default rules) | | `args` / `GITLEAKS_ARGS` | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a full Gitleaks analysis (on master or develop branches) | `--verbose` | | `gitleaks-job-tags` / `GITLEAKS_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | 
@@ -59,4 +59,7 @@ Here is how this GitLab CI template chooses the Gitleaks rules to use: 1. It first looks for a `.gitleaks.toml` file at the root of your project repository. 2. If not found, it uses the `.toml` file specified with the `$GITLEAKS_RULES` variable. -3. If not specified, [default Gitleaks rules] (https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) are used. +3. If not specified, [default Gitleaks rules](https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) are used. + + +Your Gitleaks rule file can extend the default rules by using `[extend]` + `useDefault = true` as explained in the [Gitleaks documentation](https://github.com/gitleaks/gitleaks/blob/master/README.md#configuration) diff --git a/templates/gitlab-ci-gitleaks.yml b/templates/gitlab-ci-gitleaks.yml index c6006f484a3ec93e5335a6bbcc35743598f97403..8c1b06179eb1e81fa96ee1e3762ff437c9cbab83 100644 --- a/templates/gitlab-ci-gitleaks.yml +++ b/templates/gitlab-ci-gitleaks.yml @@ -220,14 +220,14 @@ stages: # ENDSCRIPT -# full analysis on master and develop branches +# full analysis on main/master and develop branches gitleaks: image: name: $GITLEAKS_IMAGE entrypoint: [""] services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "gitleaks", "2.7.0"] + command: ["--service", "gitleaks", "2.7.1"] stage: test needs: [] variables: 
@@ -238,7 +238,17 @@ gitleaks: - install_gitleaks_rules - git config --global --add safe.directory "${CI_PROJECT_DIR}" script: - - gitleaks git ${TRACE+--log-level debug} $gitleaks_rule_opts --report-path reports/gitleaks.native.json $GITLEAKS_ARGS . + - | + log_opts="" + if [[ "$CI_MERGE_REQUEST_DIFF_BASE_SHA" ]] + then + log_info "Merge Request only analysis (\\e[33;1m${CI_MERGE_REQUEST_DIFF_BASE_SHA}..${CI_COMMIT_SHA}\\e[0m)" + log_opts="${CI_MERGE_REQUEST_DIFF_BASE_SHA}..${CI_COMMIT_SHA}" + else + log_info "Full branch analysis (\\e[33;1m${CI_COMMIT_SHA}\\e[0m and ancestors)" + log_opts="${CI_COMMIT_SHA}" + fi + - gitleaks git ${TRACE+--log-level debug} $gitleaks_rule_opts --log-opts "$log_opts" --report-path reports/gitleaks.native.json $GITLEAKS_ARGS . artifacts: name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG" when: always
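Review bot: in the CHANGELOG hunk the 2.7.0 release date changes from 2025-01-29 to 2025-01-27 as a side effect of rewriting the compare URL from `git.code.tecnalia.dev` to `gitlab.com`; if the date correction is deliberate it deserves a word in the commit message, otherwise keep the original date and change only the host. The new 2.7.1 entry itself is consistent with the file's convention (patch release under `##`, bug fix linked to commit 0ed44f1).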
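Review bot: in the first README hunk the rewritten sentence "When run on branches, Gitleaks will run an analysis of all commits in the branch" does not match what the job does: the `else` branch passes `--log-opts "${CI_COMMIT_SHA}"`, which scans the current commit and every ancestor reachable from it, including history inherited from the parent branch, and only as far back as the checkout reaches. Suggest wording it the way the job's own log line does, e.g. "When run on branches, Gitleaks analyses the current commit and all its ancestors." The same paragraph still links Gitleaks to `https://github.com/zricethezav/gitleaks/wiki` while the rules section added further down links to `https://github.com/gitleaks/gitleaks`; pick one canonical project URL for the README.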
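Review bot: in the configuration table hunk (`@@ -48,7 +48,7 @@`) the `args` / `GITLEAKS_ARGS` description still reads "Options for a full Gitleaks analysis (on master or develop branches)", which is stale after this MR: `$GITLEAKS_ARGS` is appended to both the MR diff scan and the full branch scan, and the full scan now runs on any branch pipeline. Suggest "Extra Gitleaks options, appended to every analysis". Since the `image` row is touched anyway: the default `registry.hub.docker.com/zricethezav/gitleaks:latest` is an unpinned tag for the tool that gates secrets into the repository, and the added Trivy badge does not change that; consider documenting that users should pin `GITLEAKS_IMAGE` to a version or digest.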
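Review bot: the paragraph added in the README rules hunk (`@@ -59,4 +59,7 @@`) ends without a period and is preceded by two blank lines where the rest of the file uses one; "rule file" also reads better as "rules file". Suggest: "Your Gitleaks rules file can extend the default rules with `[extend]` + `useDefault = true`, as explained in the [Gitleaks documentation](https://github.com/gitleaks/gitleaks/blob/master/README.md#configuration)." The link fix on step 3 (`[default Gitleaks rules] (https://...)` to `[default Gitleaks rules](https://...)`) is correct.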
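Review bot: the comment rewritten to `# full analysis on main/master and develop branches` above the `gitleaks` job (hunk `@@ -220,14 +220,14 @@`) is misleading after the script change in this MR: the same job does an MR-only diff scan when `CI_MERGE_REQUEST_DIFF_BASE_SHA` is set and a full ancestor scan on every other branch pipeline, not only main/master/develop. Suggest `# MR pipelines: scan added commits only; branch pipelines: scan current commit and its ancestors` so the template comment and the README say the same thing.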
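Review bot: the new `--log-opts` logic in the script hunk (`@@ -238,7 +238,17 @@`) assumes `${CI_MERGE_REQUEST_DIFF_BASE_SHA}..${CI_COMMIT_SHA}` is resolvable in the checkout; with GitLab's default shallow clone the merge base may be absent, so `gitleaks git` fails on MR pipelines, and on branch pipelines the `else` path quietly scans only the commits within the shallow depth while the README promises the full history. The job's `variables:` block is cut off just above this hunk, so please confirm it sets `GIT_DEPTH: 0`, or add a `git fetch --unshallow` (or a deepen step) before the scan and fail the job explicitly when the base SHA cannot be resolved rather than letting the scan silently cover less than documented. Minor: `[[ "$CI_MERGE_REQUEST_DIFF_BASE_SHA" ]]` works, but `[[ -n "$CI_MERGE_REQUEST_DIFF_BASE_SHA" ]]` states the intent.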