diff --git a/templates/gitlab-ci-gitleaks.yml b/templates/gitlab-ci-gitleaks.yml
index 1947851b260d41f281d8d4e964e935f7d7eae776..386d525b263cc24774c4a79cac77eb117cd150c4 100644
--- a/templates/gitlab-ci-gitleaks.yml
+++ b/templates/gitlab-ci-gitleaks.yml
@@ -69,6 +69,88 @@ stages:
fi
}
+ function unscope_variables() {
+ _scoped_vars=$(env | awk -F '=' "/^scoped__[a-zA-Z0-9_]+=/ {print \$1}" | sort)
+ if [[ -z "$_scoped_vars" ]]; then return; fi
+ log_info "Processing scoped variables..."
+ for _scoped_var in $_scoped_vars
+ do
+ _fields=${_scoped_var//__/:}
+ _condition=$(echo "$_fields" | cut -d: -f3)
+ case "$_condition" in
+ if) _not="";;
+ ifnot) _not=1;;
+ *)
+ log_warn "... unrecognized condition \\e[1;91m$_condition\\e[0m in \\e[33;1m${_scoped_var}\\e[0m"
+ continue
+ ;;
+ esac
+ _target_var=$(echo "$_fields" | cut -d: -f2)
+ _cond_var=$(echo "$_fields" | cut -d: -f4)
+ _cond_val=$(eval echo "\$${_cond_var}")
+ _test_op=$(echo "$_fields" | cut -d: -f5)
+ case "$_test_op" in
+ defined)
+ if [[ -z "$_not" ]] && [[ -z "$_cond_val" ]]; then continue;
+ elif [[ "$_not" ]] && [[ "$_cond_val" ]]; then continue;
+ fi
+ ;;
+ equals|startswith|endswith|contains|in|equals_ic|startswith_ic|endswith_ic|contains_ic|in_ic)
+ # comparison operator
+ # sluggify actual value
+ _cond_val=$(echo "$_cond_val" | tr '[:punct:]' '_')
+ # retrieve comparison value
+ _cmp_val_prefix="scoped__${_target_var}__${_condition}__${_cond_var}__${_test_op}__"
+ _cmp_val=${_scoped_var#$_cmp_val_prefix}
+ # manage 'ignore case'
+ if [[ "$_test_op" == *_ic ]]
+ then
+ # lowercase everything
+ _cond_val=$(echo "$_cond_val" | tr '[:upper:]' '[:lower:]')
+ _cmp_val=$(echo "$_cmp_val" | tr '[:upper:]' '[:lower:]')
+ fi
+ case "$_test_op" in
+ equals*)
+ if [[ -z "$_not" ]] && [[ "$_cond_val" != "$_cmp_val" ]]; then continue;
+ elif [[ "$_not" ]] && [[ "$_cond_val" == "$_cmp_val" ]]; then continue;
+ fi
+ ;;
+ startswith*)
+ if [[ -z "$_not" ]] && [[ "$_cond_val" != "$_cmp_val"* ]]; then continue;
+ elif [[ "$_not" ]] && [[ "$_cond_val" == "$_cmp_val"* ]]; then continue;
+ fi
+ ;;
+ endswith*)
+ if [[ -z "$_not" ]] && [[ "$_cond_val" != *"$_cmp_val" ]]; then continue;
+ elif [[ "$_not" ]] && [[ "$_cond_val" == *"$_cmp_val" ]]; then continue;
+ fi
+ ;;
+ contains*)
+ if [[ -z "$_not" ]] && [[ "$_cond_val" != *"$_cmp_val"* ]]; then continue;
+ elif [[ "$_not" ]] && [[ "$_cond_val" == *"$_cmp_val"* ]]; then continue;
+ fi
+ ;;
+ in*)
+ if [[ -z "$_not" ]] && [[ "__${_cmp_val}__" != *"__${_cond_val}__"* ]]; then continue;
+ elif [[ "$_not" ]] && [[ "__${_cmp_val}__" == *"__${_cond_val}__"* ]]; then continue;
+ fi
+ ;;
+ esac
+ ;;
+ *)
+ log_warn "... unrecognized test operator \\e[1;91m${_test_op}\\e[0m in \\e[33;1m${_scoped_var}\\e[0m"
+ continue
+ ;;
+ esac
+ # matches
+ _val=$(eval echo "\$${_target_var}")
+ log_info "... apply \\e[32m${_target_var}\\e[0m from \\e[32m\$${_scoped_var}\\e[0m${_val:+ (\\e[33;1moverwrite\\e[0m)}"
+ _val=$(eval echo "\$${_scoped_var}")
+ export "${_target_var}"="${_val}"
+ done
+ log_info "... done"
+ }
+
function install_gitleaks_rules() {
# If present, import gitleaks rules found inside the git repository (in place of the default + Orange rules)
if [[ -f ".gitleaks.toml" ]]
@@ -105,6 +187,7 @@ stages:
}
if [[ -z "$TEMPLATE_CHECK_UPDATE_DISABLED" ]]; then check_for_update gitleaks "1.0.0"; fi
+ unscope_variables
# ENDSCRIPT