diff --git a/templates/gitlab-ci-gitleaks.yml b/templates/gitlab-ci-gitleaks.yml index 1947851b260d41f281d8d4e964e935f7d7eae776..386d525b263cc24774c4a79cac77eb117cd150c4 100644 --- a/templates/gitlab-ci-gitleaks.yml +++ b/templates/gitlab-ci-gitleaks.yml @@ -69,6 +69,88 @@ stages: fi } + function unscope_variables() { + _scoped_vars=$(env | awk -F '=' "/^scoped__[a-zA-Z0-9_]+=/ {print \$1}" | sort) + if [[ -z "$_scoped_vars" ]]; then return; fi + log_info "Processing scoped variables..." + for _scoped_var in $_scoped_vars + do + _fields=${_scoped_var//__/:} + _condition=$(echo "$_fields" | cut -d: -f3) + case "$_condition" in + if) _not="";; + ifnot) _not=1;; + *) + log_warn "... unrecognized condition \\e[1;91m$_condition\\e[0m in \\e[33;1m${_scoped_var}\\e[0m" + continue + ;; + esac + _target_var=$(echo "$_fields" | cut -d: -f2) + _cond_var=$(echo "$_fields" | cut -d: -f4) + _cond_val=$(eval echo "\$${_cond_var}") + _test_op=$(echo "$_fields" | cut -d: -f5) + case "$_test_op" in + defined) + if [[ -z "$_not" ]] && [[ -z "$_cond_val" ]]; then continue; + elif [[ "$_not" ]] && [[ "$_cond_val" ]]; then continue; + fi + ;; + equals|startswith|endswith|contains|in|equals_ic|startswith_ic|endswith_ic|contains_ic|in_ic) + # comparison operator + # sluggify actual value + _cond_val=$(echo "$_cond_val" | tr '[:punct:]' '_') + # retrieve comparison value + _cmp_val_prefix="scoped__${_target_var}__${_condition}__${_cond_var}__${_test_op}__" + _cmp_val=${_scoped_var#$_cmp_val_prefix} + # manage 'ignore case' + if [[ "$_test_op" == *_ic ]] + then + # lowercase everything + _cond_val=$(echo "$_cond_val" | tr '[:upper:]' '[:lower:]') + _cmp_val=$(echo "$_cmp_val" | tr '[:upper:]' '[:lower:]') + fi + case "$_test_op" in + equals*) + if [[ -z "$_not" ]] && [[ "$_cond_val" != "$_cmp_val" ]]; then continue; + elif [[ "$_not" ]] && [[ "$_cond_val" == "$_cmp_val" ]]; then continue; + fi + ;; + startswith*) + if [[ -z "$_not" ]] && [[ "$_cond_val" != "$_cmp_val"* ]]; then continue; + elif [[ "$_not" ]] && [[ "$_cond_val" == "$_cmp_val"* ]]; then continue; + fi + ;; + endswith*) + if [[ -z "$_not" ]] && [[ "$_cond_val" != *"$_cmp_val" ]]; then continue; + elif [[ "$_not" ]] && [[ "$_cond_val" == *"$_cmp_val" ]]; then continue; + fi + ;; + contains*) + if [[ -z "$_not" ]] && [[ "$_cond_val" != *"$_cmp_val"* ]]; then continue; + elif [[ "$_not" ]] && [[ "$_cond_val" == *"$_cmp_val"* ]]; then continue; + fi + ;; + in*) + if [[ -z "$_not" ]] && [[ "__${_cmp_val}__" != *"__${_cond_val}__"* ]]; then continue; + elif [[ "$_not" ]] && [[ "__${_cmp_val}__" == *"__${_cond_val}__"* ]]; then continue; + fi + ;; + esac + ;; + *) + log_warn "... unrecognized test operator \\e[1;91m${_test_op}\\e[0m in \\e[33;1m${_scoped_var}\\e[0m" + continue + ;; + esac + # matches + _val=$(eval echo "\$${_target_var}") + log_info "... apply \\e[32m${_target_var}\\e[0m from \\e[32m\$${_scoped_var}\\e[0m${_val:+ (\\e[33;1moverwrite\\e[0m)}" + _val=$(eval echo "\$${_scoped_var}") + export "${_target_var}"="${_val}" + done + log_info "... done" + } + function install_gitleaks_rules() { # If present, import gitleaks rules found inside the git repository (in place of the default + Orange rules) if [[ -f ".gitleaks.toml" ]] @@ -105,6 +187,7 @@ stages: } if [[ -z "$TEMPLATE_CHECK_UPDATE_DISABLED" ]]; then check_for_update gitleaks "1.0.0"; fi + unscope_variables # ENDSCRIPT