chore(deps): update all dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/cache	action	digest	3624ceb -> 6849a64
actions/checkout	action	digest	eef6144 -> 11bd719
actions/checkout	action	patch	v4.2.1 -> v4.2.2
defenseunicorns/uds-cli		minor	0.17.0 -> 0.18.0
defenseunicorns/uds-cli		minor	v0.17.0 -> v0.18.0
defenseunicorns/uds-cli		minor	v0.16.0 -> v0.18.0
defenseunicorns/uds-common		minor	v1.1.0 -> v1.2.1
docker.io/nutanix/ntnx-csi		minor	3.0.0 -> 3.1.0
docker.io/nutanix/ntnx-csi-precheck		minor	3.0.0 -> 3.1.0
ghcr.io/defenseunicorns/packages/metallb		minor	0.0.5-amd64 -> 0.1.1-amd64
ghcr.io/defenseunicorns/packages/uds/core		patch	0.29.0-registry1 -> 0.29.1-registry1
ghcr.io/defenseunicorns/packages/uds/gitlab		minor	17.2.9-uds.0-registry1 -> 17.3.6-uds.0-registry1
ghcr.io/defenseunicorns/packages/uds/gitlab-runner		minor	17.1.0-uds.1-registry1 -> 17.2.1-uds.4-registry1
ghcr.io/defenseunicorns/packages/uds/jira		major	1.22.0-uds.0-registry1 -> 9.12.13-uds.0-registry1
ghcr.io/defenseunicorns/packages/uds/mattermost		minor	10.0.0-uds.1-registry1 -> 10.1.1-uds.0-registry1
ghcr.io/defenseunicorns/packages/uds/valkey		major	7.2.6-uds.0-upstream -> 8.0.1-uds.0-upstream
ghcr.io/zarf-dev/packages/init		minor	v0.39.0 -> v0.42.0
gitleaks/gitleaks	repository	minor	v8.18.0 -> v8.21.2
pre-commit/pre-commit-hooks	repository	major	v4.0.1 -> v5.0.0
registry1.dso.mil/ironbank/opensource/kubernetes/kubectl (source)		minor	v1.29.4 -> v1.30.6

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.

---

Release Notes

actions/checkout (actions/checkout)

v4.2.2

Compare Source

• url-helper.ts now leverages well-known environment variables by @​jww3 in https://github.com/actions/checkout/pull/1941
• Expand unit test coverage for isGhes by @​jww3 in https://github.com/actions/checkout/pull/1946

defenseunicorns/uds-cli (defenseunicorns/uds-cli)

v0.18.0

Compare Source

What's Changed

• fix(deps): update module github.com/defenseunicorns/maru-runner to v0.4.0 by @​renovate in https://github.com/defenseunicorns/uds-cli/pull/977
• chore: update LICENSE to AGPL 3.0 by @​jalling97 in https://github.com/defenseunicorns/uds-cli/pull/970
• chore: refactor uds ui to use vendored runtime by @​TristanHoladay in https://github.com/defenseunicorns/uds-cli/pull/967
• fix: remove scorecard token by @​catsby in https://github.com/defenseunicorns/uds-cli/pull/979
• chore(deps): update dependency defenseunicorns/uds-runtime to v0.7.0 by @​renovate in https://github.com/defenseunicorns/uds-cli/pull/980
• chore(deps): update to uds-runtime v0.7.0 by @​catsby in https://github.com/defenseunicorns/uds-cli/pull/981
• fix: revert "fix: remove unused GitHub Action install-tools" by @​catsby in https://github.com/defenseunicorns/uds-cli/pull/982

New Contributors

• @​jalling97 made their first contribution in https://github.com/defenseunicorns/uds-cli/pull/970

Full Changelog: defenseunicorns/uds-cli@nightly-unstable...v0.18.0

defenseunicorns/uds-common (defenseunicorns/uds-common)

v1.2.1

Compare Source

Bug Fixes

• pull mv command to use latest version (#​324) (3512549)

Miscellaneous

• deps: update uds common support dependencies (#​320) (7dded2a)

v1.2.0

Compare Source

Features

• support gitlab (#​283) (9ac2019)

Bug Fixes

• don't fail if zarf.yaml not found in tag (#​322) (e4ef2ab)

Miscellaneous

• deps: update support-deps to v3.27.0 (#​318) (8b6e67e)
• update workflow permissions (#​321) (9f5c844)

v1.1.2

Compare Source

Miscellaneous

• docs: update CODEOWNERS example (#​302) (cf9959f)
• improve badge verification and dep installs (#​316) (047cc5b)

v1.1.1

Compare Source

Bug Fixes

• lint:deps producing unwanted file (#​297) (94db603)
• timeout too short on test workflows - allow adjustment on test/publish (#​314) (6ac1587)

Miscellaneous

• add if to only run the clean runner task on ubuntu-latest (#​309) (10377e8)
• adds check for addlicense (#​303) (4fef014)
• deps: update uds common support dependencies (#​305) (429058f)
• deps: update uds common support dependencies to v0.29.1 (#​313) (bd27cc8)
• docs: fix overwritten requirement for metadata (#​296) (07fd1d3)
• improve task checks/linting and allow more options on test/publish (#​311) (894a2ce)
• make yamllint easier to run locally (#​312) (f44b244)
• update uds-package-requirements.md (#​306) (b7a6f09)

gitleaks/gitleaks (gitleaks/gitleaks)

v8.21.2

Compare Source

Changelog

• 43fae35 feat(rules): create Octopus Deploy api key (#​1602)
• a158e4f fix(aws-access-token): only match if correct length (#​1584)
• b6e0eee fix(config): ignore jquery/swagger w/o version (#​1607)
• 722e7d8 feat: add new GitLab tokens (#​1560)
• 961f2e6 feat(generic-api-key): tune false positives (#​1606)
• e734fcf Create .gitleaks.toml (#​1605)
• 7206d6b feat(curl): tweak tps and fps (#​1603)
• 2db25f1 feat(config): ignore swagger-ui assets (#​1604)
• e97695b feat(generic-api-key): exclude keywords (#​1587)
• 0afb525 feat(okta): bump entropy to 4 (#​1599)
• 2068870 feat: update global allowlist (#​1597)
• 8cf93b9 refactor(allowlist): deduplicate commits & keywords (#​1596)
• 50c2818 feat(config): ignore jquery static assets (#​1595)
• 455ae0a More rule fixes (#​1586)
• 5407c44 chore: log skipped symlinks (#​1591)
• d03d6c4 feat: match left side of identifier (#​1585)
• 851c11a what secrets?
• 8cfa6b2 fix(rules): add entropy (#​1580)
• 9152eaa feat(aws): add entropy & allowlist (#​1582)
• 93acc6e feat(rules): add 1password token (#​1583)
• 83a5724 feat(config): add curl header rule (#​1576)

v8.21.1

Compare Source

Changelog

• cf5334f feat: add curl basic auth rule (#​1575)
• d07b394 Update spelling in README.md (#​1574)
• 5c03fa4 refactor(allowlist): use iota for condition (#​1569)
• 12034a7 refactor(config): temporarily switch to [rules.allowlist] (#​1573)

v8.21.0

Compare Source

Changelog

• aabe381 Define multiple allowlists per rule (#​1496)
• 8ea6085 build: upgrade gitleaks/go-gitdiff to v0.9.1 (#​1559)
• be9d0f8 Fix rule extension (#​1556)
• 9988e52 Update base config allowlist (#​1555)
• 8fb39ba feat(azure): detect Azure AD client secrets (#​1199)
• 14c924d chore: match gitleaks.toml anywhere (#​1553)

respect @​rgmz @​9999years

⚠️ Note: you may find some findings that were previously ignored if using .gitleaksignore pop up in your scans. This is due to a fix for a long standing bug where gitleaks would incorrectly report merge commit SHAs instead of the actual commit where a secret was introduced. See the following issues for more context:

• https://github.com/gitleaks/gitleaks/issues/1333
• https://github.com/gitleaks/gitleaks/pull/1559
• https://github.com/gitleaks/gitleaks/issues/1570#issuecomment-2413947146

v8.20.1

Compare Source

Changelog

• b2fbaeb feat(config): add placeholder regexes to global allowlist (#​1547)
• 00bb821 feat: add PrivateAI rule (#​1548)
• 445abe3 Bump golang verion used in docker build to match version specified in go.mod (#​1551)
• 1a2f656 feat: add cohere rule (#​1549)
• 82d737d feat(generate): generate global (#​1546)
• f6e5499 Feat/nuget config password rule (#​1540)

v8.20.0

Compare Source

Changelog

• bf8a49f Make private key check less greedy and include fifth dash (#​1440)
• 9c354f5 print tags if they exist
• 2278a2a Decode Base64 (#​1488)
• c5b15c9 refactor(config): keyword map (#​1538)
• a971a32 fix: use regexTarget for extend config (#​1536)
• a0f2f46 feat: bump go to 1.22 (#​1537)
• 4e8d7d3 fix: handle pre-commit and staged (#​1533)
• f8dcd83 Bugfix/1352 incorrect report multiple lines (#​1501)

Huge huge thanks to @​bplaxco for supporting b64 decoding, @​recreator66 for bug fixes, and to @​rgmz for his continued support of the project in the form of PRs and reviews. Thanks you!

New Feature: Decoding

Sometimes secrets are encoded in a way that can make them difficult to find
with just regex. Now you can tell gitleaks to automatically find and decode
encoded text. The flag --max-decode-depth enables this feature (the default
value "0" means the feature is disabled by default).

Recursive decoding is supported since decoded text can also contain encoded
text. The flag --max-decode-depth sets the recursion limit. Recursion stops
when there are no new segments of encoded text to decode, so setting a really
high max depth doesn't mean it will make that many passes. It will only make as
many as it needs to decode the text. Overall, decoding only minimally increases
scan times.

The findings for encoded text differ from normal findings in the following
ways:

• The location points the bounds of the encoded text
  • If the rule matches outside the encoded text, the bounds are adjusted to
    include that as well
• The match and secret contain the decoded value
• Two tags are added decoded:<encoding> and decode-depth:<depth>

Currently supported encodings:

• base64 (both standard and base64url)

v8.19.3

Compare Source

Changelog

• ed19c4e fix(config): extend allowlist & handle extend when validating (#​1524)
• 989ef19 refactor(kubernetes-secret): tweak variable chars (#​1520)
• 191eb43 Revert "remove validate config test temporarily" (#​1529)
• 78f7d3f feat: create fly.io rule (#​1528)
• 7098f6d fix: to many false-positive for gltf files, add gltf suffix to allowlist (#​1527)
• 97dbe1e Add support in .gitleaksignore file comment strings (#​1425) (#​1502)
• 9e06824 Restrict Etsy keywords (#​1491)
• db78260 feat(github): add entropy to rule (#​1489)
• df126a7 feat(gcp): update api key rule (#​1481)
• 75dd70e fix(hashicorp): ignore common fps (#​1498)
• 8510d39 fix(square): make prefix case sensitive (#​1469)
• 3698060 refactor(kubernetes-secret): collapse rules and update regex (#​1462)

v8.19.2

Compare Source

Changelog

• 128cd22 fix(rule): comment out errant validation case (#​1509)
• 1a6d2b0 remove validate config test temporarily
• 0874ebc Update README.md

v8.19.1

Compare Source

Changelog

• 9463ffa fix flag access (#​1506)

v8.19.0

Compare Source

Changelog

• 44ad62e Deprecate detect and protect. Add git, dir, stdin (#​1504) HEY THIS IS AN IMPORTANT CHANGE. If it breaks some stuff... sorry, I'll fix it asap, just open an issue and make sure to ping me. The change is meant to be backwards compatible.
• e93a7c0 Update Harness rules to add _ and - in the account ID part. (#​1503)
• 4e43d11 chore: fix gl workflow error (#​1487)
• bd81872 Make config generation utils public (#​1480)
• 3be7faa Update Hashicorp Vault token pattern (#​1483)
• 1aae66d feat(config): update rule validation (#​1466)
• 6dfcf5e Update .gitleaksignore
• f361c5e fix(detect): handle EOF with bytes (#​1472)
• 8a1ca9e Added poetry.lock to default allowlist paths (#​1474)
• 525c4b4 refactor(sarif): remove |name| and change |shortDescription| (#​1473)
• c0fda43 Use rule id for config validation error (#​1463)
• d3c4b90 Use first non-empty group if secretGroup isn't set (#​1459)
• b4009bf chore: remove unnecessary capture groups (#​1460)
• 80bd177 Return non-0 exit code from DetectGit (#​1461)
• 0334ec1 add gradle verification-metadata.xml to global allowlist (#​1446)
• c1345e1 feat(openshift): add user token (#​1449)
• 7697b3e (feat): Adding secret detection rule for Kubernetes secrets (#​1454)
• 26f3469 add version to default
• bc979de Add go.work and go.work.sum to global allowlist (#​1353)
• b899915 Add harness PAT and SAT rules (#​1406)
• 4c5195b Update README.md

v8.18.4

Compare Source

Changelog

• 02808f4 Limit hashicorp-tf-password to .tf/.hcl files (#​1420)
• 07e1c30 rm print
• db63fc1 reduce telegram... todo url and xml for later
• 9a4538c coderabbit.ai <3
• fe94ef9 Add NewRelic insert key detection (#​1417)
• bb4424d Improved Telegram bot token rule regex and added more test cases (#​1404)
• 575e923 Add intra42 client secret (#​1408)

Shout out to @​coderabbit for their sponsorship!

v8.18.3

Compare Source

Changelog

• 39947b0 extend FB access token discovery (#​1407)
• 79cac73 tests: scalingo validation consistent test (#​1359)
• 247f423 add real (test) standard and restricted keys (#​1375)
• 821b232 Add Cloudflare API and Origin CA keys (#​1374)
• 57ac4b3 Update "contributing guidelines" link (#​1390)
• db69e82 add update token from square (#​1370)
• 4b54328 feat: facebook secret, access token, and page access token rules (#​1372)
• 979f213 update mailchimp with new tokens (#​1376)
• 59c0cc7 Append ordered rules when extending (#​1304)
• 6c52f87 fix: age rule id with dashes (#​1349)
• 247a5e7 patching golang.org/x/text for CVE-2021-38561 and CVE-2022-32149 (#​1342)
• 8d23afd Use latest base images. (#​1334)

v8.18.2

Compare Source

Changelog

• ac4b514 removed gitleaks user from Dockerfile (#​1313)
• 76c9e31 Remove IAM identifiers for non-credential resources in the aws-access-token rule (#​1307)
• afe046b Update stripe rule to not alert on publishable keys (#​1320)
• 8b8920d --max-target-megabytes flag now supported for --no-git flag as well (#​1330)
• a59289c add pre-commit hook gitleaks-system (#​1225)
• 870194b fix errors when using protect and an external git diff tool (#​1318)
• 179c607 rename filesystem to directory (#​1317)
• 8de8938 Enhance Secret Descriptions (#​1300)
• ca7aa14 Small refactor detect and sources (#​1297)
• 01e60c8 chore(config): refactor to go generate; simplify configRules init (#​1295)
• 54f5f04 forgot symlinks
• 221d5c4 pretty apparent 'protect' and 'detect' should be merged into one command (#​1294)
• 128b50f style: sort the stopwords (#​1289)

v8.18.1

Compare Source

Changelog

• dab7d02 dont crash on 100gb files pls (#​1292)
• e63b657 remove secretgroup from default config (#​1288)
• 20fcf50 feat: Hashicorp Terraform fields for password (#​1237)
• b496677 perf: avoid allocations with (*regexp.Regexp).MatchString (#​1283)
• a3ab4e8 refactor: more explicit rules (#​1280)
• bd9a25a bugfix: reduce false positives for stripe tokens by using word boundaries in regex (#​1278)
• 6d0d8b5 add Infracost API rule (#​1273)
• 2959fc0 refactor: simplify test asserts (#​1271)
• d37b38f Update Makefile
• 14b1ca9 refactor: change detect tests to t.Fatal instead of log.Fatal (#​1270)
• d9f86d6 feat(rules): Add detection for Scalingo API Token (#​1262)
• ed34259 feat(jwt): detect base64-encoded tokens (#​1256)
• 0d5e46f feat: add --ignore-gitleaks-allow cmd flag (#​1260)
• a82ac29 switch out libs (#​1259)
• 0b84afa fix: no-color option should also affect zerolog output (#​1242)
• 8976539 Fixed lineEnd indexing if the match is the whole line (#​1223)
• 30c6117 feat: Add optional redaction value, default 100 (#​1229)
• e9135cf fix(jwt): longer segment lengths (#​1214)
• f65f915 Added yarn.lock file to default allowlist paths (#​1258)
• abfd0f3 Update README.md
• 18283bb feat(rules): make case insensitivity optional (#​1215)
• 9fb36b2 feat(rules): detect Hugging Face access tokens (#​1204)
• db4bc0f Resolve #​1170 - Enable selection of a single rule (#​1183)
• 3cbcda2 Update authress.go to include alternate form account dash (-) (#​1224)
• 46c6272 refactor: remove unnecessary removing temp files in tests (#​1255)
• 963a697 refactor: use os.ReadFile instead of os.Open + io.ReadAll (#​1254)
• 163ec21 fix(sumologic): improve patterns (#​1218)

pre-commit/pre-commit-hooks (pre-commit/pre-commit-hooks)

v5.0.0: pre-commit-hooks v5.0.0

Compare Source

Features

• requirements-txt-fixer: also remove pkg_resources==....
  • #​850 PR by @​ericfrederich.
  • #​1030 issue by @​ericfrederich.
• check-illegal-windows-names: new hook!
  • #​1044 PR by @​ericfrederich.
  • #​589 issue by @​ericfrederich.
  • #​1049 PR by @​Jeffrey-Lim.
• pretty-format-json: continue processing even if a file has a json error.
  • #​1039 PR by @​amarvin.
  • #​1038 issue by @​amarvin.

Fixes

• destroyed-symlinks: set stages to [pre-commit, pre-push, manual]
  • PR #​1085 by @​AdrianDC.

Migrating

• pre-commit-hooks now requires pre-commit>=3.2.0.
• use non-deprecated names for stages.
  • #​1093 PR by @​asottile.

v4.6.0: pre-commit-hooks v4.6.0

Compare Source

Features

• requirements-txt-fixer: remove duplicate packages.
  • #​1014 PR by @​vhoulbreque-withings.
  • #​960 issue @​csibe17.

Migrating

• fix-encoding-pragma: deprecated -- will be removed in 5.0.0. use
  pyupgrade or some other tool.
  • #​1033 PR by @​mxr.
  • #​1032 issue by @​mxr.

v4.5.0

Compare Source

v4.4.0: pre-commit-hooks v4.4.0

Compare Source

Features

• forbid-submodules: new hook which outright bans submodules.
  • #​815 PR by @​asottile.
  • #​707 issue by @​ChiefGokhlayeh.

v4.3.0: pre-commit-hooks v4.3.0

Compare Source

Features

• check-executables-have-shebangs: use git config core.fileMode to determine if it should query git.
  • #​730 PR by @​Kurt-von-Laven.
• name-tests-test: add --pytest-test-first test convention.
  • #​779 PR by @​asottile.

Fixes

• check-shebang-scripts-are-executable: update windows instructions.
  • #​774 PR by @​mdeweerd.
  • #​770 issue by @​mdeweerd.
• check-toml: use stdlib tomllib when available.
  • #​771 PR by @​DanielNoord.
  • #​755 issue by @​sognetic.
• check-added-large-files: don't run on non-file stages.
  • #​778 PR by @​asottile.
  • #​777 issue by @​skyj.

v4.2.0: pre-commit-hooks v4.2.0

Compare Source

Features

• name-tests-test: updated display text.
  • #​713 PR by @​asottile.
• check-docstring-first: make output more parsable.
  • #​748 PR by @​asottile.
• check-merge-conflict: make output more parsable.
  • #​748 PR by @​asottile.
• debug-statements: make output more parsable.
  • #​748 PR by @​asottile.

Fixes

• check-merge-conflict: fix detection of ====== conflict marker on windows.
  • #​748 PR by @​asottile.

Updating

• Drop python<3.7.
  • #​719 PR by @​asottile.
• Changed default branch from master to main.
  • #​744 PR by @​asottile.

v4.1.0: pre-commit-hooks v4.1.0

Compare Source

Features

• debug-statements: add pdbr debugger.
  • #​614 PR by @​cansarigol.
• detect-private-key: add detection for additional key types.
  • #​658 PR by @​ljmf00.
• check-executables-have-shebangs: improve messaging on windows.
  • #​689 PR by @​pujitm.
  • #​686 issue by @​jmerdich.
• check-added-large-files: support --enforce-all with git-lfs.
  • #​674 PR by @​amartani.
  • #​560 issue by @​jeremy-coulon.

Fixes

• check-case-conflict: improve performance.
  • #​626 PR by @​guykisel.
  • #​625 issue by @​guykisel.
• forbid-new-submodules: fix false-negatives for pre-push.
  • #​619 PR by @​m-khvoinitsky.
  • #​609 issue by @​m-khvoinitsky.
• check-merge-conflict: fix execution in git worktrees.
  • #​662 PR by @​errsyn.
  • #​638 issue by @​daschuer.

Misc.

• Normalize case of hook names and descriptions.
  • #​671 PR by @​dennisroche.
  • #​673 PR by @​revolter.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.