v8.23.3

Changelog

• 3188ad6 Don't exit with error if git repacking is required (#1711)
• 7fc11bb refactor(config): use non-capture groups for allowlists (#1735)
• 36c52c6 chore: Enhance curl-auth-user to detect empty usernames or passwords (#1726)
• 1f323d8 fix(cmd): read log-opts before GitLogCmd (#1730)

v8.23.2

Changelog

• d88bc09 facebook keyword
• 3fdaefd fix(meraki): restrict keyword case (#1722)
• f3ae52e feat(generic-api-key): detect base64 (#1598)
• d6a828a great branch name (#1721)
• d2ffffe fix(git): remove .git suffix for links (#1716)
• a43dc0d chore: refine generic-api-key fps + trace logging (#1720)
• 69ed20e fix(generate): move newline out of char range (#1719)
• 52b895a newline literal (#1718)
• 3f4d91f build: support either stdlib or 3rd-party regexp (#1706)
• 049f5b2 chore(detect): update trace logging (#1713)
• 7a6183d feat(git): redact passwords from remote URL (#1709)
• 3c7f3f0 feat(git): include link in report (#1698)
• 0e3f4f7 chore: reduce generic-api-key fps (#1707)
• 3ed8567 blorp
• e977850 added new rule for cisco meraki api key (#1700)
• ad7a4fb feat: general fp tweaks (#1703)
• b2cf03c chore(generate): use \x60 instead of literal (#1702)
• a3f623c chore(regex): simplify secretPrefix, suffix (#1620)
• cc71bb1 update version for pre-commit in README.md (#1699)

v8.23.1

Changelog

• 7bad9f7 chore(gcp): add firebase example keys to the gcp-api-key allowlists (#1635)
• 977236c fix: unaligned 64-bit atomic operation panic (#1696)
• a211b16 force push to master everyday
• 0e5f644 feat(config): disable extended rule (#1535)
• f320a60 style: prevent globbing and word splitting (#1543)
• c4526b2 refactor(generic-api-key): remove hard-coded 'magic' (#1600)
• 748076d chore(generate): add failing test case (#1690)

v8.23.0

Changelog

• db8e5e6 feat(generate): use multiple allowlists (#1691)
• 973c794 chore(rules): include fps in reference (#1471)
• f0d4499 Add comma as operator for GenerateSemiGenericRegex (#1679)
• ab38a46 refactor: central logger (#1692)
• b022d1c friendship ended with tines

READ THIS!!! The default gitleaks config now uses [[rules.allowlists]]

    # ⚠️ In v8.21.0 `[rules.allowlist]` was replaced with `[[rules.allowlists]]`.
    # This change was backwards-compatible: instances of `[rules.allowlist]` still  work.
    #
    # You can define multiple allowlists for a rule to reduce false positives.
    # A finding will be ignored if _ANY_ `[[rules.allowlists]]` matches.
    [[rules.allowlists]]
    description = "ignore commit A"
    # When multiple criteria are defined the default condition is "OR".
    # e.g., this can match on |commits| OR |paths| OR |stopwords|.
    condition = "OR"
    commits = [ "commit-A", "commit-B"]
    paths = [
      '''go\.mod''',
      '''go\.sum'''
    ]
    # note: stopwords targets the extracted secret, not the entire regex match
    # like 'regexes' does. (stopwords introduced in 8.8.0)
    stopwords = [
      '''client''',
      '''endpoint''',
    ]

    [[rules.allowlists]]
    # The "AND" condition can be used to make sure all criteria match.
    # e.g., this matches if |regexes| AND |paths| are satisfied.
    condition = "AND"
    # note: |regexes| defaults to check the _Secret_ in the finding.
    # Acceptable values for |regexTarget| are "secret" (default), "match", and "line".
    regexTarget = "match"
    regexes = [ '''(?i)parseur[il]''' ]
    paths = [ '''package-lock\.json''' ]

v8.22.1

Changelog

• b69b515 Entropy trace (#1659)
• 7357adc build: add 'toolchain' to go.mod (#1682)
• 4c3da6e refactor(detect): create readUntilSafeBoundary + add tests (#1676)
• dbe3746 twitter really does suck ass now
• 7edfc6b chore(tests): test cases for generate.go (#1623)
• efe40ca fix: only use non-empty secret groups (#1632)
• 7cb5f6f build: upgrade sprig v2->v3 (#1674)
• 2930537 fix: generate report file even if no findings (#1673)

v8.22.0

Changelog

• a91c671 replace std library regex engine with go-re2 (#1669)

---

This bumps the gitleaks binary size from around 8.5MB to 15MB but yields 2-4x speedup. Worth it imo. If you feel strongly against this change feel free to open an issue where we can discuss the tradeoffs in more depth. Credit to @ahrav

v8.21.4

Changelog

• 906085f Update golang version to 1.23 (#1672)
• 8a83062 log bytes (#1670)

v8.21.3

Changelog

• a9e6d8c go mod 1.23
• 2f73a3e Ensure keywords are downcased (#1633)
• f696605 feat: add settlemint api keys detection (#1663)
• 0bf13fc feat(dir): better chunking (#1665)
• 83e99ba feat(report): allow user-defined templates (#1650)
• e393d29 Add support for GitLab routable tokens (#1656)
• 263ce82 Add freemius secret key detection (#1611)
• 3c0e068 fix(kubernetes): only match 'kind: secret' (#1649)
• f3adda0 feat: use STDOUT when report file not specified (#1642)
• ed205a5 fix(dir): skip opening file&dir if allowlist matches (#1653)
• 6018012 fix: increase chunk size 10kb -> 100kb (#1652)
• 7f77987 feat: detect sentry.io tokens in the new format (#1640)
• 48a2e0e refactor: pre-commit hooks (#1627)
• 4e303d0 fix(easypost): only detect tokens of correct length (#1628)
• c1add1d feat(dir): continue on permission error (#1621)
• 202106a Add human readable description for curl rules (#1625)
• 8e94f98 Add option to include Line field in report (#1616)
• dbb42a7 hm (great comment)
• 2599460 Update README.md
• 8ffb980 nop for stupid build
• 4181ad6 Add new jira api token pattern (#1601)
• 48ea14b feat: update global & generic allowlist (#1618)
• 81f0002 fix(vault-service-token): ensure that TPS contains digits (#1614)
• c11adc9 Generate comprehensive secret samples (#1484)
• d1d9054 fix(aws): detect token in url (#1615)
• 5fe58bf fix(rules): entropy, uppercase in samples (#1593)
• 5c2e813 feat: tweak rules (#1608)

v8.21.2

Changelog

• 43fae35 feat(rules): create Octopus Deploy api key (#1602)
• a158e4f fix(aws-access-token): only match if correct length (#1584)
• b6e0eee fix(config): ignore jquery/swagger w/o version (#1607)
• 722e7d8 feat: add new GitLab tokens (#1560)
• 961f2e6 feat(generic-api-key): tune false positives (#1606)
• e734fcf Create .gitleaks.toml (#1605)
• 7206d6b feat(curl): tweak tps and fps (#1603)
• 2db25f1 feat(config): ignore swagger-ui assets (#1604)
• e97695b feat(generic-api-key): exclude keywords (#1587)
• 0afb525 feat(okta): bump entropy to 4 (#1599)
• 2068870 feat: update global allowlist (#1597)
• 8cf93b9 refactor(allowlist): deduplicate commits & keywords (#1596)
• 50c2818 feat(config): ignore jquery static assets (#1595)
• 455ae0a More rule fixes (#1586)
• 5407c44 chore: log skipped symlinks (#1591)
• d03d6c4 feat: match left side of identifier (#1585)
• 851c11a what secrets?
• 8cfa6b2 fix(rules): add entropy (#1580)
• 9152eaa feat(aws): add entropy & allowlist (#1582)
• 93acc6e feat(rules): add 1password token (#1583)
• 83a5724 feat(config): add curl header rule (#1576)

v8.21.1

Changelog

• cf5334f feat: add curl basic auth rule (#1575)
• d07b394 Update spelling in README.md (#1574)
• 5c03fa4 refactor(allowlist): use iota for condition (#1569)
• 12034a7 refactor(config): temporarily switch to [rules.allowlist] (#1573)