
Issue with Gitleaks 8.23.2 #96

Closed
scrocquesel-ml150 opened this issue Jan 27, 2025 · 10 comments

Comments

@scrocquesel-ml150

I found this gitleaks/gitleaks#1504 because of an issue with 8.23.2

@JoostVoskuil
Owner

Hi @scrocquesel-ml150 , What is the issue with 8.23.2?

@scrocquesel-ml150
Author

I think it is related to this issue gitleaks/gitleaks#1729

@JoostVoskuil
Owner

JoostVoskuil commented Jan 27, 2025

@scrocquesel-ml150 Can you explain what the issue is? I am aware of the deprecation of the commands

scrocquesel-ml150 changed the title from "detect and protect are deprecated commandes" to "detect and protect are deprecated commands" on Jan 27, 2025
@scrocquesel-ml150
Author

scrocquesel-ml150 commented Jan 27, 2025

Since 8.23.2, gitleaks detects leaks in PR when it should not.

/opt/hostedtoolcache/gitleaks/8.23.2/x64/gitleaks detect --source=/home/vsts/work/1/s --log-opts=9e3d48df6c37a31b80d2452ce0d9b9f5a1648c3c^! 9e3d48df6c37a31b80d2452ce0d9b9f5a1648c3c --redact --report-format=json


12:45AM INF Unknown SCM platform. Use --platform to include links in findings. host=dev.azure.com
12:45AM INF 36 commits scanned.
12:45AM INF scanned ~2796506 bytes (2.80 MB) in 557ms
12:45AM WRN leaks found: 1

The reported file is not modified in the one commit of this PR.

@scrocquesel-ml150
Author

I just tried setting version to 8.23.1 but the latest version is forced.

The latest version of Gitleaks (8.23.2) must be downloaded...
Downloading: https://github.com/zricethezav/gitleaks/releases/download/v8.23.2/gitleaks_8.23.2_linux_x64.tar.gz

Task version is Version : 2.13.0

@JoostVoskuil
Owner

Sorry it is not clear what the issue is.

Can you:

  • Tell me what your settings are in the task
  • Tell me what you expect
  • Tell me what you found

@scrocquesel-ml150
Author

My settings are

- task: Gitleaks@2
  inputs:
    scanlocation: '$(Build.SourcesDirectory)'
    ${{ if ne('', parameters.rules) }}:
      configfile: "$(Build.SourcesDirectory)/${{ parameters.rules }}"
      configtype: custom
    ${{ else }}:
      configtype: default
    uploadresults: "true"
    reportartifactname: gitleaks-reports
    reportformat: 'json'
    reportfolder: $(Agent.TempDirectory)/.gitleaks/reports

Everything worked fine before the release of gitleaks 8.23.2.
Since then, the PR pipeline has started reporting leaks for a file not modified in the PR.

Starting: Gitleaks
==============================================================================
Task         : Gitleaks scan
Description  : Scan git repos (or files) for secrets using regex and entropy.
Version      : 2.13.0
Author       : Joost Voskuil ([email protected])
Help         : [More information](https://github.com/JoostVoskuil/azure-devops-gitleaks)
==============================================================================
Thanks to Zachary Rice (https://github.com/zricethezav) for creating and maintaining gitleaks.
Thanks to Jesse Houwing (https://github.com/jessehouwing) for providing a gitleaks config that has most of Microsoft's deprecated credscan rules ported to it.

Only commits belonging to this Pull Request are scanned.
Scanning for 1 Git commit(s) for this build. First commit is 1ac40b54c60cbb9eaa62541e428bd169ec543df5, Last commit is 1ac40b54c60cbb9eaa62541e428bd169ec543df5
Querying Gitleaks Latest Release GitHub Page.
The latest version of Gitleaks (8.23.1) must be downloaded...
Downloading: https://github.com/zricethezav/gitleaks/releases/download/v8.23.1/gitleaks_8.23.1_linux_x64.tar.gz
Extracting archive
/usr/bin/tar xC /home/vsts/work/_temp/907c660a-10ff-4bc8-964c-f874cd1ea26e -f /home/vsts/work/_temp/1e91ca6c-9979-4dfa-9f48-808ec484f2d3
Caching tool: gitleaks 8.23.1 x64
/opt/hostedtoolcache/gitleaks/8.23.1/x64/gitleaks detect --source=/home/vsts/work/1/s --log-opts=1ac40b54c60cbb9eaa62541e428bd169ec543df5^! 1ac40b54c60cbb9eaa62541e428bd169ec543df5 --redact --report-format=json --report-path=/home/vsts/work/_temp/.gitleaks/reports/gitleaks-report-790a4ef5-653f-56e7-b69c-d7785a74a6a4.json --exit-code=99

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

6:03AM INF 1 commits scanned.
6:03AM INF scanned ~73 bytes (73 bytes) in 5.56ms
6:03AM INF no leaks found
Finishing: Gitleaks

As expected, only one commit is scanned with 8.23.1.

Starting: Gitleaks
==============================================================================
Task         : Gitleaks scan
Description  : Scan git repos (or files) for secrets using regex and entropy.
Version      : 2.13.0
Author       : Joost Voskuil ([email protected])
Help         : [More information](https://github.com/JoostVoskuil/azure-devops-gitleaks)
==============================================================================
Thanks to Zachary Rice (https://github.com/zricethezav) for creating and maintaining gitleaks.
Thanks to Jesse Houwing (https://github.com/jessehouwing) for providing a gitleaks config that has most of Microsoft's deprecated credscan rules ported to it.

Only commits belonging to this Pull Request are scanned.
Scanning for 1 Git commit(s) for this build. First commit is 9e3d48df6c37a31b80d2452ce0d9b9f5a1648c3c, Last commit is 9e3d48df6c37a31b80d2452ce0d9b9f5a1648c3c
Querying Gitleaks Latest Release GitHub Page.
The latest version of Gitleaks (8.23.2) must be downloaded...
Downloading: https://github.com/zricethezav/gitleaks/releases/download/v8.23.2/gitleaks_8.23.2_linux_x64.tar.gz
Extracting archive
/usr/bin/tar xC /home/vsts/work/_temp/3334b3fd-fcf6-4a98-98d3-2aa5bcfdb8ce -f /home/vsts/work/_temp/880357e5-9cf4-406f-9c82-c75d849e88a9
Caching tool: gitleaks 8.23.2 x64
/opt/hostedtoolcache/gitleaks/8.23.2/x64/gitleaks detect --source=/home/vsts/work/1/s --log-opts=9e3d48df6c37a31b80d2452ce0d9b9f5a1648c3c^! 9e3d48df6c37a31b80d2452ce0d9b9f5a1648c3c --redact --report-format=json --report-path=/home/vsts/work/_temp/.gitleaks/reports/gitleaks-report-790a4ef5-653f-56e7-b69c-d7785a74a6a4.json --exit-code=99

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

12:45AM INF Unknown SCM platform. Use --platform to include links in findings. host=dev.azure.com
12:45AM INF 36 commits scanned.
12:45AM INF scanned ~2796506 bytes (2.80 MB) in 557ms
12:45AM WRN leaks found: 1
##[error]Leaks found. See log and report for details. See https://docs.github.com/en/github/authenticating-to-github/removing-sensitive-data-from-a-repository for information how to remove secrets.
Async Command Start: Upload Artifact
Uploading 1 files
File upload succeed.
Upload '/home/vsts/work/_temp/.gitleaks/reports/gitleaks-report-790a4ef5-653f-56e7-b69c-d7785a74a6a4.json' to file container: '#/41338235/Gitleaks'
Associated artifact 117929 with build 129020
Async Command End: Upload Artifact
Finishing: Gitleaks

36 commits instead of just one with 8.23.2.
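The two task runs quoted above differ in one number: the task announces 1 commit for the PR, while gitleaks 8.23.2 reports 36 commits scanned, so a finding in a file the PR never touched is not a PR leak at all. As an added example (not part of this issue, the extension, or gitleaks), the following Python reads a task log, compares the commit count the task said it would scan with the count gitleaks actually scanned, and classifies the run so that a "leaks found" result from an over-scanned run is treated as a tooling problem rather than as a secret introduced by the PR. The sample logs are constructed from the output quoted in this thread, and the regular expressions assume the line shapes shown here are stable.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample logs, trimmed from the two Azure DevOps task runs quoted in this issue:
# 8.23.1 scanned the single PR commit, 8.23.2 scanned 36 commits for the same one-commit PR.
LOG_8_23_1 = """\
Only commits belonging to this Pull Request are scanned.
Scanning for 1 Git commit(s) for this build. First commit is 1ac40b54c60cbb9eaa62541e428bd169ec543df5, Last commit is 1ac40b54c60cbb9eaa62541e428bd169ec543df5
Caching tool: gitleaks 8.23.1 x64
6:03AM INF 1 commits scanned.
6:03AM INF scanned ~73 bytes (73 bytes) in 5.56ms
6:03AM INF no leaks found
"""

LOG_8_23_2 = """\
Only commits belonging to this Pull Request are scanned.
Scanning for 1 Git commit(s) for this build. First commit is 9e3d48df6c37a31b80d2452ce0d9b9f5a1648c3c, Last commit is 9e3d48df6c37a31b80d2452ce0d9b9f5a1648c3c
Caching tool: gitleaks 8.23.2 x64
12:45AM INF Unknown SCM platform. Use --platform to include links in findings. host=dev.azure.com
12:45AM INF 36 commits scanned.
12:45AM INF scanned ~2796506 bytes (2.80 MB) in 557ms
12:45AM WRN leaks found: 1
"""

# Line shapes taken from the quoted output; treating them as stable is an assumption.
EXPECTED_RE = re.compile(r"Scanning for (\d+) Git commit\(s\) for this build")
VERSION_RE = re.compile(r"Caching tool: gitleaks (\S+)")
SCANNED_RE = re.compile(r"\bINF (\d+) commits scanned\.")
LEAKS_RE = re.compile(r"\bWRN leaks found: (\d+)")
NO_LEAKS_RE = re.compile(r"\bINF no leaks found")


@dataclass
class ScanScope:
    gitleaks_version: Optional[str]
    expected_commits: Optional[int]  # what the task said it would scan (the PR's commits)
    scanned_commits: Optional[int]   # what gitleaks reported it actually scanned
    leaks: Optional[int]             # None if neither a leak count nor "no leaks found" appeared

    @property
    def scope_mismatch(self) -> bool:
        """True when gitleaks scanned a different number of commits than the task asked for."""
        return (self.expected_commits is not None
                and self.scanned_commits is not None
                and self.expected_commits != self.scanned_commits)


def parse_scan_log(text: str) -> ScanScope:
    """Extract the gitleaks version, commit counts and leak count from one task run's log."""
    scope = ScanScope(None, None, None, None)
    for line in text.splitlines():
        if m := EXPECTED_RE.search(line):
            scope.expected_commits = int(m.group(1))
        elif m := VERSION_RE.search(line):
            scope.gitleaks_version = m.group(1)
        elif m := SCANNED_RE.search(line):
            scope.scanned_commits = int(m.group(1))
        elif m := LEAKS_RE.search(line):
            scope.leaks = int(m.group(1))
        elif NO_LEAKS_RE.search(line):
            scope.leaks = 0
    return scope


def classify_run(text: str) -> str:
    """
    'clean'          : scope matched and gitleaks found nothing
    'leaks'          : scope matched and gitleaks found secrets in the PR's own commits
    'scope-mismatch' : gitleaks scanned more (or fewer) commits than the PR contains, so no
                       finding can be attributed to this PR; surface it as a tooling failure
    'unknown'        : the log lacked the lines needed to decide
    """
    scope = parse_scan_log(text)
    if scope.scope_mismatch:
        return "scope-mismatch"
    if scope.leaks is None or scope.expected_commits is None:
        return "unknown"
    return "leaks" if scope.leaks > 0 else "clean"


if __name__ == "__main__":
    for log in (LOG_8_23_1, LOG_8_23_2):
        s = parse_scan_log(log)
        print(f"gitleaks {s.gitleaks_version}: expected {s.expected_commits} commit(s), "
              f"scanned {s.scanned_commits}, leaks {s.leaks} -> {classify_run(log)}")
```

Run against the 8.23.1 log this yields "clean"; against the 8.23.2 log it yields "scope-mismatch" rather than "leaks", which is the signal that the pipeline should report a scanner regression instead of blaming the PR author for a secret in a file the PR never changed.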

@JoostVoskuil
Owner

Specifying 8.23.1 works here. If there is an issue with 8.23.2 you can go back to version 8.23.1. I only maintain the extension, not Gitleaks itself.

JoostVoskuil changed the title from "detect and protect are deprecated commands" to "Issue with Gitleaks 8.23.2" on Jan 27, 2025
@scrocquesel-ml150
Author

> Specifying 8.23.1 works here. If there is an issue with 8.23.2 you can go back to version 8.23.1. I only maintain the extension, not Gitleaks itself.

Yes, sorry, I was doing many tests, and reverting to the older version worked as expected.

I know you are not maintaining GitLeaks itself and I'm glad you are aware of the deprecated stuff. I was just guessing that if the extension were already using the newer git commands, we would not have to set the version to 8.23.1. This was the main reason for creating this issue.

@JoostVoskuil
Owner

Hi @scrocquesel-ml150, thank you for the notion of the deprecated stuff. I appreciate that. Yes, unfortunately this issue pops up due to the deprecation and a bug. Reverting back to 8.23.1 is a good thing to do.

I've created a separate issue to track the deprecation. I will work on that when I have some spare time. Is it all right if I close this issue? I cannot do anything to help you at this moment, sorry.
