Documentation
¶
Index ¶
- Constants
- func IsNew(finding report.Finding, redact uint, baseline []report.Finding) bool
- func LoadBaseline(baselinePath string) ([]report.Finding, error)
- func RedactFindings(findings []report.Finding, percent uint)
- type ContextMode
- type Detector
- func (d *Detector) AddBaseline(baselinePath string, source string) error
- func (d *Detector) AddFinding(finding report.Finding)
- func (d *Detector) AddGitleaksIgnore(gitleaksIgnorePath string) error
- func (d *Detector) Detect(fragment sources.Fragment) []report.Findingdeprecated
- func (d *Detector) DetectContext(ctx context.Context, fragment sources.Fragment) []report.Findingdeprecated
- func (d *Detector) DetectSource(ctx context.Context, source sources.Source) ([]report.Finding, error)
- func (d *Detector) DetectString(content string) []report.Finding
- func (d *Detector) FilterByStatus(findings []report.Finding) []report.Finding
- func (d *Detector) Findings() []report.Finding
- func (d *Detector) Run(ctx context.Context, source sources.Source) iter.Seq[Result]
- func (d *Detector) SkipFunc() sources.SkipFunc
- func (d *Detector) Tokenizer() *tiktoken.Tiktoken
- type Location
- type MatchContextSpec
- type Result
- type TiktokenLoader
- type ValidationOptions
Constants ¶
const ( // SlowWarningThreshold is the amount of time to wait before logging that a file is slow. // This is useful for identifying problematic files and tuning the allowlist. SlowWarningThreshold = 5 * time.Second )
Variables ¶
This section is empty.
Functions ¶
func RedactFindings ¶ added in v1.4.1
Types ¶
type ContextMode ¶ added in v1.1.1
type ContextMode int
ContextMode determines how match context is extracted.
const ( ContextModeNone ContextMode = iota ContextModeCols // offset-based (characters/columns before/after) ContextModeBox // line-based; optional C clips each line to a column window around the match )
type Detector ¶
type Detector struct {
// Config is the configuration for the detector
Config *config.Config
// MaxDecodeDepths limits how many recursive decoding passes are allowed
MaxDecodeDepth int
// MatchContext specifies how much context to extract around a match.
MatchContext MatchContextSpec
// ValidationStatusFilter, when non-empty, restricts which findings are
// printed in verbose mode. Parsed from --validation-status.
ValidationStatusFilter map[string]struct{}
// ValidationPool is the expression validation worker pool.
ValidationPool *validate.Pool
// ValidationCounts tracks how many findings were returned for each
// ValidationStatus value. Populated by the Run/DetectSource consumer;
// safe to read after the scan returns.
ValidationCounts map[report.ValidationStatus]int
// ValidationExtractEmpty controls whether empty values from extractors
// are included in validation output.
ValidationExtractEmpty bool
// IgnoreGitleaksAllow is a flag to ignore gitleaks:allow comments.
IgnoreGitleaksAllow bool
TotalBytes atomic.Uint64
// TODO remove this in v2
// SkipFindingAppend skips populating the deprecated detector-level findings
// slice while consuming results from Run.
//
// This keeps Run callers from retaining a second compatibility copy of the
// same findings when they are already consuming results directly.
//
// DetectSource intentionally ignores this flag to preserve its historical
// return contract.
SkipFindingAppend bool
// ----------------------------------------------------------------
// DEPRECATED fields below, to be removed in the next major version
//
//
// report-related settings.
// Deprecated: detect should not handle reporting
ReportPath string
// Deprecated: detect should not handle reporting
Reporter report.Reporter
// Redact is a flag to redact findings. This is exported
// so users using gitleaks as a library can set this flag
// without calling `detector.Start(cmd *cobra.Command)`
Redact uint
// verbose is a flag to print findings
Verbose bool
// MaxArchiveDepth limits how deep the sources will explore nested archives
MaxArchiveDepth int
// files larger than this will be skipped
MaxTargetMegaBytes int
// followSymlinks is a flag to enable scanning symlink files
FollowSymlinks bool
// NoColor is a flag to disable color output
NoColor bool
// LegacyPrint uses the legacy key/value verbose format (typically with Verbose=true).
LegacyPrint bool
// Sema (https://github.com/fatih/semgroup) controls the concurrency
// Deprecated: this is only used for git log workers and can be removed when the legacy git scan is removed in v2.
Sema *semgroup.Group
// contains filtered or unexported fields
}
Detector is the main detector struct
func NewDetector
deprecated
func NewDetectorContext ¶
func NewDetectorContext(ctx context.Context, cfg *config.Config, valOpts ValidationOptions) *Detector
NewDetectorContext creates a new Detector. It compiles global expressions and, when valOpts.Enabled is true, creates the validation worker pool. Per-rule expressions compile lazily on first use.
func NewDetectorDefaultConfig ¶
NewDetectorDefaultConfig creates a new detector with the default config
func (*Detector) AddBaseline ¶
func (*Detector) AddFinding ¶
AddFinding adds a finding to the pipeline. Findings needing validation are submitted to the pool; all others go directly to findingsCh. Deprecated: only used in deprecated calls. New code calls routeFinding directly.
func (*Detector) AddGitleaksIgnore ¶
func (*Detector) DetectSource ¶
func (d *Detector) DetectSource(ctx context.Context, source sources.Source) ([]report.Finding, error)
DetectSource scans the given source and returns a list of findings Deprecated: use Run instead for more flexible and efficient processing of findings.
func (*Detector) DetectString ¶
DetectString scans the given string and returns a list of findings
func (*Detector) FilterByStatus ¶ added in v1.1.0
FilterByStatus returns findings whose ValidationStatus is in d.ValidationStatusFilter. If the filter is empty, all findings are returned. The pseudo-status "none" matches findings with no ValidationStatus set.
func (*Detector) Findings ¶
Findings returns the findings added to the detector. Deprecated: this is only used in deprecated calls. New code should access findings directly from the channel or ValidationPool. Report redaction is applied in cmd.findingSummaryAndExit via RedactFindings.
func (*Detector) Run ¶ added in v1.2.0
Run executes the pipeline on the given source and yields results as they are found. It returns an iterator of Results, which can be consumed by the caller. We return an iterator to make the API clean. You can do things like:
for result := range detector.Run(ctx, source) {
// do something
}
The context can be used to cancel the scan. Internally uses a channel to send results from the scanning goroutine to the caller, allowing for concurrent processing of findings as they are discovered.
type Location ¶
type Location struct {
// contains filtered or unexported fields
}
Location represents a location in a file
type MatchContextSpec ¶ added in v1.1.1
type MatchContextSpec struct {
Mode ContextMode
ColsBefore int // cols mode: context window; box mode: per-line column clip before match
ColsAfter int // cols mode: context window; box mode: per-line column clip after match
LinesBefore int
LinesAfter int
}
MatchContextSpec describes how much context to extract around a match.
func ParseMatchContext ¶ added in v1.1.1
func ParseMatchContext(s string) (MatchContextSpec, error)
ParseMatchContext parses a match-context specification string.
func (MatchContextSpec) IsZero ¶ added in v1.1.1
func (m MatchContextSpec) IsZero() bool
IsZero returns true if no context extraction is configured.
type TiktokenLoader ¶ added in v1.1.2
type TiktokenLoader struct{}
TikTokenLoader implements the tiktoken.BpeLoader interface
func (*TiktokenLoader) LoadTiktokenBpe ¶ added in v1.1.2
func (l *TiktokenLoader) LoadTiktokenBpe(file string) (map[string]int, error)
LoadTiktokenBpe parses the embedded BPE file into the expected map.
type ValidationOptions ¶ added in v1.2.0
type ValidationOptions struct {
Enabled bool
Debug bool
Workers int
Timeout time.Duration
ExtractEmpty bool
StatusFilter string // comma-separated list of statuses to include
// ValidationEnvVars lists environment variable names the validation Expr
// env(...) binding may read (see --validation-env-vars). Parsed into
// exprruntime.Runtime.AllowedEnv when the validation env is created.
ValidationEnvVars []string
}
ValidationOptions controls secret validation behavior. Zero value means validation is disabled.