Documentation
¶
Overview ¶
Command patterns derives value-shape secret patterns from a gitleaks config (gitleaks.toml) and emits a generated Go source file for package scanner.
Gitleaks gets its precision from four things that the scanner's value-only ValuePattern model does not have: a per-rule keyword pre-filter, a per-rule entropy threshold, secret-group extraction, and per-rule allowlists. Loading every rule as a bare regexp.MatchString would therefore regress precision badly. This generator keeps only the rules that are safe to match against an already-extracted value: those whose regex carries a distinctive *fixed token prefix* (e.g. ghp_, glpat-, ABSK), which is what makes a vendor token self-identifying without surrounding key/quote context. Generic, key-context, and short-prefix rules are dropped.
IDs already curated by hand in patterns.go are excluded so the hand-tuned versions win and nothing is double-listed. Per-rule allowlist regexes that target the secret/match (not the file path or whole line, which value-only matching cannot see) are carried through so example keys still suppress.
Regenerate with: go generate ./pkg/scanner