scanners/boostsecurityio/gitleaks/module.yaml

api_version: 1.0

id: boostsecurityio/gitleaks
name: Gitleaks
namespace: boostsecurityio/gitleaks
scan_types:
  - secrets

config:
  support_diff_scan: true

setup:
- name: Download Gitleaks
  environment:
    VERSION: 8.18.2
    LINUX_X86_64_SHA: 6298c9235dfc9278c14b28afd9b7fa4e6f4a289cb1974bd27949fc1e9122bdee
    LINUX_ARM64_SHA: 4df25683f95b9e1dbb8cc71dac74d10067b8aba221e7f991e01cafa05bcbd030
    MACOS_ARM64_SHA: 7be53fa77d7ec10cb8a7085d6ebcf375d55dd4c71f2cf6e7e6bf11554847a095
    MACOS_X86_64_SHA: b2dc4f853128062856273d422e2f29791a036641c1655feb83192078970fbfc0
  run: |
    BINARY_URL="https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}"
    ARCH=$(uname -m)

    case "$(uname -sm)" in
      "Linux x86_64")
        BINARY_URL="${BINARY_URL}/gitleaks_${VERSION}_linux_x64.tar.gz"
        SHA="${LINUX_X86_64_SHA} gitleaks.tgz"
        ;;
      "Linux aarch64")
        BINARY_URL="${BINARY_URL}/gitleaks_${VERSION}_linux_arm64.tar.gz"
        SHA="${LINUX_ARM64_SHA} gitleaks.tgz"
        ;;
      "Darwin arm64")
        BINARY_URL="${BINARY_URL}/gitleaks_${VERSION}_darwin_arm64.tar.gz"
        SHA="${MACOS_ARM64_SHA} gitleaks.tgz"
        ;;
      "Darwin x86_64")
        BINARY_URL="${BINARY_URL}/gitleaks_${VERSION}_darwin_x64.tar.gz"
        SHA="${MACOS_X86_64_SHA} gitleaks.tgz"
        ;;
      *)
        echo "Unsupported machine: ${OPTARG}"
        exit 1
        ;;
    esac

    curl -o gitleaks.tgz -fsSL "${BINARY_URL}"
    echo "${SHA}" | sha256sum --check

    tar --no-same-owner -zxf gitleaks.tgz gitleaks
    rm gitleaks.tgz
    chmod +x gitleaks

steps:
  - scan:
      format: sarif
      command:
        environment:
          GITLEAKS_CONFIG: ${GITLEAKS_CONFIG:-}
        run: |
          $SETUP_PATH/gitleaks detect --no-banner --exit-code 0 --report-format sarif --no-git --report-path $SETUP_PATH/gitleaks-output.sarif --source .
          cat $SETUP_PATH/gitleaks-output.sarif

      post-processor:
        - docker:
            command: process
            image: public.ecr.aws/boostsecurityio/boost-scanner-gitleaks:a13a131@sha256:97321d82da1b4adfbc1cd7fddb23a2ef57b8f9c2db0ccbc007f15f7adefb0086
        - docker:
            command: process
            image: public.ecr.aws/boostsecurityio/boost-scanner-keyscope:458e3dd@sha256:6b611b085271e2c8ed15590f536fd4a29221a11752ef7525bbb60be9ad241902
            environment:
              VALIDATE_SECRET: ${GITLEAKS_VALIDATE_SECRETS:-}