Description
Describe the bug
The allowlisting does not appear to be working - either rules-level or global.
To Reproduce
I am using the docker 7.1.0 container, but believe I saw the same thing in 7.0.2
The command I'm using is of the form
```shell
docker run --rm -v $(git rev-parse --show-toplevel)/gitleaks.toml:/tmp/gitleaks.toml -v $(git rev-parse --show-toplevel):/toscan zricethezav/gitleaks:v7.1.0 gitleaks --config-path=/tmp/gitleaks.toml --verbose --no-git -p=/toscan --leaks-exit-code=2
```
The ruleset has the following rules (note, I tried .git and .git$ ... just to be sure):
```toml
[[rules]]
description = "Block dangerous filetypes"
file = '''(.*?)(pdf|doc|docx|zip|xls|tfplan|tfstate|tfvars|vault_pass|vagrant|pyc|key|cache)$'''
tags = ["key", "extensions"]
[rules.allowlist]
paths = ['''.git''']
description = "ignore known locations and files"

[allowlist]
description = "Allowlisted files"
paths = ['''.git$''']
```
Plus with --no-git the .git directory should be ignored globally.
However, gitleaks still reports leaks within the .git directory. Additionally, I've observed allowlisting to be broken not just with .git but seemingly completely. For example, without --no-git and instead with --files-at-commit I see allowlisted files and paths (globally and rules-level) still detected as leaks.
Expected behavior
I would expect gitleaks to allowlist the .git directory. In other cases, I would expect gitleaks to respect allowlisting.
Basic Info (please complete the following information):
- Docker
zricethezav/gitleaks:v7.1.0
Additional context
I'm very confused. Are all the test cases from the repo passing? I've done a lot of troubleshooting locally to see if I have borked my config - but the --no-git + .git allowlisted explicitly seems like the best minimal proof this is a bug
cc @zricethezav
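As an added check, not part of the issue or of the gitleaks project: a small Python script that evaluates the allowlist patterns from the issue's gitleaks.toml against a handful of constructed paths, so the patterns can be verified independently of whatever the scanner does with them. It assumes that each `paths` entry is a regular expression searched unanchored over the file path (Go `regexp.MatchString` semantics) and that a finding is suppressed when either the rule-level or the global allowlist matches; the `PROPOSED_GIT_DIR_PATTERN`, `would_report` and `evaluate` names and the sample paths are mine.

```python
import re

# Patterns copied from the gitleaks.toml in the issue above.
RULE_FILE_PATTERN = r"(.*?)(pdf|doc|docx|zip|xls|tfplan|tfstate|tfvars|vault_pass|vagrant|pyc|key|cache)$"
RULE_ALLOWLIST_PATHS = [r".git"]     # [rules.allowlist] paths
GLOBAL_ALLOWLIST_PATHS = [r".git$"]  # [allowlist] paths

# Hypothetical tighter pattern (my suggestion, not from the issue): a path
# component named exactly ".git", at the repository root or at any depth.
PROPOSED_GIT_DIR_PATTERN = r"(^|/)\.git(/|$)"

# Constructed sample paths, chosen to expose the edge cases.
SAMPLE_PATHS = [
    ".git/objects/ab/cdef",      # loose object inside the .git directory
    ".git/hooks/deploy.key",     # file inside .git that the rule's file regex also hits
    "sub/.git",                  # a nested repository's .git entry
    ".gitignore",                # starts with ".git" but is not the directory
    "notes/digital.txt",         # contains "igit", nothing to do with git
    "tools/legit",               # ends in "git", nothing to do with git
    "config/terraform.tfvars",   # should be reported: matches the rule, not under .git
]


def path_allowed(path, patterns):
    """Assumption: gitleaks applies each allowlist path as an unanchored regex
    search over the path. True if any pattern matches."""
    return any(re.search(p, path) is not None for p in patterns)


def rule_matches_file(path):
    """Does the rule's `file` regex select this path at all?"""
    return re.search(RULE_FILE_PATTERN, path) is not None


def would_report(path, allowlist_paths):
    """Assumption: a finding is reported only if the rule selects the file
    and no allowlist pattern (rule-level or global) matches its path."""
    return rule_matches_file(path) and not path_allowed(path, allowlist_paths)


def evaluate(path):
    """Summarise how each layer of the issue's config treats one path."""
    return {
        "rule_file_match": rule_matches_file(path),
        "rule_allowlist(.git)": path_allowed(path, RULE_ALLOWLIST_PATHS),
        "global_allowlist(.git$)": path_allowed(path, GLOBAL_ALLOWLIST_PATHS),
        "proposed_anchored": path_allowed(path, [PROPOSED_GIT_DIR_PATTERN]),
    }


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        flags = ", ".join(f"{k}={'Y' if v else 'n'}" for k, v in evaluate(p).items())
        print(f"{p:28} {flags}")
```

Under these assumptions the table shows two things worth knowing before blaming the scanner: `.git$` can never match a file beneath `.git/` (the path ends in the object or hook name, not in `git`), so the global allowlist as written cannot cover findings inside that directory; and the bare `.git` used at rule level also allowlists unrelated paths such as `notes/digital.txt` and `.gitignore`, which is the opposite failure mode, since an over-broad allowlist silently hides real secrets. The anchored form `(^|/)\.git(/|$)` matches exactly the `.git` directory and nothing else. None of this rules out a separate defect in how the scanner applies allowlists, which is what the issue is asking about.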