Closed
Labels: bug (Something isn't working)
Description
Describe the bug
The change to remove godoc text filtering seems to allow the gitleaks binary to be caught as a leaked secret.
To Reproduce
Part of our CI steps download the gitleaks binary and run it locally. This allows us to cache the binary on machines inside the git repository.
Expected behavior
The gitleaks binary should not be detected as a secret.
A quick dump of the binary shows the embedded text.
hexdump -C ./bin/gitleaks | grep -C1 "PRIVATE"
003d5820 65 67 65 78 20 3d 20 27 27 27 2d 2d 2d 2d 2d 42 |egex = '''-----B|
003d5830 45 47 49 4e 20 50 52 49 56 41 54 45 20 4b 45 59 |EGIN PRIVATE KEY|
003d5840 2d 2d 2d 2d 2d 27 27 27 0a 0a 5b 5b 72 75 6c 65 |-----'''..[[rule|
--
--
003d5960 27 27 27 2d 2d 2d 2d 2d 42 45 47 49 4e 20 50 47 |'''-----BEGIN PG|
003d5970 50 20 50 52 49 56 41 54 45 20 4b 45 59 20 42 4c |P PRIVATE KEY BL|
003d5980 4f 43 4b 2d 2d 2d 2d 2d 27 27 27 0a 0a 5b 5b 72 |OCK-----'''..[[r|
--
--
003d5ab0 27 2d 2d 2d 2d 2d 42 45 47 49 4e 20 44 53 41 20 |'-----BEGIN DSA |
003d5ac0 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d |PRIVATE KEY-----|
003d5ad0 27 27 27 0a 0a 5b 5b 72 75 6c 65 73 5d 5d 0a 69 |'''..[[rules]].i|
Basic Info (please complete the following information):
- OS: macOS 11.6.1
- Gitleaks Version: v8.2.7
Additional context
Here's the full output:
gitleaks version: 8.2.7
○
│╲
│ ○
○ ░
░ gitleaks
{
"Description": "PKCS8 private key",
"StartLine": 6432,
"EndLine": 6432,
"StartColumn": 13,
"EndColumn": 39,
"Match": "-----BEGIN PRIVATE KEY-----",
"Secret": "-----BEGIN PRIVATE KEY-----",
"File": "bin/gitleaks",
"Commit": "",
"Entropy": 0,
"Author": "",
"Email": "",
"Date": "",
"Message": "",
"Tags": [],
"RuleID": "PKCS8-PK"
}
{
"Description": "RSA private key",
"StartLine": 6437,
"EndLine": 6437,
"StartColumn": 13,
"EndColumn": 43,
"Match": "-----BEGIN RSA PRIVATE KEY-----",
"Secret": "-----BEGIN RSA PRIVATE KEY-----",
"File": "bin/gitleaks",
"Commit": "",
"Entropy": 0,
"Author": "",
"Email": "",
"Date": "",
"Message": "",
"Tags": [],
"RuleID": "RSA-PK"
}
{
"Description": "SSH private key",
"StartLine": 6442,
"EndLine": 6442,
"StartColumn": 13,
"EndColumn": 47,
"Match": "-----BEGIN OPENSSH PRIVATE KEY-----",
"Secret": "-----BEGIN OPENSSH PRIVATE KEY-----",
"File": "bin/gitleaks",
"Commit": "",
"Entropy": 0,
"Author": "",
"Email": "",
"Date": "",
"Message": "",
"Tags": [],
"RuleID": "OPENSSH-PK"
}
{
"Description": "PGP private key",
"StartLine": 6447,
"EndLine": 6447,
"StartColumn": 13,
"EndColumn": 49,
"Match": "-----BEGIN PGP PRIVATE KEY BLOCK-----",
"Secret": "-----BEGIN PGP PRIVATE KEY BLOCK-----",
"File": "bin/gitleaks",
"Commit": "",
"Entropy": 0,
"Author": "",
"Email": "",
"Date": "",
"Message": "",
"Tags": [],
"RuleID": "PGP-PK"
}
{
"Description": "SSH (DSA) private key",
"StartLine": 6462,
"EndLine": 6462,
"StartColumn": 13,
"EndColumn": 43,
"Match": "-----BEGIN DSA PRIVATE KEY-----",
"Secret": "-----BEGIN DSA PRIVATE KEY-----",
"File": "bin/gitleaks",
"Commit": "",
"Entropy": 0,
"Author": "",
"Email": "",
"Date": "",
"Message": "",
"Tags": [],
"RuleID": "SSH-DSA-PK"
}
{
"Description": "SSH (EC) private key",
"StartLine": 6467,
"EndLine": 6467,
"StartColumn": 13,
"EndColumn": 42,
"Match": "-----BEGIN EC PRIVATE KEY-----",
"Secret": "-----BEGIN EC PRIVATE KEY-----",
"File": "bin/gitleaks",
"Commit": "",
"Entropy": 0,
"Author": "",
"Email": "",
"Date": "",
"Message": "",
"Tags": [],
"RuleID": "SSH-EC-PK"
}
{
"Description": "Discord client secret",
"StartLine": 6399,
"EndLine": 6399,
"StartColumn": 6,
"EndColumn": 63,
"Match": "discord_client_secret = \"8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ\"",
"Secret": "8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ",
"File": "bin/gitleaks",
"Commit": "",
"Entropy": 0,
"Author": "",
"Email": "",
"Date": "",
"Message": "",
"Tags": [],
"RuleID": "discord-client-secret"
}
cc @zricethezav
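The private-key findings above are bare PEM `BEGIN` lines that come from rule text embedded in the binary, not from key material. The following Python sketch is an added example, not part of the original issue or of gitleaks itself; it separates header-only matches from full PEM-shaped blocks. The function names, the NUL-byte binary heuristic and both sample byte strings are assumptions constructed for illustration.

```python
import re

# PEM header pattern covering the private-key types reported in the issue above.
PEM_BEGIN = re.compile(rb"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY(?: BLOCK)?)-----")
BASE64_LINE = re.compile(rb"[A-Za-z0-9+/=]{16,}")


def looks_binary(data: bytes, probe: int = 8000) -> bool:
    """Assumed heuristic: a NUL byte near the start marks a binary file."""
    return b"\x00" in data[:probe]


def classify_pem_hits(data: bytes, window: int = 4096):
    """Return (label, verdict) for every PEM private-key header in data.

    verdict is 'key-block' when a base64 body and the matching END footer
    follow the header within `window` bytes, otherwise 'bare-header' (for
    example a detection regex or documentation string embedded in a file).
    """
    results = []
    for m in PEM_BEGIN.finditer(data):
        label = m.group(1)
        tail = data[m.end(): m.end() + window]
        footer = tail.find(b"-----END " + label + b"-----")
        body = tail[:footer] if footer != -1 else b""
        has_body = any(BASE64_LINE.fullmatch(line.strip())
                       for line in body.splitlines())
        verdict = "key-block" if footer != -1 and has_body else "bare-header"
        results.append((label.decode(), verdict))
    return results


# Constructed sample: bytes shaped like the hexdump above, where the scanner's
# own rule text sits inside an executable (leading NUL bytes stand in for it).
EMBEDDED_RULES = (
    b"\x00\x00\x01\x00regex = '''-----BEGIN PRIVATE KEY-----'''\n\n[[rules]]\n"
    b"regex = '''-----BEGIN PGP PRIVATE KEY BLOCK-----'''\n"
)
# Constructed sample: a PEM-shaped block with a placeholder body, not a real key.
PEM_SHAPED = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"QUJD" * 16 + b"\n"
    + b"-----END RSA PRIVATE KEY-----\n"
)
```

A `bare-header` verdict only says that no body and footer follow the header; a truncated key would look the same, so such findings still need a glance at the surrounding bytes.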