GitLeaks is erroring on an unsafe repository

[emmahsax]

Describe the bug
Since upgrading to GitLeaks 8.7+, running GitLeaks on CI gets the following error:

v8.7.1: Pulling from zricethezav/gitleaks
a0d0a0d46f8b: Pulling fs layer
c5009b1581c7: Pulling fs layer
49809964c881: Pulling fs layer
a0d0a0d46f8b: Verifying Checksum
a0d0a0d46f8b: Download complete
49809964c881: Verifying Checksum
49809964c881: Download complete
c5009b1581c7: Verifying Checksum
a0d0a0d46f8b: Pull complete
c5009b1581c7: Pull complete
49809964c881: Pull complete
Digest: sha256:3215af553cbb25a8f037549c1ed70364c
Status: Downloaded newer image for zricethezav/gitleaks:v8.7.1

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks 

4:52PM ERR fatal: unsafe repository ('/app' is owned by someone else)
4:52PM ERR To add an exception for this directory, call:
4:52PM ERR 
4:52PM ERR 	git config --global --add safe.directory /app

This is easily fixed by inserting that suggested line into our CI files:

cd /app
git config --global --add safe.directory /app
gitleaks detect --verbose --source='./' --config='.github/workflows/config.toml' --log-opts='^origin/main ${{ github.SHA }}'

But I didn't see anything in the documentation about intentional changes to gitleaks that would cause this. So, I wanted to bring awareness to it just in case nobody knew this was coming up. So far, I've run into this issue with all of my GitLab pipelines and all of my GitHub workflows.

To Reproduce
Here's what my CI workflow looked like when it was breaking:

jobs:
  gitleaks:
    if: github.EVENT_NAME == 'pull_request'
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
      with:
        fetch-depth: 0
    - run: |
        curl -H "Accept: application/vnd.github.v3.raw" \
          -L "https://api.github.com/repos/zricethezav/gitleaks/contents/config/gitleaks.toml?ref=${{ env.GITLEAKS_VERSION }}" \
          >> ${{ github.WORKSPACE }}/.github/workflows/config.toml
        if [[ ${{ github.REF }} == 'refs/heads/main' ]]; then
          CURRENT_COMMIT="${{ github.SHA }}"
        else
          CURRENT_COMMIT="${{ github.EVENT.PULL_REQUEST.HEAD.SHA }}"
        fi
        echo "LOG_OPTS='^origin/main $CURRENT_COMMIT'" >> $GITHUB_ENV
    - uses: addnab/docker-run-action@v3
      with:
        image: zricethezav/gitleaks:${{ env.GITLEAKS_VERSION }}
        options: -v ${{ github.WORKSPACE }}:/app
        run: |
          cd /app
          gitleaks detect --verbose --source='./' --config='.github/workflows/config.toml' --log-opts=${{ env.LOG_OPTS }}

You should be able to just create a new workflow with this code, and be able to see it throwing that error above.

Expected behavior
The scan works as expected without needing to specify the git directory is safe:

v8.7.1: Pulling from zricethezav/gitleaks
a0d0a0d46f8b: Pulling fs layer
c5009b1581c7: Pulling fs layer
49809964c881: Pulling fs layer
a0d0a0d46f8b: Verifying Checksum
a0d0a0d46f8b: Download complete
49809964c881: Verifying Checksum
49809964c881: Download complete
c5009b1581c7: Verifying Checksum
c5009b1581c7: Download complete
a0d0a0d46f8b: Pull complete
c5009b1581c7: Pull complete
49809964c881: Pull complete
Digest: sha256:3215af553cbb25a8f037549c1ed70364c
Status: Downloaded newer image for zricethezav/gitleaks:v8.7.1

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks 

5:02PM INF scan completed in 54.910108ms
5:02PM INF no leaks found

Screenshots
If applicable, add screenshots to help explain your problem.

Basic Info (please complete the following information):

• OS:
• Gitleaks Version:

Additional context
Add any other context about the problem here.

cc @zricethezav

[zricethezav]

Thanks @emmahsax, looks like this is similar to actions/checkout#760. I'm not sure what a solution would look like at the moment unfortunately.

[bpo]

You can avoid this issue by running git config --global --add safe.directory /app before launching gitleaks, assuming you know that the target directory is safe. Or ensure that the directory has the same owner before starting.

In my fork of the GitHub action I had to work around it slightly further by modifying the user of the Docker container to root so that they would have the permissions necessary to do a global Git config before running gitleaks. safe.directory can only be set globally, not per repo or at the command line.

[zricethezav]

Thanks @bpo, I think this is more of an environment issue rather than something that should be fixed in Gitleaks. I suppose Gitleaks could shell out git config --global --add safe.directory {source dir} but that seems like a bad idea...

I originally was gonna update the docker file with some default paths to make safe but am holding off on that: https://github.com/zricethezav/gitleaks/blob/82f7d61593dd880f40dabb915f993da1c4416edc/Dockerfile#L12-L22

[bpo]

My comment was unclear: I agree that this is environmental, not for gitleaks to fix. Gitleaks won't be guaranteed to have appropriate permissions to declare a safe directory. I'm not sure modifying the config within the Dockerfile would even help because the volume isn't yet mounted.

An approach that might work for Docker is to set the safe directory from a dedicated entrypoint script, then step down to the gitleaks user to run the gitleaks binary.

[emmahsax]

Interesting. I figured it was environment-based, but I guess assumed that maybe there should be more documentation on how to avoid this issue if it arises. In another workflow, I run this command:

docker run --rm -v $(pwd):/app -i --entrypoint /bin/bash zricethezav/gitleaks:v8.7.1 -c "gitleaks detect ..."

So, I believe, I am setting the volume.... how is that different than mounting?

[bpo]

how is that different than mounting?

Not different. The action where you attach your volume (docker run) happens after the Dockerfile is processed by docker build. So the git config --global --add safe.directory command in the Dockerfile would be declaring a path to be "safe" before it exists, which might not cause an error but is at least strange-looking.

I guess assumed that maybe there should be more documentation on how to avoid this issue if it arises

Yes. This is caused by a very recent change in Git.

[zricethezav]

Happy to accept a PR if someone wants to write up a little blurb about this in the README. If not I can get to it after work today. In either case, thanks for the help @bpo @emmahsax!

[emmahsax]

Happy to accept a PR if someone wants to write up a little blurb about this in the README. If not I can get to it after work today. In either case, thanks for the help @bpo @emmahsax!

Thanks!

[the-maux]

Just a quick fix i wanted share with you
echo "git config --global --add safe.directory /path && cd /path && gitleaks detect --no-git --redact /path -v " > cmd docker run -i -v "${PWD}":/path --entrypoint /bin/bash zricethezav/gitleaks:latest < cmd

[electriquo]

@zricethezav #846 (comment) would solve the issue for every one. What do you think of un-commenting these lines? https://github.com/zricethezav/gitleaks/blob/82e409a434924a39db90d844ffe8861b0d04f172/Dockerfile#L21-L22

in Git v2.35.3, it is better to use a wildcard

git config --global --add safe.directory '*'

and seems to pose no security risk.

Git v2.35.3 is not available for alpine-3.15 https://github.com/zricethezav/gitleaks/blob/82e409a434924a39db90d844ffe8861b0d04f172/Dockerfile#L7 but it is available for alpine-3.16

[zricethezav]

@foolioo thank you for the PR and supporting documentation for your change. I agree with what is proposed here and will include it in the next release. 🙇🏻