perf(loki.secretfilter): Change secretfilter implementation to use Gitleaks

[kleimkuhler]

This PR refactors the loki.secretfilter component to use the Gitleaks library instead of a custom implementation.

Changes

• Replaced custom regex-based secret detection with Gitleaks' detect.Detector
• Arguments:
  • Kept:
    • forward_to
    • origin_label
    • gitleaks_config (path to custom Gitleaks TOML)
    • redact_with (template with $SECRET_NAME / $SECRET_HASH)
  • Added:
    • redact_percent (1–100, default 80; Gitleaks-style partial redaction)
  • Removed:
    • partial_mask (replaced with redact_percent)
    • allowlist (controlled with custom gitleaks config)
    • enable_entropy (always enabled)
    • include_generic (controlled with custom gitleaks config)
    • types (controlled with custom gitleaks config)
• Redaction: If redact_with is set, it is used as the placeholder; otherwise redaction is percentage-based via redact_percent (default 80%; 100% = full "REDACTED")
• Metrics: keeping secrets_redacted_total, secrets_redacted_by_rule_total, secrets_redacted_by_origin (when origin_label is set), processing_duration_seconds. Removed secrets_allowlisted_total and secrets_skipped_entropy_by_rule_total as they are not efficient to determine with new library.
• Docs: Reference updated for the new arguments and metrics

BREAKING-CHANGE: Some config options are removed entirely:

• partial_mask (replaced with redact_percent)
• allowlist (now controlled with custom gitleaks config)
• enable_entropy
• include_generic (now controlled with custom gitleaks config)
• types (now controlled with custom gitleaks config)

BEGIN_COMMIT_OVERRIDE
feat(loki.secretfilter)!: Change secretfilter implementation to use Gitleaks (#5503)

BREAKING-CHANGE: Some config options are removed entirely:

• partial_mask (replaced with redact_percent)
• allowlist (now controlled with custom gitleaks config)
• enable_entropy
• include_generic (now controlled with custom gitleaks config)
• types (now controlled with custom gitleaks config)

END_COMMIT_OVERRIDE

[CLAassistant]

All committers have signed the CLA.

[github-actions]

🔍 Dependency Review

No existing dependency versions were upgraded in this PR. The changes to go.mod files only add new (mostly indirect) dependencies and make one existing dependency (github.com/BurntSushi/toml v1.5.0) indirect in the root module without changing its version. Per the review rules, net‑new dependencies are not assessed for upgrade impact.

Therefore, there are no upgrade-related code changes required for existing dependencies.

🗒️ Notes

• Net-new direct dependencies added in the root module (not assessed per rules):

  • github.com/spf13/viper v1.19.0
  • github.com/zricethezav/gitleaks/v8 v8.30.0

• Numerous net-new indirect dependencies were added across modules (collector/, extension/alloyengine/, and the root module) to support new functionality (for example around secret detection/redaction and archive handling). Examples include:

  • Detection/regex/WASM helpers: github.com/zricethezav/gitleaks/v8, github.com/gitleaks/go-gitdiff, github.com/wasilibs/go-re2, github.com/tetratelabs/wazero, github.com/wasilibs/wazero-helpers
  • Config and utilities: github.com/spf13/viper, github.com/pelletier/go-toml/v2, github.com/spf13/afero
  • Compression/archives: github.com/mholt/archives, github.com/therootcompany/xz, github.com/ulikunitz/xz, github.com/dsnet/compress, github.com/nwaples/rardecode/v2, github.com/sorairolake/lzip-go, github.com/STARRY-S/zip
  • Misc: github.com/h2non/filetype, github.com/BobuSumisu/aho-corasick, github.com/sourcegraph/conc, github.com/fatih/semgroup, github.com/lucasb-eyer/go-colorful, github.com/muesli/termenv, github.com/xo/terminfo

• One dependency changed from direct to indirect in the root module without a version change:

  • github.com/BurntSushi/toml v1.5.0 → now marked indirect
  • This does not require code changes.

If you intended to review upgrade impacts, please include diffs that change versions (old → new) for existing dependencies.

[kalleep]

(Breaking) Configuration options have been temporarily removed and will be added back in follow-up work

This component experimental so it's fine to make breaking changes. But if you plan to add back a all of a sub-set of the config I feel like there must be a better solution. If we merge this and the follow up work is not finished until next release we would make a release with breaking changes and then potentially add them back in a later release. That don't feel great for people using it.

As I said it's fine to make breaking changes but try to only do that if you have too. One option while not great is to keep the arguments for now and don't do anything. At least that won't break existing config even though the component internally have breaking changes

[kelnage]

Lots of comments - keeping the ability to specify a customer Gitleaks config is the key change, and replacing the Redact function with one that supports more of the secretfilter's functionality would also be a good idea

Better to reimplement again all features to maintain feature parity than risk a broken release

[github-actions]

💻 Deploy preview deleted (perf(loki.secretfilter): Change secretfilter implementation to use Gitleaks).

[kelnage]

Much better! A couple of minor points, I also noticed there was also a large reduction in the size of the unit tests, but I also noted the total code coverage increased, so I don't believe this is an issue.

[kelnage]

Note for other reviewers: this file is no longer required as it will take the default configuration (if used) directly from the Gitleaks package - so updating the github.com/zricethezav/gitleaks/v8 dependency will automatically update the default config to the latest version.

[kelnage]

LGTM!

[kelnage]

LGTM!

[kalleep]

LGTM but we do introduce breaking changes and we need to include that in changelog.

Read this to see how we can extend changelog entry beyond pr title

[clayton-cornell]

Doc changes look OK to me