chore(deps): update pre-commit hook gitleaks/gitleaks to v8.23.3

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
gitleaks/gitleaks	repository	minor	v8.18.4 -> v8.23.3

Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.

---

Release Notes

gitleaks/gitleaks (gitleaks/gitleaks)

v8.23.3

Compare Source

Changelog

• 3188ad6 Don't exit with error if git repacking is required (#​1711)
• 7fc11bb refactor(config): use non-capture groups for allowlists (#​1735)
• 36c52c6 chore: Enhance curl-auth-user to detect empty usernames or passwords (#​1726)
• 1f323d8 fix(cmd): read log-opts before GitLogCmd (#​1730)

v8.23.2

Compare Source

Changelog

• d88bc09 facebook keyword
• 3fdaefd fix(meraki): restrict keyword case (#​1722)
• f3ae52e feat(generic-api-key): detect base64 (#​1598)
• d6a828a great branch name (#​1721)
• d2ffffe fix(git): remove .git suffix for links (#​1716)
• a43dc0d chore: refine generic-api-key fps + trace logging (#​1720)
• 69ed20e fix(generate): move newline out of char range (#​1719)
• 52b895a newline literal (#​1718)
• 3f4d91f build: support either stdlib or 3rd-party regexp (#​1706)
• 049f5b2 chore(detect): update trace logging (#​1713)
• 7a6183d feat(git): redact passwords from remote URL (#​1709)
• 3c7f3f0 feat(git): include link in report (#​1698)
• 0e3f4f7 chore: reduce generic-api-key fps (#​1707)
• 3ed8567 blorp
• e977850 added new rule for cisco meraki api key (#​1700)
• ad7a4fb feat: general fp tweaks (#​1703)
• b2cf03c chore(generate): use \x60 instead of literal (#​1702)
• a3f623c chore(regex): simplify secretPrefix, suffix (#​1620)
• cc71bb1 update version for pre-commit in README.md (#​1699)

v8.23.1

Compare Source

Changelog

• 7bad9f7 chore(gcp): add firebase example keys to the gcp-api-key allowlists (#​1635)
• 977236c fix: unaligned 64-bit atomic operation panic (#​1696)
• a211b16 force push to master everyday
• 0e5f644 feat(config): disable extended rule (#​1535)
• f320a60 style: prevent globbing and word splitting (#​1543)
• c4526b2 refactor(generic-api-key): remove hard-coded 'magic' (#​1600)
• 748076d chore(generate): add failing test case (#​1690)

v8.23.0

Compare Source

Changelog

• db8e5e6 feat(generate): use multiple allowlists (#​1691)
• 973c794 chore(rules): include fps in reference (#​1471)
• f0d4499 Add comma as operator for GenerateSemiGenericRegex (#​1679)
• ab38a46 refactor: central logger (#​1692)
• b022d1c friendship ended with tines

READ THIS!!! The default gitleaks config now uses [[rules.allowlists]]

##### ⚠️ In v8.21.0 `[rules.allowlist]` was replaced with `[[rules.allowlists]]`.
##### This change was backwards-compatible: instances of `[rules.allowlist]` still  work.
    #

##### You can define multiple allowlists for a rule to reduce false positives.
##### A finding will be ignored if _ANY_ `[[rules.allowlists]]` matches.
    [[rules.allowlists]]
    description = "ignore commit A"

##### When multiple criteria are defined the default condition is "OR".
##### e.g., this can match on |commits| OR |paths| OR |stopwords|.
    condition = "OR"
    commits = [ "commit-A", "commit-B"]
    paths = [
      '''go\.mod''',
      '''go\.sum'''
    ]

##### note: stopwords targets the extracted secret, not the entire regex match
##### like 'regexes' does. (stopwords introduced in 8.8.0)
    stopwords = [
      '''client''',
      '''endpoint''',
    ]

    [[rules.allowlists]]

##### The "AND" condition can be used to make sure all criteria match.
##### e.g., this matches if |regexes| AND |paths| are satisfied.
    condition = "AND"

##### note: |regexes| defaults to check the _Secret_ in the finding.
##### Acceptable values for |regexTarget| are "secret" (default), "match", and "line".
    regexTarget = "match"
    regexes = [ '''(?i)parseur[il]''' ]
    paths = [ '''package-lock\.json''' ]

v8.22.1

Compare Source

Changelog

• b69b515 Entropy trace (#​1659)
• 7357adc build: add 'toolchain' to go.mod (#​1682)
• 4c3da6e refactor(detect): create readUntilSafeBoundary + add tests (#​1676)
• dbe3746 twitter really does suck ass now
• 7edfc6b chore(tests): test cases for generate.go (#​1623)
• efe40ca fix: only use non-empty secret groups (#​1632)
• 7cb5f6f build: upgrade sprig v2->v3 (#​1674)
• 2930537 fix: generate report file even if no findings (#​1673)

v8.22.0

Compare Source

Changelog

• a91c671 replace std library regex engine with go-re2 (#​1669)

---

This bumps the gitleaks binary size from around 8.5MB to 15MB but yields 2-4x speedup. Worth it imo. If you feel strongly against this change feel free to open an issue where we can discuss the tradeoffs in more depth. Credit to @​ahrav

v8.21.4

Compare Source

Changelog

• 906085f Update golang version to 1.23 (#​1672)
• 8a83062 log bytes (#​1670)

v8.21.3

Compare Source

Changelog

• a9e6d8c go mod 1.23
• 2f73a3e Ensure keywords are downcased (#​1633)
• f696605 feat: add settlemint api keys detection (#​1663)
• 0bf13fc feat(dir): better chunking (#​1665)
• 83e99ba feat(report): allow user-defined templates (#​1650)
• e393d29 Add support for GitLab routable tokens (#​1656)
• 263ce82 Add freemius secret key detection (#​1611)
• 3c0e068 fix(kubernetes): only match 'kind: secret' (#​1649)
• f3adda0 feat: use STDOUT when report file not specified (#​1642)
• ed205a5 fix(dir): skip opening file&dir if allowlist matches (#​1653)
• 6018012 fix: increase chunk size 10kb -> 100kb (#​1652)
• 7f77987 feat: detect sentry.io tokens in the new format (#​1640)
• 48a2e0e refactor: pre-commit hooks (#​1627)
• 4e303d0 fix(easypost): only detect tokens of correct length (#​1628)
• c1add1d feat(dir): continue on permission error (#​1621)
• 202106a Add human readable description for curl rules (#​1625)
• 8e94f98 Add option to include Line field in report (#​1616)
• dbb42a7 hm (great comment)
• 2599460 Update README.md
• 8ffb980 nop for stupid build
• 4181ad6 Add new jira api token pattern (#​1601)
• 48ea14b feat: update global & generic allowlist (#​1618)
• 81f0002 fix(vault-service-token): ensure that TPS contains digits (#​1614)
• c11adc9 Generate comprehensive secret samples (#​1484)
• d1d9054 fix(aws): detect token in url (#​1615)
• 5fe58bf fix(rules): entropy, uppercase in samples (#​1593)
• 5c2e813 feat: tweak rules (#​1608)

v8.21.2

Compare Source

Changelog

• 43fae35 feat(rules): create Octopus Deploy api key (#​1602)
• a158e4f fix(aws-access-token): only match if correct length (#​1584)
• b6e0eee fix(config): ignore jquery/swagger w/o version (#​1607)
• 722e7d8 feat: add new GitLab tokens (#​1560)
• 961f2e6 feat(generic-api-key): tune false positives (#​1606)
• e734fcf Create .gitleaks.toml (#​1605)
• 7206d6b feat(curl): tweak tps and fps (#​1603)
• 2db25f1 feat(config): ignore swagger-ui assets (#​1604)
• e97695b feat(generic-api-key): exclude keywords (#​1587)
• 0afb525 feat(okta): bump entropy to 4 (#​1599)
• 2068870 feat: update global allowlist (#​1597)
• 8cf93b9 refactor(allowlist): deduplicate commits & keywords (#​1596)
• 50c2818 feat(config): ignore jquery static assets (#​1595)
• 455ae0a More rule fixes (#​1586)
• 5407c44 chore: log skipped symlinks (#​1591)
• d03d6c4 feat: match left side of identifier (#​1585)
• 851c11a what secrets?
• 8cfa6b2 fix(rules): add entropy (#​1580)
• 9152eaa feat(aws): add entropy & allowlist (#​1582)
• 93acc6e feat(rules): add 1password token (#​1583)
• 83a5724 feat(config): add curl header rule (#​1576)

v8.21.1

Compare Source

Changelog

• cf5334f feat: add curl basic auth rule (#​1575)
• d07b394 Update spelling in README.md (#​1574)
• 5c03fa4 refactor(allowlist): use iota for condition (#​1569)
• 12034a7 refactor(config): temporarily switch to [rules.allowlist] (#​1573)

v8.21.0

Compare Source

Changelog

• aabe381 Define multiple allowlists per rule (#​1496)
• 8ea6085 build: upgrade gitleaks/go-gitdiff to v0.9.1 (#​1559)
• be9d0f8 Fix rule extension (#​1556)
• 9988e52 Update base config allowlist (#​1555)
• 8fb39ba feat(azure): detect Azure AD client secrets (#​1199)
• 14c924d chore: match gitleaks.toml anywhere (#​1553)

respect @​rgmz @​9999years

⚠️ Note: you may find some findings that were previously ignored if using .gitleaksignore pop up in your scans. This is due to a fix for a long standing bug where gitleaks would incorrectly report merge commit SHAs instead of the actual commit where a secret was introduced. See the following issues for more context:

• https://github.com/gitleaks/gitleaks/issues/1333
• https://github.com/gitleaks/gitleaks/pull/1559
• https://github.com/gitleaks/gitleaks/issues/1570#issuecomment-2413947146

v8.20.1

Compare Source

Changelog

• b2fbaeb feat(config): add placeholder regexes to global allowlist (#​1547)
• 00bb821 feat: add PrivateAI rule (#​1548)
• 445abe3 Bump golang verion used in docker build to match version specified in go.mod (#​1551)
• 1a2f656 feat: add cohere rule (#​1549)
• 82d737d feat(generate): generate global (#​1546)
• f6e5499 Feat/nuget config password rule (#​1540)

v8.20.0

Compare Source

Changelog

• bf8a49f Make private key check less greedy and include fifth dash (#​1440)
• 9c354f5 print tags if they exist
• 2278a2a Decode Base64 (#​1488)
• c5b15c9 refactor(config): keyword map (#​1538)
• a971a32 fix: use regexTarget for extend config (#​1536)
• a0f2f46 feat: bump go to 1.22 (#​1537)
• 4e8d7d3 fix: handle pre-commit and staged (#​1533)
• f8dcd83 Bugfix/1352 incorrect report multiple lines (#​1501)

Huge huge thanks to @​bplaxco for supporting b64 decoding, @​recreator66 for bug fixes, and to @​rgmz for his continued support of the project in the form of PRs and reviews. Thanks you!

New Feature: Decoding

Sometimes secrets are encoded in a way that can make them difficult to find
with just regex. Now you can tell gitleaks to automatically find and decode
encoded text. The flag --max-decode-depth enables this feature (the default
value "0" means the feature is disabled by default).

Recursive decoding is supported since decoded text can also contain encoded
text. The flag --max-decode-depth sets the recursion limit. Recursion stops
when there are no new segments of encoded text to decode, so setting a really
high max depth doesn't mean it will make that many passes. It will only make as
many as it needs to decode the text. Overall, decoding only minimally increases
scan times.

The findings for encoded text differ from normal findings in the following
ways:

• The location points the bounds of the encoded text
  • If the rule matches outside the encoded text, the bounds are adjusted to
    include that as well
• The match and secret contain the decoded value
• Two tags are added decoded:<encoding> and decode-depth:<depth>

Currently supported encodings:

• base64 (both standard and base64url)

v8.19.3

Compare Source

Changelog

• ed19c4e fix(config): extend allowlist & handle extend when validating (#​1524)
• 989ef19 refactor(kubernetes-secret): tweak variable chars (#​1520)
• 191eb43 Revert "remove validate config test temporarily" (#​1529)
• 78f7d3f feat: create fly.io rule (#​1528)
• 7098f6d fix: to many false-positive for gltf files, add gltf suffix to allowlist (#​1527)
• 97dbe1e Add support in .gitleaksignore file comment strings (#​1425) (#​1502)
• 9e06824 Restrict Etsy keywords (#​1491)
• db78260 feat(github): add entropy to rule (#​1489)
• df126a7 feat(gcp): update api key rule (#​1481)
• 75dd70e fix(hashicorp): ignore common fps (#​1498)
• 8510d39 fix(square): make prefix case sensitive (#​1469)
• 3698060 refactor(kubernetes-secret): collapse rules and update regex (#​1462)

v8.19.2

Compare Source

Changelog

• 128cd22 fix(rule): comment out errant validation case (#​1509)
• 1a6d2b0 remove validate config test temporarily
• 0874ebc Update README.md

v8.19.1

Compare Source

Changelog

• 9463ffa fix flag access (#​1506)

v8.19.0

Compare Source

Changelog

• 44ad62e Deprecate detect and protect. Add git, dir, stdin (#​1504) HEY THIS IS AN IMPORTANT CHANGE. If it breaks some stuff... sorry, I'll fix it asap, just open an issue and make sure to ping me. The change is meant to be backwards compatible.
• e93a7c0 Update Harness rules to add _ and - in the account ID part. (#​1503)
• 4e43d11 chore: fix gl workflow error (#​1487)
• bd81872 Make config generation utils public (#​1480)
• 3be7faa Update Hashicorp Vault token pattern (#​1483)
• 1aae66d feat(config): update rule validation (#​1466)
• 6dfcf5e Update .gitleaksignore
• f361c5e fix(detect): handle EOF with bytes (#​1472)
• 8a1ca9e Added poetry.lock to default allowlist paths (#​1474)
• 525c4b4 refactor(sarif): remove |name| and change |shortDescription| (#​1473)
• c0fda43 Use rule id for config validation error (#​1463)
• d3c4b90 Use first non-empty group if secretGroup isn't set (#​1459)
• b4009bf chore: remove unnecessary capture groups (#​1460)
• 80bd177 Return non-0 exit code from DetectGit (#​1461)
• 0334ec1 add gradle verification-metadata.xml to global allowlist (#​1446)
• c1345e1 feat(openshift): add user token (#​1449)
• 7697b3e (feat): Adding secret detection rule for Kubernetes secrets (#​1454)
• 26f3469 add version to default
• bc979de Add go.work and go.work.sum to global allowlist (#​1353)
• b899915 Add harness PAT and SAT rules (#​1406)
• 4c5195b Update README.md

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.