Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scan only PR commits for Gitleaks instead of whole codebase #2487

Closed
DariuszPorowski opened this issue Mar 27, 2023 · 6 comments · Fixed by #2504
Closed

Scan only PR commits for Gitleaks instead of whole codebase #2487

DariuszPorowski opened this issue Mar 27, 2023 · 6 comments · Fixed by #2504
Labels
enhancement New feature or request

Comments

@DariuszPorowski
Copy link
Contributor

Is your feature request related to a problem? Please describe.

Scan only PR commits for Gitleaks instead of whole codebase, when VALIDATE_ALL_CODEBASE is set to false

Describe the solution you'd like

When VALIDATE_ALL_CODEBASE is set to false, and megalinter runs on PR then Gitleaks scans only PR commits.

Describe alternatives you've considered

Described scenarios is achievable by passing REPOSITORY_GITLEAKS_ARGUMENTS env contains gitleaks flag --log-opts, but nice to have out-of-the-box support (using VALIDATE_ALL_CODEBASE) without extra configuration.

- name: MegaLinter
  if: ${{ github.event_name == 'pull_request' }}
  id: megalinter
  uses: oxsecurity/megalinter/flavors/documentation@v6
  env:
    VALIDATE_ALL_CODEBASE: false
    REPOSITORY_GITLEAKS_ARGUMENTS: --log-opts '--no-merges --first-parent ${{ github.event.pull_request.base.sha }}^..${{ github.event.pull_request.head.sha }}'

Downside - to scan only PR commits with proposed gitleaks config, git checkout has to be set with fetch-depth: 0

- name: Checkout
  uses: actions/checkout@v3
  with:
    fetch-depth: 0

Additional context

N/A
@DariuszPorowski DariuszPorowski added the enhancement New feature or request label Mar 27, 2023
@nvuillam
Copy link
Member

nvuillam commented Mar 28, 2023
edited by Kurt-von-Laven
Loading

That could be doable here -> https://github.com/oxsecurity/megalinter/blob/main/megalinter/linters/GitleaksLinter.py

Before the call to cmd = super().build_lint_command(file), do something like:

if config.get("VALIDATE_ALL_CODEBASE", "true") == "false":
    self.cli_lint_extra_args +=  ['--log-opts', '--no-merges', '--first-parent', '${{ github.event.pull_request.base.sha }}^..${{ github.event.pull_request.head.sha }}']

(GitHub Actions variables should be replaced by appropriate ENV vars.)

Would you like to make a PR ? :)

@bdovaz
Copy link
Collaborator

bdovaz commented Mar 28, 2023

@nvuillam but we have to take into account other CI like Azure Pipelines, in the linter script we can't hardcode those variables that only exist in GitHub.

@DariuszPorowski
Copy link
Contributor Author

@nvuillam @bdovaz already working on PR and conditions for multi-orchestrators + local executions are on my todo list.

@nvuillam
Copy link
Member

@bdovaz indeed :)

@DariuszPorowski DariuszPorowski mentioned this issue Mar 31, 2023
Merged
4 tasks
@github-actions
Copy link
Contributor

This issue has been automatically marked as stale because it has not had recent activity.
It will be closed in 14 days if no further activity occurs.
Thank you for your contributions.

If you think this issue should stay open, please remove the O: stale 🤖 label or comment on the issue.

@github-actions github-actions bot added the O: stale 🤖 This issue or pull request is stale, it will be closed if there is no activity label Apr 30, 2023
@DariuszPorowski
Copy link
Contributor Author

wip #2504

@github-actions github-actions bot removed the O: stale 🤖 This issue or pull request is stale, it will be closed if there is no activity label May 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Scan only PR commits for Gitleaks instead of whole codebase
3 participants
@bdovaz @DariuszPorowski @nvuillam