scan-slim 'gitleaks' not found
xortim opened this issue · comments
I noticed that when using the scan-slim container, gitleaks doesn't appear to be installed
[19:01:22] INFO Scanning /app using plugins ['credscan', 'terraform', 'yaml']
DEBUG ⚡︎ Executing credscan "gitleaks --config-path=/usr/local/src/lib/../credscan-config.toml --path=/app --leaks-exit-code=0
--no-git --report=/app/reports/credscan-report.json"
DEBUG [Errno 2] No such file or directory: 'gitleaks'
Is this expected?
Hi @xortim, that is correct: scan-slim doesn't include many tools. This is the dockerfile used - https://github.com/ShiftLeftSecurity/sast-scan/blob/master/ci/Dockerfile-dynamic-lang .
@xortim gitleaks is now included in the scan-slim image. Could you kindly give it a try and let me know if it works for you?
Yup! Gitleaks works now, thank you!
Only one suggestion. The terraform lockfile is picked up by gitleaks due to the high entropy. Perhaps adjust the default configuration to allow this and other common lockfiles.
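One way to express that suggestion in gitleaks' own configuration syntax, as an added example that is not part of this thread and not sast-scan's actual credscan-config.toml: a global `[allowlist]` table whose `paths` entries are regular expressions matched against file paths. The table and key names are gitleaks' config format; the particular set of lockfiles listed is my assumption of what a practitioner would typically want excluded, not something the project states.

```toml
# Added example, not sast-scan's credscan-config.toml.
# Dependency lockfiles carry integrity hashes and provider checksums that
# trip entropy-based rules but are not credentials, so skip them by path.
# Merge this table into the file passed via --config-path.
[allowlist]
  description = "Dependency lockfiles (assumed list): high-entropy hashes, not secrets"
  paths = [
    '''(^|/)\.terraform\.lock\.hcl$''',
    '''(^|/)package-lock\.json$''',
    '''(^|/)yarn\.lock$''',
    '''(^|/)pnpm-lock\.yaml$''',
    '''(^|/)Gemfile\.lock$''',
    '''(^|/)Pipfile\.lock$''',
    '''(^|/)poetry\.lock$''',
    '''(^|/)Cargo\.lock$''',
    '''(^|/)go\.sum$''',
  ]
```

The patterns are anchored to the file name (`(^|/)` ... `$`) so that only the lockfile itself is skipped rather than any path containing the substring; keeping the exclusion path-based, instead of raising the entropy threshold globally, means genuine high-entropy tokens elsewhere in the repository are still reported. After adding the table, re-run the same credscan command shown above and confirm the lockfile no longer appears in credscan-report.json.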