scan-slim 'gitleaks' not found

Question

scan-slim 'gitleaks' not found

xortim opened this issue 3 years ago · comments

I noticed that when using the scan-slim container, gitleaks doesn't appear to be installed

[19:01:22] INFO     Scanning /app using plugins ['credscan', 'terraform', 'yaml']                                                           
           DEBUG    ⚡︎ Executing credscan "gitleaks --config-path=/usr/local/src/lib/../credscan-config.toml --path=/app --leaks-exit-code=0
                    --no-git --report=/app/reports/credscan-report.json"                                                                                                                                                                                
           DEBUG    [Errno 2] No such file or directory: 'gitleaks'

Is this expected?

prabhu · Answer 1 · Thu Apr 29 2021 03:43:41 GMT+0800 (China Standard Time)

Hi @xortim , that is correct scan-slim doesn't include many tools. This is the dockerfile used - https://github.com/ShiftLeftSecurity/sast-scan/blob/master/ci/Dockerfile-dynamic-lang .

prabhu · Answer 2 · Thu Apr 29 2021 18:53:08 GMT+0800 (China Standard Time)

@xortim gitleaks is now included in the scan-slim image. Could you kindly give it a try and let me know if it works for you?

Tim Earle · Answer 3 · Thu Apr 29 2021 20:24:01 GMT+0800 (China Standard Time)

Yup! Gitleaks works now, thank you!

Tim Earle · Answer 4 · Thu Apr 29 2021 20:27:31 GMT+0800 (China Standard Time)

Only one suggestion. The terraform lockfile is picked up by gitleaks due to the high entropy. Perhaps adjusting the default configuration to allow this and other common lockfiles.

Tim Earle · Answer 5 · Thu Apr 29 2021 20:40:15 GMT+0800 (China Standard Time)

I took a stab at it here #305

prabhu · Answer 6 · Thu Apr 29 2021 20:57:57 GMT+0800 (China Standard Time)

Great PR! Thanks @xortim !