gitleaks does not scan correct files with pre-commit run --files
krakeusz opened this issue
Describe the bug
The gitleaks pre-commit hook scans the staged files instead of the files that pre-commit requests to scan.
To Reproduce
Steps to reproduce the behavior:
# assuming pre-commit 2.21.0, go 1.22.3
mkdir -p precommit-reproduce
rm -rf precommit-reproduce/*
cd precommit-reproduce
git init
# YAML needs the nested keys indented under the repo entry
cat > .pre-commit-config.yaml <<EOF
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.2
    hooks:
      - id: gitleaks
EOF
echo "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=cafebabe:deadbeef" > leak.go
git add .pre-commit-config.yaml leak.go
git commit -m "Initial commit with a leak"
pre-commit install
pre-commit run --files leak.go # succeeds, but should not
echo "export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=cafebabe:deadbeef" >> leak.go
git add leak.go
# This one fails as expected.
git commit -m "Add another leak"
Expected behavior
pre-commit run --files leak.go should fail with a message about a leak.
Screenshots
none
Basic Info (please complete the following information):
- OS: Ubuntu 20.04
- Gitleaks Version: 8.18.2
Additional context
pre-commit run --files is a use case, e.g. in a merge-gate scenario in CI. A generic way of running pre-commit on all changed files in a PR is to git diff the changes between the source and target branch, then feed the list to pre-commit.
The workaround is probably to use gitleaks-action or to write custom code which creates a scan baseline. But couldn't gitleaks accept a list of files to scan, so that it integrates nicely with less-commonly-used commands of pre-commit?
cc @zricethezav
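The merge-gate flow described in the issue (diff the source branch against the target branch, then hand the changed files to pre-commit) as an added example; this is not code from the issue, from gitleaks or from pre-commit. It assumes a checkout where both branches are available, and the default branch names `origin/main` and `HEAD` are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original issue: run pre-commit on the files a
# PR changed, so every hook (including gitleaks) sees exactly those files.
set -eu

# List paths that differ between TARGET and SOURCE. "target...source" diffs
# against the merge base, so only the PR's own commits count, and ACMR
# (added/copied/modified/renamed) drops deleted files, which no hook can scan.
changed_files() {
  git diff --name-only --diff-filter=ACMR "$1...$2"
}

# Gate: run pre-commit on the changed files and propagate its exit status, so
# a finding from any hook fails the job. Branch names are placeholders.
gate() {
  target="${1:-origin/main}"
  source="${2:-HEAD}"
  files=$(changed_files "$target" "$source")
  if [ -z "$files" ]; then
    echo "no changed files to scan" >&2
    return 0
  fi
  # xargs batches very long lists into several pre-commit runs; it exits
  # non-zero if any run fails. Paths containing whitespace would need the
  # NUL-separated form (git diff -z / xargs -0) instead.
  printf '%s\n' "$files" | xargs pre-commit run --files
}
```

Source the file and call `gate origin/main HEAD` from the CI job; `changed_files` can also be used on its own to inspect the list before scanning.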