Can I reproduce the entropy property of gitleaks?
tomyam2020 opened this issue · comments
Summary
Is there any way to reproduce the entropy property of gitleaks using only regular expressions?
Or is there a ruleset in secretlint that is equivalent to the generic-api-keys rule in gitleaks?
Background of the question
I am now trying to migrate from gitleaks to secretlint.
I was able to migrate the regular expression, but I am unable to reproduce the contents of the entropy property of gitleaks, so I get errors even in areas that are not secret.
Specifically, the contents of the generic-api-keys rule in gitleaks.toml were described in .secretlintrc.json according to the @secretlint-rule-pattern format.
gitleaks.toml
:
[[rules]]
id = "generic-api-key"
description = "Generic API Key"
regex = '''(?i)((key|api[^Version]|token|secret|password|auth)[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z\-_=]{8,64})['\"]'''
entropy = 3.7
secretGroup = 4
keywords = [
"key",
"api",
"token",
"secret",
"password",
"auth",
]
to
.secretlintrc.json
:
{
"rules": [
{
"id": "@secretlint/secretlint-rule-pattern",
"options": {
"patterns": [
{
"name": "Generic API key",
"pattern": "/((key|api[^Version]|token|secret|password|auth)[a-z0-9_ .,-]{0,25})(=|>|:=|||:|<=|=>|:).{0,5}['\"]([0-9a-zA-Z_=-]{8,64})['\"]/i"
}
]
}
}
]
}
No, curretly.
Entropy-mechanism will make false-positve and It conflict with secretlint's Philosophy.
I will not implement entropy into recommened preset or core.
It free to imlement entropy as plugin/rule.
@secretlint/secretlint-rule-pattern might have to support entopy-like mecanism.
📝 Previously I've implemented regexp patterns in webextension.
It will be false-positive, but it is just warning.
https://github.com/secretlint/webextension/blob/main/app/scripts/secretlint/rule.patterns.ts