Project description

Gitleaks configuration utilities

Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos.

gitleaks-py provides a python library and CLI to manage Gitleaks rule configurations:

Compare configurations using sort and diff
Verify rules against fixture files containing secrets
Merge rules from multiple files into a single file

Sort

Sort Gitleaks config file by case-insensitive rule ID.

python -m gitleaks_py.cli sort [OPTIONS] CONFIG_FILE

CONFIG_FILE File or URL to sort
-d, --dst Output destination file. Writes to std-out if omitted

Diff

Diff two config files.

python -m gitleaks_py.cli diff [OPTIONS] CONFIG_FILE [DEFAULT_CONFIG_FILE]

CONFIG_FILE File or URL to diff
DEFAULT_CONFIG_FILE File or URL to diff against. Defaults to gitleaks default config file
-d, --dst Output destination file. Writes to std-out if omitted
-o, --omissions Display omissions (rules from default config, not found in config)
-a, --additions Display additions (rule from config, not found in default config)

Verify

Verify config file against secrets held in sample files.

python -m gitleaks_py.cli verify [OPTIONS] CONFIG_FILE

CONFIG_FILE File or URL to verify
-d, --dst Output destination file. Writes to std-out if omitted
-s, --secrets Folder with secrets to test rules. Defaults to ./secrets

Files should be in YAML named as the rule id. e.g. uk-gov-notify.yml

The yaml should be structured as key-value pairs under two groupings, secrets and allowed. The key is an identifier for failures, and the value contains the secret or allowed value to be tested. e.g.

secrets:
  api-key: "gitleakstest-af3bb117-d149-4b23-ab1d-8d19ab184094-68a09f80-1f89-4d98-bd9e-ec431e970940"
  api-key-upper: "GITLEAKSTEST-AF3BB117-D149-4B23-AB1D-8D19AB184094-68A09F80-1F89-4D98-BD9E-EC431E970940"
  api-key-no-delim: "gitleakstest-af3bb117d1494b23ab1d8d19ab18409468a09f801f894d98bd9eec431e970940"
allowed:
  test-api-key: "gitleakstest-aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa-aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"

When allowing patterns for test data, choose something that is obviously not a real secret, such as all letter 'a'. The chances of this being generated in production should be low.

Merge

Merge multiple config files into one

python -m gitleaks_py.cli merge [OPTIONS] [CONFIG_FILES]...

CONFIG_FILES A space separated list of files to merge. Glob patterns may be used. e.g. toml/*.toml
-t, --title Output config title. Joins titles from files if omitted
-d, --dst Output destination file. Writes to std-out if omitted

Project details

These details have not been verified by PyPI

GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Release history Release notifications | RSS feed

This version

0.3.1

Oct 25, 2022

0.2.0

Oct 23, 2022

0.1.1

Oct 22, 2022

0.1.0

Oct 22, 2022

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

gitleaks_py-0.3.1.tar.gz (7.9 kB view hashes)

Uploaded Oct 25, 2022 Source

Built Distribution

gitleaks_py-0.3.1-py3-none-any.whl (9.3 kB view hashes)

Uploaded Oct 25, 2022 Python 3

Hashes for gitleaks_py-0.3.1.tar.gz

Hashes for gitleaks_py-0.3.1.tar.gz
Algorithm	Hash digest
SHA256	`5aa3de9d64a73096ff57531be12271761d64db16774018f77e7ece0b418b716a`
MD5	`91b7634d44ccefe20700fd498e12139f`
BLAKE2b-256	`4e5a054475a12118b38740e70ada5ed70979ff0ccff70044b550911899bd2326`

Hashes for gitleaks_py-0.3.1-py3-none-any.whl

Hashes for gitleaks_py-0.3.1-py3-none-any.whl
Algorithm	Hash digest
SHA256	`ac36123b5f52ddba8daa3bae44abdc33e3bb5aa2749b24b29493a1d0dd19cfa9`
MD5	`02b64613d4c6b5b74bef2949f97072ab`
BLAKE2b-256	`fc1dd50674ae81f2c7042782a197d2222399f90a2aeff247d6e4088d07cf505b`