
Extend default gitleaks config; add secretscan exception for K8s Sealed Secrets#2701

Open
RebeccaMahany wants to merge 3 commits into kolide:main from RebeccaMahany:becca/extend-gitleaks-config

Conversation

@RebeccaMahany
Contributor

@RebeccaMahany RebeccaMahany commented Apr 17, 2026

Updates our config generation so that we can extend the default config with our own overrides.

This was a bit difficult because of two issues with global state in upstream packages:

  • The viper global var, which we'd previously noted with a workaround -- but this workaround no longer works when we extend the default config: https://github.com/gitleaks/gitleaks/blob/master/config/config.go#L377. This results in data races in tests.
  • The config package var extendDepth, which quickly exceeds the maxExtendDepth of 2 across our test cases, despite parsing new config objects each time. This results in empty configs in every test except the first two that run, because gitleaks will no longer pull in the default config.

I solved this with a package-level config, configErr, and newConfigOnce sync.OnceFunc. I am not thrilled with the solution, but I couldn't come up with anything better. (Calling viper.MergeConfig didn't work -- it doesn't let us do partial rule overrides. I didn't want to re-implement config.extend here and write merge logic from scratch, either.)

This PR also adds an exception for K8s Sealed Secrets, as documented in gitleaks/gitleaks#1728, and test for same. Getting to add exceptions like these is the motivation for this PR. I plan to move isEmptyVariable and hopefully isEncryptedJWTFamilyValue to the config as well.
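The once-guarded loader described above, as an added illustration that is not code from this PR or from gitleaks: a hypothetical `loadConfig` stands in for the gitleaks config loader (which mutates the viper global and `extendDepth` on every call), and `GetConfig` hands every caller the same config and error via `sync.OnceFunc`, so the loader's global side effects happen exactly once even under concurrent test callers.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
)

// Config is a hypothetical stand-in for the gitleaks config type.
type Config struct {
	Rules     []string
	Allowlist []string
}

var (
	loadCalls atomic.Int32 // how many times the real loader actually ran

	cfg           *Config
	cfgErr        error
	newConfigOnce = sync.OnceFunc(func() { cfg, cfgErr = loadConfig() })
)

// loadConfig stands in for the gitleaks loader. Running it twice would, in the
// real package, corrupt shared state; here a second run is turned into an error
// so the guard is observable.
func loadConfig() (*Config, error) {
	if loadCalls.Add(1) > 1 {
		return nil, errors.New("loader ran more than once")
	}
	return &Config{
		Rules:     []string{"generic-api-key"},   // constructed sample rule id
		Allowlist: []string{"sealed-secrets"},    // constructed sample allowlist id
	}, nil
}

// GetConfig is the single entry point; every caller observes one load result.
func GetConfig() (*Config, error) {
	newConfigOnce()
	return cfg, cfgErr
}

// LoadCount reports how often the underlying loader ran (expected: 1).
func LoadCount() int32 { return loadCalls.Load() }

func main() {
	c, err := GetConfig()
	fmt.Println(c, err, LoadCount())
}
```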

@RebeccaMahany RebeccaMahany added the features-improvements Features and Improvements label Apr 17, 2026
@RebeccaMahany RebeccaMahany marked this pull request as ready for review April 17, 2026 20:58