Error: unknown option "staged" when running pre-commit with docker_image language #1022

Open
kbroughton opened this issue Oct 20, 2022 · 3 comments
Labels
bug Something isn't working

Comments

@kbroughton

Describe the bug
I'm seeing the unsafe directory bug
but I'm using the most recent container
zricethezav/gitleaks:v8.15.0
344cf751f79b 7 days ago 36.1MB

To Reproduce
Use the .pre-commit-config.yaml as suggested here

echo '-----BEGIN RSA PRIVATE KEY-----' > dirty
git add .
pre-commit

Expected behavior
The hook should run the same when using "language" docker_image as when run using golang (or system).

Screenshots
[Screenshot: Screen Shot 2022-10-20 at 11 31 34 AM]

Basic Info (please complete the following information):

  • OS: osx Monterey 12.6
  • Gitleaks Version: v8.15.0

Additional context
The above output comes when I have the following .pre-commit-config.yaml

repos:
- repo: https://github.com/zricethezav/gitleaks
  rev: v8.15.0
  hooks:
    - id: gitleaks
      name: gitleaks via dockerized system call
      language: system
      entry: gitleaks

# I would prefer to use the docker_image language but
# it seems that the required -v mount is only available
# for "docker" language which doesn't require user installs

- repo: local
  hooks:
  # - id: gitleaks
  #   name: Detect hardcoded secrets
  #   description: Detect hardcoded secrets using Gitleaks
  #   entry: gitleaks protect --verbose --redact --staged
  #   language: golang
  #   pass_filenames: false
  #   verbose: true
  - id: gitleaks-docker2
    name: Detect hardcoded secrets via protect docker_image
    description: Detect hardcoded secrets using Gitleaks
    entry: zricethezav/gitleaks:v8.15.0 protect --verbose --staged --redact --source /src

The "system" call is made using a docker wrapper installed to /usr/local/bin/gitleaks

#!/bin/bash
docker run -v `pwd`:/path zricethezav/gitleaks:latest -c /path/.gitleaks.toml --source=/path protect --staged --verbose

Oddly, using "system" and calling the same command I don't see the --staged problem.

I'm wondering if the -v path might not be mounting correctly, but looking at the source code for docker_image.py it
seems to be calling the docker_cmd which does mount PWD to /src.

cc @zricethezav

@kbroughton kbroughton added the bug Something isn't working label Oct 20, 2022
@peakematt

I'm having the same issue. If I update things to remove the --staged flag from the gitleaks protect invocation and ask pre-commit to give me verbose output, it looks like git does not see /src as a git repo.

$ pre-commit run --verbose gitleaks-docker
Detect hardcoded secrets.................................................Passed
- hook id: gitleaks-docker
- duration: 1.26s

○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

9:52PM DBG no gitleaks config found in path .gitleaks.toml, using default gitleaks config
9:52PM DBG executing: /usr/bin/git -C . diff -U0 .
9:52PM ERR [git] warning: Not a git repository. Use --no-index to compare two paths outside a working tree
9:52PM ERR [git] usage: git diff --no-index [<options>] <path> <path>

However, if I mount the repo the same way as pre-commit is (or at least I believe the same way...) and exec into the container to run the same gitleaks command, it appears to work?

@jmherbst

I've encountered this as well.

I believe the issue is due to pre-commit setting the -u for the docker run command.

That results in pre-commit running:

'docker', 'run', '--rm', '-u', '503:20', '-v', 'redacted-src:/src:rw,Z', '--workdir', '/src', 'zricethezav/gitleaks:latest', 'protect', '--source', '/src', '--verbose', '--redact', '--log-level', 'trace')

Which results in the following:

uid=503 gid=20(dialout) groups=20(dialout)
bash-5.1$ pwd
/src
bash-5.1$ ls -la
drwxr-xr-x   15 503      dialout        480 Jan 23 20:43 .git

bash-5.1$ git status
fatal: detected dubious ownership in repository at '/src'
To add an exception for this directory, call:

	git config --global --add safe.directory /src


bash-5.1$ git config --global --add safe.directory /src
error: could not lock config file //.gitconfig: Permission denied

bash-5.1$ /usr/bin/git -C /src diff -U0 .
warning: Not a git repository. Use --no-index to compare two paths outside a working tree
...

To fix, I changed my pre-commit config to be:

- id: gitleaks-docker
  name: Detect hardcoded secrets
  description: Detect hardcoded secrets using Gitleaks
  entry: --user gitleaks zricethezav/gitleaks:latest protect --staged --verbose --redact
  language: docker_image
  verbose: true

Happy to help resolve if someone has a good suggested fix?
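To see why putting `--user` at the front of the hook `entry` changes the container's identity, here is an added example (not code from pre-commit or gitleaks) that rebuilds the `docker run` argv the way the thread shows pre-commit assembling it for a docker_image hook and resolves which user docker will actually use; the uid/gid 503:20 and the mount path are constructed sample values mirroring the output above, and the helper names are hypothetical.

```python
import shlex
from typing import List, Optional

# Flags pre-commit's docker_image language prepends before the hook entry,
# reconstructed from the argv quoted in this thread. uid/gid/src are
# constructed sample values; on a real host they come from os.getuid() etc.
DEFAULT_UID, DEFAULT_GID = 503, 20


def precommit_docker_argv(entry: str, uid: int = DEFAULT_UID,
                          gid: int = DEFAULT_GID,
                          src: str = "/path/to/repo") -> List[str]:
    """Assemble the full `docker run` argv for a docker_image hook entry."""
    prefix = ["docker", "run", "--rm", "-u", f"{uid}:{gid}",
              "-v", f"{src}:/src:rw,Z", "--workdir", "/src"]
    return prefix + shlex.split(entry)


# docker run flags that consume the following token as their value
_VALUE_FLAGS = {"-u", "--user", "-v", "--volume", "-w", "--workdir",
                "-e", "--env", "--entrypoint", "--name", "--network"}


def effective_user(argv: List[str]) -> Optional[str]:
    """Return the user docker will run as: the last -u/--user given before the
    image name wins, because docker's flag parser keeps the final value."""
    user = None
    i = 2  # skip 'docker', 'run'
    while i < len(argv):
        tok = argv[i]
        if tok in ("-u", "--user"):
            user = argv[i + 1]
            i += 2
        elif tok.startswith("--user="):
            user = tok.split("=", 1)[1]
            i += 1
        elif tok.startswith("-"):
            i += 2 if tok in _VALUE_FLAGS else 1  # e.g. --rm takes no value
        else:
            break  # first non-flag token is the image; the rest is the command
    return user


def hook_overrides_user(entry: str) -> bool:
    """True when the entry replaces pre-commit's default host uid:gid."""
    argv = precommit_docker_argv(entry)
    return effective_user(argv) != f"{DEFAULT_UID}:{DEFAULT_GID}"
```

Running `hook_overrides_user` over each docker_image hook in a `.pre-commit-config.yaml` is a quick way to spot entries that will still execute git inside the container as the host's numeric uid:gid.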

@aokomorowski

We've encountered this issue in our repositories as well. The issue doesn't occur while using Orbstack for Mac.
