
Support reading .gitleaksignore using git show #1249

Open · wants to merge 7 commits into base: master

Conversation

savely-krasovsky
Contributor

@savely-krasovsky savely-krasovsky commented Aug 11, 2023

Description:

Gitleaks is a cool utility to use as a pre-receive hook. It works nicely out of the box (the --log-opts option is very handy in this case!), but if a developer wants to push some false positive anyway, there is currently no way to do it, because Gitleaks tries to read .gitleaksignore only from the current work tree.

My patch also allows reading .gitleaksignore using the git show ... command. Now a developer can push both the commit with the false-positive secret and the .gitleaksignore fix, and Gitleaks will omit the problem.

It also introduces a new option (only for the detect command): --gitleaks-ignore-rev. By default it points to HEAD, but in the case of pre-receive hooks we may not have HEAD or any other branch yet (a totally new, empty repo, or a new branch). This option allows passing it:

#!/bin/bash

zero_commit='0000000000000000000000000000000000000000'

# One line per pushed ref: old SHA, new SHA, ref name
while read -r oldrev newrev refname; do
  echo "$oldrev $newrev"
  branch=${refname/#refs\/heads\/}

  # Branch or tag got deleted, ignore the push
  if [[ $newrev = "$zero_commit" ]]; then
    continue
  fi

  tmpfile=$(mktemp --suffix gitleaks)
  # Read .gitleaksignore from the pushed commit itself: a bare repo has no work tree
  cmd="gitleaks detect --verbose --gitleaks-ignore-rev=$newrev --log-opts"

  # Scan only pushed commits
  if [[ $oldrev = "$zero_commit" ]]; then
    # New branch: everything reachable from newrev that no existing ref already has
    if [[ $GL_PROTOCOL = "web" ]]; then
      $cmd "$newrev --not --all" --no-color --redact |& sed 's/^/GL-HOOK-ERR: /'
    else
      $cmd "$newrev --not --all"
    fi
  else
    # Existing branch: only the commits between the old and new tip
    if [[ $GL_PROTOCOL = "web" ]]; then
      $cmd "$oldrev..$newrev --not --all" --no-color --redact |& sed 's/^/GL-HOOK-ERR: /'
    else
      $cmd "$oldrev..$newrev --not --all"
    fi
  fi
done

I didn't write any additional tests for now, so it's a DRAFT. I want to hear some feedback.

Checklist:

  • Does your PR pass tests?
  • Have you written new tests for your changes?
  • Have you linted your code locally prior to submission?

@savely-krasovsky
Contributor Author

@zricethezav I humbly ask you to review it 😃

@savely-krasovsky
Contributor Author

I guess it's better to merge after #1250.

@savely-krasovsky
Contributor Author

Will rework it accordingly.

@savely-krasovsky savely-krasovsky changed the title DRAFT: Support reading .gitleaksignore using git show Support reading .gitleaksignore using git show Aug 24, 2023
@savely-krasovsky
Contributor Author

savely-krasovsky commented Aug 31, 2023

@zricethezav I've added tests for a bare repository, committed the .gitleaksignore file to the small test repo in both the main and foo branches, extracted the small.git repo from small/dotGit and changed core.bare to true in its config.

With this patch developers can now get an error from git push for a false positive, copy the secret's fingerprint, add it to .gitleaksignore, commit and push again. Gitleaks will see the new .gitleaksignore using git show. Currently it tries to open it from the FS, but remote repos don't have a working tree.

#1260 is a nice addition to this MR.
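The lookup this PR describes (read .gitleaksignore from a given revision with git show, fall back to the working tree, then drop findings whose fingerprint is listed), as an added example that is not the PR's own code. It assumes the fingerprint format commit:path:rule-id:line that gitleaks prints; ShowFunc is an assumed injection point so the parser can be exercised without a repository.

```go
package main

import (
	"os"
	"os/exec"
	"strings"
)

// ShowFunc returns the bytes of path at rev; GitShow is the real one, tests inject a fake.
type ShowFunc func(rev, path string) ([]byte, error)
// GitShow needs no working tree, so it also works in the bare repo a pre-receive hook sees.
func GitShow(rev, path string) ([]byte, error) {
	return exec.Command("git", "show", rev+":"+path).Output()
}

// ParseIgnore: one fingerprint (commit:path:rule-id:line) per line; blanks and "#" comments skipped.
func ParseIgnore(content []byte) map[string]bool {
	ignore := map[string]bool{}
	for _, raw := range strings.Split(string(content), "\n") {
		line := strings.TrimSpace(raw)
		if line != "" && !strings.HasPrefix(line, "#") {
			ignore[line] = true
		}
	}
	return ignore
}
// LoadIgnore prefers the copy committed at rev (what --gitleaks-ignore-rev selects),
// then the working-tree file; neither present means nothing is ignored.
func LoadIgnore(rev string, show ShowFunc) map[string]bool {
	if rev != "" {
		if b, err := show(rev, ".gitleaksignore"); err == nil {
			return ParseIgnore(b)
		}
	}
	if b, err := os.ReadFile(".gitleaksignore"); err == nil {
		return ParseIgnore(b)
	}
	return map[string]bool{}
}

// Filter drops findings whose fingerprint is ignored; whatever remains still fails the push.
func Filter(fingerprints []string, ignore map[string]bool) []string {
	kept := []string{}
	for _, fp := range fingerprints {
		if !ignore[fp] {
			kept = append(kept, fp)
		}
	}
	return kept
}
```

In the hook above, $newrev is what would be passed as rev, so the .gitleaksignore committed alongside the flagged change is honoured even when the repository has no HEAD yet.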

@savely-krasovsky
Contributor Author

@zricethezav humbly want to bring your attention here again :)
