secureCodeBox · rfelber · Apr 11, 2021 · Mar 6, 2021 · Mar 6, 2021 · Mar 6, 2021
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -660,6 +660,7 @@ jobs:
 
       - name: "gitleaks Integration Tests"
         run: |
+          kubectl -n integration-tests delete scans --all
           helm -n integration-tests install gitleaks ./scanners/gitleaks/ \
             --set="image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-gitleaks" \
             --set="image.tag=sha-$(git rev-parse --short HEAD)" \
@@ -700,6 +701,7 @@ jobs:
 
       - name: "ncrack Integration Tests"
         run: |
+          kubectl -n integration-tests delete scans --all
           helm -n integration-tests install ncrack ./scanners/ncrack/ \
             --set="image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-ncrack" \
             --set="image.tag=sha-$(git rev-parse --short HEAD)" \
@@ -712,6 +714,7 @@ jobs:
 
       - name: "nikto Integration Tests"
         run: |
+          kubectl -n integration-tests delete scans --all
           helm -n integration-tests install nikto ./scanners/nikto/ \
             --set="image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-nikto" \
             --set="image.tag=sha-$(git rev-parse --short HEAD)" \
@@ -724,6 +727,7 @@ jobs:
 
       - name: "nmap Integration Tests"
         run: |
+          kubectl -n integration-tests delete scans --all
           helm -n integration-tests install nmap ./scanners/nmap/ \
             --set="image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-nmap" \
             --set="image.tag=sha-$(git rev-parse --short HEAD)" \
@@ -736,6 +740,7 @@ jobs:
 
       - name: "ssh-scan Integration Tests"
         run: |
+          kubectl -n integration-tests delete scans --all
           helm -n integration-tests install ssh-scan ./scanners/ssh-scan/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)" \
             --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-ssh-scan"
           cd tests/integration/
@@ -745,6 +750,7 @@ jobs:
 
       - name: "sslyze Integration Tests"
         run: |
+          kubectl -n integration-tests delete scans --all
           helm -n integration-tests install sslyze ./scanners/sslyze/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)" \
             --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-sslyze"
           cd tests/integration/
@@ -754,6 +760,7 @@ jobs:
 
       - name: "zap Integration Tests"
         run: |
+          kubectl -n integration-tests delete scans --all
           helm -n integration-tests install zap ./scanners/zap/ --set="parserImage.tag=sha-$(git rev-parse --short HEAD)" \
             --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-zap"
           cd tests/integration/
@@ -763,6 +770,7 @@ jobs:
 
       - name: "cascading Scans ncrack Integration Tests"
         run: |
+          kubectl -n integration-tests delete scans --all
           # We'll run these in a separate namespace so that only the cascadingRules we want to test will be used
           kubectl create namespace cascading-tests
           # Install declarative-subsequent-scans hook
@@ -805,6 +813,7 @@ jobs:
 
       - name: "cascading Scans sslyze Integration Tests"
         run: |
+          kubectl -n integration-tests delete scans --all
           # We'll run these in a separate namespace so that only the cascadingRules we want to test will be used
           kubectl create namespace cascading-tests
           # Install declarative-subsequent-scans hook
@@ -835,9 +844,15 @@ jobs:
       - name: Inspect Post Failure
         if: failure()
         run: |
+          echo "HelmCharts in all namespaces"
+          helm list --all-namespaces
+          echo "Scans in all namespaces"
           kubectl -n integration-tests get scan -o wide --all-namespaces
+          echo "Jobs in all namespaces"
           kubectl -n integration-tests get jobs -o wide --all-namespaces
+          echo "Pods in all namespaces"
           kubectl -n integration-tests get pods -o wide --all-namespaces
+
       - name: "Inspect Operator"
         if: failure()
         run: |

diff --git a/scanners/gitleaks/Chart.yaml b/scanners/gitleaks/Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for the gitleaks repository scanner that integrates wi
 type: application
 # version - gets automatically set to the secureCodeBox release version when the helm charts gets published
 version: v2.6.0-alpha1
-appVersion: v6.1.2
+appVersion: v7.3.0
 kubeVersion: ">=v1.11.0-0"
 
 keywords:

diff --git a/scanners/gitleaks/README.md b/scanners/gitleaks/README.md
@@ -21,6 +21,7 @@ To learn more about gitleaks visit <https://github.com/zricethezav/gitleaks>
 The gitleaks scanner can be deployed with helm:
 
 ```bash
+# Install HelmChart (use -n to configure another namespace)
 helm upgrade --install gitleaks secureCodeBox/gitleaks
 ```
 
@@ -33,13 +34,52 @@ The only mandatory parameters are:
 - `-r`: The link to the repository you want to scan.
 - `--access-token`: Only for non-public repositories.
 - `--username` and `--password`: Only for non-public repositories.
-- `--config`: The ruleset you want to use.
+- `--config-path`: The ruleset you want to use.
 
 **Do not** override the option `--report-format` or `--report`. It is already configured for automatic findings parsing.
 
+## secureCodeBox extended GitLeaks Features
+
+:::info
+If you run gitleaks based on a scheduledScan (e.g. one scan per day) it would be enough to scan all git-commits since the last executed schedule.
+Instead of scanning all commits in the complete git history every day it would safe a lot of resources to scan only all commits of the last day.
+
+_Problem is: This is a feature and configuration option gitleaks is currently not supporting._
+
+That's why we created an [issue](https://github.com/zricethezav/gitleaks/issues/497) and a [pull request](https://github.com/zricethezav/gitleaks/pull/498) for that.
+If you like the idea, please vote for our issue and PR.
+
+If you already want to use our implementation (fork) of this feature you can use our [gitleaks forked docker image](https://hub.docker.com/r/securecodebox/gitleaks) instead of the gitleaks original image.
+:::
+
+```yaml
+# Corresponding HelmChart Configuration
+image:
+  # image.repository -- Container Image to run the scan
+  repository: docker.io/securecodebox/scanner-gitleaks
+  # image.tag -- defaults to the charts version
+  tag: v7.3.0
+```
+
+### Deployment with extended GitLeaks
+```bash
+# Install HelmChart (use -n to configure another namespace)
+helm upgrade --install gitleaks secureCodeBox/gitleaks \
+  --set="image.repository=docker.io/securecodebox/scanner-gitleaks" \
+  --set="image.tag=v7.3.0"
+```
+
+### Additional (Fork) Scanner configuration options
+```bash
+--commit-since-duration= Scan commits more recent than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each
+                               with optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'.
+--commit-until-duration= Scan commits older than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each with
+                               optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'.
+```
+
 #### Ruleset
 
-At this point we provide three rulesets which you can pass to the `--config` oprtion:
+At this point we provide three rulesets which you can pass to the `--config-path` oprtion:
 
 - `/home/config_all.toml`: Includes every rule.
 - `/home/config_filenames_only.toml`: Gitleaks scans only file names and extensions.

diff --git a/scanners/gitleaks/README.md.gotmpl b/scanners/gitleaks/README.md.gotmpl
@@ -21,6 +21,7 @@ To learn more about gitleaks visit <https://github.com/zricethezav/gitleaks>
 The gitleaks scanner can be deployed with helm:
 
 ```bash
+# Install HelmChart (use -n to configure another namespace)
 helm upgrade --install gitleaks secureCodeBox/gitleaks
 ```
 
@@ -33,13 +34,52 @@ The only mandatory parameters are:
 - `-r`: The link to the repository you want to scan.
 - `--access-token`: Only for non-public repositories.
 - `--username` and `--password`: Only for non-public repositories.
-- `--config`: The ruleset you want to use.
+- `--config-path`: The ruleset you want to use.
 
 **Do not** override the option `--report-format` or `--report`. It is already configured for automatic findings parsing.
 
+## secureCodeBox extended GitLeaks Features
+
+:::info
+If you run gitleaks based on a scheduledScan (e.g. one scan per day) it would be enough to scan all git-commits since the last executed schedule. 
+Instead of scanning all commits in the complete git history every day it would safe a lot of resources to scan only all commits of the last day.
+
+_Problem is: This is a feature and configuration option gitleaks is currently not supporting._
+
+That's why we created an [issue](https://github.com/zricethezav/gitleaks/issues/497) and a [pull request](https://github.com/zricethezav/gitleaks/pull/498) for that. 
+If you like the idea, please vote for our issue and PR.
+
+If you already want to use our implementation (fork) of this feature you can use our [gitleaks forked docker image](https://hub.docker.com/r/securecodebox/gitleaks) instead of the gitleaks original image.
+:::
+
+```yaml
+# Corresponding HelmChart Configuration
+image:
+  # image.repository -- Container Image to run the scan
+  repository: docker.io/securecodebox/scanner-gitleaks
+  # image.tag -- defaults to the charts version
+  tag: v7.3.0
+```
+
+### Deployment with extended GitLeaks
+```bash
+# Install HelmChart (use -n to configure another namespace)
+helm upgrade --install gitleaks secureCodeBox/gitleaks \
+  --set="image.repository=docker.io/securecodebox/scanner-gitleaks" \
+  --set="image.tag=v7.3.0"
+```
+
+### Additional (Fork) Scanner configuration options
+```bash
+--commit-since-duration= Scan commits more recent than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each
+                               with optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'.
+--commit-until-duration= Scan commits older than a specific date expresed by an duration (now + duration). A duration string is a possibly signed sequence of decimal numbers, each with
+                               optional fraction and a unit suffix, such as '300ms', '-1.5h' or '2h45m'. Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'.
+```
+
 #### Ruleset
 
-At this point we provide three rulesets which you can pass to the `--config` oprtion:
+At this point we provide three rulesets which you can pass to the `--config-path` oprtion:
 
 - `/home/config_all.toml`: Includes every rule.
 - `/home/config_filenames_only.toml`: Gitleaks scans only file names and extensions.
@@ -86,7 +126,6 @@ For more information on how to use cascades take a look at
 [Scanning Networks Example](https://docs.securecodebox.io/docs/how-tos/scanning-networks/)
 
 
-
 ## Chart Configuration
 
 {{ template "chart.valuesTable" . }}

diff --git a/scanners/gitleaks/helm2.Chart.yaml b/scanners/gitleaks/helm2.Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for the gitleaks repository scanner that integrates wi
 type: application
 # version - gets automatically set to the secureCodeBox release version when the helm charts gets published
 version: v2.6.0-alpha1
-appVersion: v6.1.2
+appVersion: v7.3.0
 kubeVersion: ">=v1.11.0-0"
 
 keywords:

diff --git a/scanners/gitleaks/parser/__testFiles__/test-null-report.json b/scanners/gitleaks/parser/__testFiles__/test-null-report.json
@@ -0,0 +1 @@
+null
diff --git a/scanners/gitleaks/parser/parser.js b/scanners/gitleaks/parser/parser.js
@@ -8,36 +8,42 @@ async function parse (fileContent, scan) {
 
   const commitUrl = prepareCommitUrl(scan)
 
-  return fileContent.map(finding => {
-
-    let severity = 'LOW';
-
-    if (containsTag(finding.tags, HIGH_TAGS)) {
-      severity = 'HIGH'
-    } else if (containsTag(finding.tags, MEDIUM_TAGS)) {
-      severity = 'MEDIUM'
-    }
-
-    return {
-      name: finding.rule,
-      description: 'The name of the rule which triggered the finding: ' + finding.rule,
-      osi_layer: 'APPLICATION',
-      severity: severity,
-      category: 'Potential Secret',
-      attributes: {
-        commit: commitUrl + finding.commit,
-        repo: finding.repo,
-        offender: finding.offender,
-        author: finding.author,
-        email: finding.email,
-        date: finding.date,
-        file: finding.file,
-        line_number: finding.lineNumber,
-        tags: finding.tags.split(',').map(tag => tag.trim()),
-        line: finding.line
+  if (fileContent) {
+    return fileContent.map(finding => {
+
+      let severity = 'LOW';
+
+      if (containsTag(finding.tags, HIGH_TAGS)) {
+        severity = 'HIGH'
+      } else if (containsTag(finding.tags, MEDIUM_TAGS)) {
+        severity = 'MEDIUM'
       }
-    }
-  });
+
+      return {
+        name: finding.rule,
+        description: 'The name of the rule which triggered the finding: ' + finding.rule,
+        osi_layer: 'APPLICATION',
+        severity: severity,
+        category: 'Potential Secret',
+        attributes: {
+          commit: commitUrl + finding.commit,
+          repo: finding.repo,
+          offender: finding.offender,
+          author: finding.author,
+          email: finding.email,
+          date: finding.date,
+          file: finding.file,
+          line_number: finding.lineNumber,
+          tags: finding.tags.split(',').map(tag => tag.trim()),
+          line: finding.line
+        }
+      }
+    });
+  }
+  else
+  {
+    return [];
+  }
 }
 
 function prepareCommitUrl (scan) {

diff --git a/scanners/gitleaks/parser/parser.test.js b/scanners/gitleaks/parser/parser.test.js
@@ -16,6 +16,16 @@ test("should properly parse empty gitleaks json file", async () => {
   expect(await parse(JSON.parse(jsonContent))).toMatchObject([]);
 });
 
+test("should properly parse gitleaks json file with null result", async () => {
+  const jsonContent = await readFile(
+    __dirname + "/__testFiles__/test-null-report.json",
+    {
+      encoding: "utf8"
+    }
+  );
+  expect(await parse(JSON.parse(jsonContent))).toMatchObject([]);
+});
+
 test("should properly parse gitleaks json file", async () => {
   const jsonContent = await readFile(
     __dirname + "/__testFiles__/test-report.json",

diff --git a/scanners/gitleaks/templates/gitleaks-scan-type.yaml b/scanners/gitleaks/templates/gitleaks-scan-type.yaml
@@ -22,7 +22,7 @@ spec:
                 - 'sh'
                 - '/wrapper.sh'
                 - "--verbose"
-                - "--report-format"
+                - "--format"
                 - "json"
                 - "--report"
                 - "/home/securecodebox/report.json"

diff --git a/tests/integration/scanner/gitleaks.test.js b/tests/integration/scanner/gitleaks.test.js
@@ -6,7 +6,7 @@ test(
     const {categories, severities, count} = await scan(
       'gitleaks-dummy-scan',
       'gitleaks',
-      ['-r', 'https://github.com/secureCodeBox/secureCodeBox', '--commit=ec0fe179ccf178b56fcd51d1730448bc64bb9ab5', '--config', '/home/config_all.toml'],
+      ['-r', 'https://github.com/secureCodeBox/secureCodeBox', '--commit=ec0fe179ccf178b56fcd51d1730448bc64bb9ab5', '--config-path', '/home/config_all.toml'],
       90
     );