Description
Is there a defined pattern in the gitleaks community on how to manage custom rules?
The `--config` flag doesn't support remote download, so there is an expectation that the rules file is already present in the local dir, or some path you provide, or it will fall back to the default. This requires a little more effort to make sure teammates are using the latest custom rules.
Extending the `--config` flag to support remote downloads is not efficient, but I would be interested to hear if it was considered. (Obvious reasons not to include this are that it adds a runtime dependency, increases latency, and is probably a redundant call for the vast majority of executions.)
Potentially the CLI could include a new `--download` flag that could run independent of any scan and overwrite the local rules file if changes were detected. I don't see too many downsides with this, and it saves having to maintain a separate script (like the one I'm currently using, included below) to periodically update the rules:
```python
import hashlib
import os
import sys

import requests


def calculate_hash(file_path):
    """BLAKE2b hex digest of a local file, read in 4 KiB chunks."""
    digest = hashlib.blake2b()
    with open(file_path, 'rb') as f:
        for chunk in iter(lambda: f.read(4096), b""):
            digest.update(chunk)
    return digest.hexdigest()


def download_file(url, local_path):
    """Fetch the remote config and overwrite local_path only if its content differs."""
    try:
        response = requests.get(url, timeout=30)  # never hang a CI job on a dead endpoint
        response.raise_for_status()
        remote_hash = hashlib.blake2b(response.content).hexdigest()
        if os.path.exists(local_path):
            local_hash = calculate_hash(local_path)
            if remote_hash == local_hash:
                print("No new version available. Local file is up to date.")
                return
        with open(local_path, 'wb') as file:
            file.write(response.content)
        print(f"Downloaded config file to {local_path}")
    except requests.RequestException as e:
        print(f"Failed to download config file: {e}")
        sys.exit(1)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Specify URL to the gitleaks.toml config")
        sys.exit(2)
    gitleaks_config_url = sys.argv[1]
    gitleaks_config_path = "gitleaks.toml"
    download_file(gitleaks_config_url, gitleaks_config_path)
```
cc @zricethezav