Open
Labels: bug (Something isn't working)
Description
Describe the bug
Kubernetes Secrets may slip through detection if we use the git detection of gitleaks. I am aware that this might be a limit of git log - but maybe it can be solved ...
I think the main problem is that new values added to a Kubernetes secret won't be detected - or that I expected they would.
To Reproduce
Here is the shell script to reproduce the specified behavior:
```bash
#!/bin/bash
# Step 1: Create a new folder named k8s-slip
mkdir k8s-slip
# Step 2: Navigate into the new folder
cd k8s-slip || exit
# Step 3: Initialize a git repository
git init
# Step 4: Create a file named yaml.yaml with specific content
cat <<EOL > yaml.yaml
apiVersion: v1
kind: Secret
metadata:
  name: some-secret
  namespace: default
data: {}
EOL
# Add changes to git and commit them
git add yaml.yaml
git commit -m "Add yaml.yaml with initial content"
# Step 5: Run gitleaks to scan the repository
gitleaks git . -v
# Step 6: Replace data: {} with specific base64 encoded content
cat <<EOL > yaml.yaml
apiVersion: v1
kind: Secret
metadata:
  name: some-secret
  namespace: default
data:
  something: c29tZXRoaW5nZ2VoZWltZXMK
  else: c29tZXRoaW5nZ2VoZWltZXMK
EOL
# Add changes to git and commit them
git add yaml.yaml
git commit -m "Update yaml.yaml with base64 encoded content"
# Step 7: Run gitleaks to scan the repository again
gitleaks git . -v
# Step 8: Run gitleaks to scan the directory
gitleaks dir . -v
```
Expected behavior
gitleaks should detect secrets
Basic Info (please complete the following information):
- OS: mac
- Gitleaks Version: 8.21.2
cc @zricethezav
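An added illustration, not part of the issue and not gitleaks code: the constructed patch below mirrors what `git log -p` would show for the second commit in the script, and the helpers list what a scan limited to a commit's added lines can see (that limitation is an assumption here, not a confirmed root cause). The names `added_lines`, `secret_data_values` and `scan_patch` are hypothetical.

```python
import base64
import re

# Constructed sample: patch for the issue's second commit (data: {} -> two keys).
PATCH = """\
diff --git a/yaml.yaml b/yaml.yaml
--- a/yaml.yaml
+++ b/yaml.yaml
@@ -3,4 +3,6 @@ kind: Secret
 metadata:
   name: some-secret
   namespace: default
-data: {}
+data:
+  something: c29tZXRoaW5nZ2VoZWltZXMK
+  else: c29tZXRoaW5nZ2VoZWltZXMK
"""

# Indented "key: <base64>" line, as found under a Secret's data block.
KEY_VALUE = re.compile(r"^\s+([\w.-]+):\s*([A-Za-z0-9+/]{8,}={0,2})\s*$")

def added_lines(patch):
    """Return only the lines a patch adds, without the leading '+'."""
    return [l[1:] for l in patch.splitlines()
            if l.startswith("+") and not l.startswith("+++")]

def secret_data_values(lines):
    """Yield (key, decoded bytes) for base64 values indented under `data:`."""
    in_data = False
    for line in lines:
        if re.match(r"^data:\s*$", line):
            in_data = True
            continue
        if not line.startswith((" ", "\t")):
            in_data = False  # a new top-level key ends the data block
            continue
        m = KEY_VALUE.match(line) if in_data else None
        if m:
            try:
                yield m.group(1), base64.b64decode(m.group(2), validate=True)
            except ValueError:
                pass  # not valid base64, so not a Secret data value

def scan_patch(patch):
    """Report whether `kind: Secret` is among the added lines, plus decoded values."""
    lines = added_lines(patch)
    kind_visible = any(l.strip() == "kind: Secret" for l in lines)
    return {"kind_visible": kind_visible, "values": list(secret_data_values(lines))}
```

On a real repository the same functions can be fed the output of `git log -p -- '*.yaml'` as a cross-check against the scanner's own findings.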