Fix fingerprint generation and validation against .gitleaksignore files for detect no-git scans #1354
Description:
When the source parameter is set for detect --no-git scans, the fingerprint generated contains the full path of the files with findings, meaning that .gitleaksignore will require full paths as well for the comparison to work. This is not useful when gitleaks is run on build agents where the path can change between scans.
To fix the issue, the DetectFiles function has been updated to use relative paths all the time. Since the function is only used in no-git scans there is no regression affecting other types of scans.
Considering the change, I am not sure whether the major version needs bumping; I will leave that to the maintainer to decide.
This fixes #1287.
Checklist:
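The path problem described in this PR, as an added Go example that is not part of the PR or of gitleaks itself: it assumes a no-git fingerprint of the form path:rule-id:start-line and a .gitleaksignore with one fingerprint per line, and shows why a fingerprint built from the absolute path never matches the ignore file across two build agents while the relative one does.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Fingerprint builds a no-git finding fingerprint, assumed here to be
// "<path>:<rule-id>:<start-line>" (an assumption, not gitleaks source).
// As in the fix, the path is always made relative to the scan source so the
// value is stable across machines and checkout directories.
func Fingerprint(source, file, ruleID string, startLine int) (string, error) {
	rel, err := filepath.Rel(source, file)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s:%s:%d", filepath.ToSlash(rel), ruleID, startLine), nil
}

// AbsoluteFingerprint reproduces the pre-fix behaviour for comparison:
// the full path as given is embedded in the fingerprint.
func AbsoluteFingerprint(file, ruleID string, startLine int) string {
	return fmt.Sprintf("%s:%s:%d", filepath.ToSlash(file), ruleID, startLine)
}

// ParseIgnore reads .gitleaksignore contents: one fingerprint per line,
// blank lines and '#' comments skipped.
func ParseIgnore(contents string) map[string]bool {
	ignored := map[string]bool{}
	for _, line := range strings.Split(contents, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		ignored[line] = true
	}
	return ignored
}

func main() {
	// Constructed: the same finding seen from two agents with different workspace roots.
	ignore := ParseIgnore("# constructed .gitleaksignore\nsrc/config.yaml:generic-api-key:12\n")
	for _, root := range []string{"/agent1/work/repo", "/agent2/build/repo"} {
		file := filepath.Join(root, "src", "config.yaml")
		abs := AbsoluteFingerprint(file, "generic-api-key", 12)
		rel, _ := Fingerprint(root, file, "generic-api-key", 12)
		fmt.Printf("absolute %-50s ignored=%v\n", abs, ignore[abs])
		fmt.Printf("relative %-50s ignored=%v\n", rel, ignore[rel])
	}
}
```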