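#!/bin/bash
# Scan a local checkout with Gitleaks and condense its findings into a small
# JSON report that attributes each finding to a commit and an author.
#
# Required environment:
#   LOCAL_PATH_TO_GIT_REPO   path of the checked-out repository to scan
#   REMOTE_PATH_TO_GIT_REPO  base URL of the repository, used to build the "Link" field
#   BRANCH_NAME              branch name placed in the "Link" field
#
# Outputs:
#   ${LOCAL_PATH_TO_GIT_REPO}/gitleaks-report-detailed.json  raw Gitleaks report (secrets redacted)
#   ./gitleaks-report.json                                   condensed report; "[]" when nothing was found
#
# Requires gitleaks, jq and git on PATH.
set -euo pipefail

echo "Script Execution Started!"

# Fail early with a clear message rather than deleting or scanning the wrong
# path when the environment is incomplete (an unset LOCAL_PATH_TO_GIT_REPO
# would otherwise make the paths below resolve relative to "/").
: "${LOCAL_PATH_TO_GIT_REPO:?LOCAL_PATH_TO_GIT_REPO must be set}"
: "${REMOTE_PATH_TO_GIT_REPO:?REMOTE_PATH_TO_GIT_REPO must be set}"
: "${BRANCH_NAME:?BRANCH_NAME must be set}"
for tool in gitleaks jq git; do
  command -v "$tool" >/dev/null 2>&1 || { echo "error: '$tool' not found on PATH" >&2; exit 1; }
done

detailed_report="${LOCAL_PATH_TO_GIT_REPO}/gitleaks-report-detailed.json"
final_report="./gitleaks-report.json"

# remove Gitleaks reports if they exist already
echo "Removing Gitleaks reports if they exist already..."
rm -f -- "$detailed_report" "$final_report"

# run Gitleaks to find secrets and generate a detailed report in JSON for the secrets found.
# --redact keeps the secret values themselves out of the report written to disk;
# --no-git scans the working tree, so StartLine refers to the checked-out file,
# which is also what 'git blame' (without a revision) looks at below.
echo "Running Gitleaks to find secrets and generating a detailed report in JSON for the secrets found..."
# Gitleaks exits 1 when it finds leaks; that is the normal "findings" path, not
# an error. Any other non-zero status means the scan itself failed and the
# report (if any) cannot be trusted, so stop instead of emitting a misleading "[]".
rc=0
gitleaks detect -r "$detailed_report" -f json -s "$LOCAL_PATH_TO_GIT_REPO" --redact --no-git || rc=$?
if [[ $rc -ne 0 && $rc -ne 1 ]]; then
  echo "error: gitleaks failed with exit code $rc" >&2
  exit "$rc"
fi
if [[ ! -f "$detailed_report" ]] || ! jq -e 'type == "array"' "$detailed_report" >/dev/null 2>&1; then
  echo "error: $detailed_report is missing or is not a JSON array" >&2
  exit 1
fi
# NOTE: the detailed report is left in the repository directory (as before);
# it is redacted, but make sure it is never committed or uploaded.

# create a final report in JSON using the detailed report having relevant information only
echo "Creating a final report in JSON using the detailed report having relevant information only..."
if jq -e 'length > 0' "$detailed_report" >/dev/null; then
  # Emit one JSON object per finding and let 'jq -s' assemble the array, so no
  # trailing comma has to be trimmed by hand. Every value goes in via --arg,
  # so report content can never be interpreted as jq code or break the JSON.
  jq -c '.[]' "$detailed_report" | while IFS= read -r finding; do
    description=$(jq -r '.Description' <<< "$finding")
    start_line=$(jq -r '.StartLine' <<< "$finding")
    secret_type=$(jq -r '.RuleID' <<< "$finding")
    # Gitleaks reports the absolute path; strip the repo prefix with a literal
    # (not regex) match so paths containing sed metacharacters are safe.
    file=$(jq -r '.File' <<< "$finding")
    file=${file#"${LOCAL_PATH_TO_GIT_REPO}/"}

    # use 'git blame' to find the commit id and author for each finding.
    # Porcelain output starts with "<sha> <orig> <final> <n>" then "author <name>".
    # An untracked file (possible with --no-git) has no blame: keep the finding
    # with empty attribution rather than aborting the whole report.
    commit_id=""
    author=""
    if blame=$(git -C "$LOCAL_PATH_TO_GIT_REPO" blame --porcelain -L "${start_line},${start_line}" -- "$file" 2>/dev/null); then
      { IFS=' ' read -r commit_id _rest; IFS= read -r author; } <<< "$blame"
      author=${author#author }
    fi

    # append final JSON objects to the new report
    jq -n \
      --arg desc "$description" \
      --arg file "$file" \
      --arg line_no "$start_line" \
      --arg url "${REMOTE_PATH_TO_GIT_REPO}/-/blob/${BRANCH_NAME}/${file}#L${start_line}" \
      --arg type "$secret_type" \
      --arg commit "$commit_id" \
      --arg author "$author" \
      '{"Description": $desc, "File": $file, "Line No.": $line_no, "Link": $url, "Secret Type": $type, "Commit": $commit, "Author": $author}'
  done | jq -s '.' > "$final_report"
else
  echo "[]" > "$final_report"
fi

echo "Script Execution Completed!"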