
Password environment variable example with empty value causes false-positive

Open mschoettle opened this issue 8 months ago • 2 comments

Describe the bug

We have an .env.sample in our repo to streamline configuring the application. We add sensible defaults to make it easier. However, the values for passwords are usually empty.

One such case is:

[...]
QUESTIONNAIRE_DB_PASSWORD=
QUESTIONNAIRE_DB_ENABLED=1
[...]

Running gitleaks on this causes the following detected leak:

Finding:     QUESTIONNAIRE_DB_PASSWORD=
                          QUESTIONNAIRE_DB_ENABLED=1
Secret:      QUESTIONNAIRE_DB_ENABLED=1
RuleID:      generic-api-key
Entropy:     3.825252
File:        .env.sample

Expected behavior

Ideally, this would not be detected as a secret.

Basic Info (please complete the following information):

  • OS: macOS 13.7.4
  • Gitleaks Version: 8.24.3

cc @zricethezav

mschoettle commented Apr 14 '25 18:04

I just updated to gitleaks 8.20.1 -> 8.24.3. Now my results are loaded with any bit of source code that includes the word key or password even when calling functions or variables.

Did something change in the entropy settings? This is my config for the project (which is .NET), which normally excluded anything that wasn't random.

[[rules]]
description = "Generic API Key"
id = "generic-api-key"
regex = '''(?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-z\-_.=]{10,150})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
secretGroup = 1
entropy = 3.5
keywords = [
    "key","api","token","secret","client","passwd","password","auth","access",
]
[rules.allowlist]
regexTarget = "line"
regexes = [
  '''PublicKeyToken''',
  '''publicKeyToken''',
  '''sqlite3_vtab_cursor''',
  '''JSONRPCHeader.JSONRPC1''',
  '''JSONRPCHeader.JSONRPC2''',
  '''Encoding.UTF8''',
  '''log4net.Internal.Debug''',
  '''System.UInt32''',
  '''log4net.Internal.Quiet''',
  '''sqlite3_version''',
  '''column_bytes16''',
  '''column_database_name16''',
  '''column_decltype16''',
  '''column_origin_name16''',
  '''column_table_name16''',
  '''column_text16''',
  '''create_collation16''',
  '''create_function16''',
  '''create_module_v2''',
  '''value_bytes16''',
  '''create_collation_v2''',
  '''create_function_v2''',
  '''soft_heap_limit64''',
  '''wal_checkpoint_v2''',
  '''FTS5_MAX_TOKEN_SIZE''',
  '''FTS5_AVERAGES_ROWID''',
  '''sqlite3_module''',
  '''fts5CreateTokenizer''',
  '''fts5FindTokenizer''',
  '''sqlite3_index_info''',
  '''sqlite3_vtab_cursor''',
  '''FTS5_PORTER_MAX_TOKEN''',
  '''default_rc==1''',
  '''default_rc==-1'''
]

mcx808 commented Apr 15 '25 14:04
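The Finding in the issue shows the match spanning two lines. The Go program below is an added example (not gitleaks code): it compiles the generic-api-key regex from the config above against a constructed copy of the two .env.sample lines, showing that the `\s` allowed after `=` swallows the line break so the next variable becomes the "secret", whose entropy (3.825252, as in the Finding) clears the 3.5 threshold. The tightened variant is a hypothetical illustration of the mechanism, not a change made in gitleaks.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// The generic-api-key regex exactly as posted in the config above.
const genericAPIKey = `(?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([0-9a-z\-_.=]{10,150})(?:['|\"|\n|\r|\s|\x60|;]|$)`
// Hypothetical tightening, for illustration only (not a gitleaks change):
// separators after the operator may no longer include a line break.
var tightenedRule = strings.Replace(genericAPIKey,
	`(?:'|\"|\s|=|\x60){0,5}`, `(?:'|\"|[ \t]|=|\x60){0,5}`, 1)
// Constructed sample mirroring the two .env.sample lines from the issue.
const sample = "QUESTIONNAIRE_DB_PASSWORD=\nQUESTIONNAIRE_DB_ENABLED=1\n"

// secretGroup returns capture group 1 (the rule's secretGroup), or "" on no match.
func secretGroup(pattern, text string) string {
	if m := regexp.MustCompile(pattern).FindStringSubmatch(text); m != nil {
		return m[1]
	}
	return ""
}

// shannonEntropy is the base-2 entropy gitleaks compares against the rule's threshold (3.5).
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	h, n := 0.0, float64(len([]rune(s)))
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

func main() {
	for _, r := range []struct{ name, pattern string }{
		{"posted rule", genericAPIKey}, {"tightened rule", tightenedRule},
	} {
		if sec := secretGroup(r.pattern, sample); sec == "" {
			fmt.Printf("%-15s no finding\n", r.name)
		} else { // the posted rule lands here: the next .env line is captured as the "secret"
			fmt.Printf("%-15s secret=%q entropy=%.6f\n", r.name, sec, shannonEntropy(sec))
		}
	}
}
```

Rewriting the rule regex is shown only to expose the mechanism; in a real config, an allowlist entry for the sample file's path is the lower-risk adjustment, since it does not weaken detection elsewhere.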

@mcx808 It sounds like you're describing a different issue. Can you create a separate issue and provide some examples?

rgmz commented Apr 15 '25 14:04