output git command to show context for finding #1626
Comments
Tangentially related, I was working on a PR to add links back to the report (at least for GitHub and GitLab scans).
Yeah, that was also on my mind, that would be quite helpful as well, just not for the nonpublic enterprise servers and such.
It should work for those, it takes the origin URL from the repository. My motivation is actually a private instance of GHES.
I am curious about that. I know how to assemble a valid GHES link, but as far as I could tell there is no way to determine whether a repo server is github or gitlab, and the links are different? I suppose it would be possible to output both links. (Or simply pass the server type as a parameter, now that I think about it.) edit: aaand, I see that is indeed what you did. I like it, that is probably a better solution than this idea of printing a git command to copy-paste.
GitHub and GitLab links are mostly identical. However, as you mentioned it's not possible to determine the type based on the remote URL — except for github.com, gitlab.com. My idea was to add an optional flag. master...rgmz:gitleaks:feat/link#diff-1563b4094b2fb798714582a4b5a327e38ba4efe16e02681b85b140373e48c2d9R22
👍 I like that solution more than my idea.
Is your feature request related to a problem? Please describe.
To determine if a finding is a valid secret, some context of the found location is helpful.
When scanning a git repository, the file with the finding may have been removed, renamed, or the section with the finding removed or shifted. Opening the current version of the file often does not help to get the context.
To get the context, the following git command can be used instead:
All information for this command can be seen in the report from gitleaks. However, it can be a little annoying to assemble the command by hand.
Describe the solution you'd like
Would it make sense to include this command in the console output for a finding, for quick copy/pasting?
Describe alternatives you've considered
It is of course entirely possible to make a shell script for generating this command from a json report. But it might be nice to include this functionality in gitleaks itself.
It took me quite a while to realize that this is actually easy to do with git. A short notice in the readme might suffice instead.
Instead of the git command, a link to github/gitlab would also be helpful. It is possible to link to a specific line in a specific revision of a file. However, the link formats for github and gitlab are different, and there is no simple way to determine whether a given git remote might be an enterprise github or gitlab server, so this would only work for repositories hosted on the default github or gitlab.
Additional context
cc @zricethezav
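The shell-script alternative mentioned in the issue, as an added example that is not part of the issue or of gitleaks itself: it reads a gitleaks JSON report, emits one `git show <commit>:<path> | sed -n ...` command per finding so the flagged lines can be viewed at the flagged revision even if the file was later renamed or deleted, and builds the GitHub/GitLab permalink with the server type passed in explicitly, since it cannot be inferred from a self-hosted remote URL. The report field names are those of the gitleaks v8 JSON schema; the report contents, commit hash and repository URLs are constructed for the demo.

```python
import json
import shlex

# Constructed sample of a gitleaks JSON report. Field names follow the
# gitleaks v8 report schema; the values are made up for this demo.
SAMPLE_REPORT = json.dumps([
    {
        "RuleID": "generic-api-key",
        "File": "config/settings.py",
        "StartLine": 12,
        "EndLine": 12,
        "Commit": "0123456789abcdef0123456789abcdef01234567",
    }
])


def load_findings(report_json):
    """Parse a gitleaks JSON report into a list of finding dicts."""
    return json.loads(report_json)


def context_command(finding, context=3):
    """Shell command that prints the finding's lines plus `context` lines on
    either side, taken from the file as it existed in the flagged commit.
    `git show <commit>:<path>` reads the blob at that revision, so it works
    even if the file no longer exists in the working tree; sed cuts the range."""
    start = max(1, finding["StartLine"] - context)
    end = finding["EndLine"] + context
    spec = shlex.quote(f"{finding['Commit']}:{finding['File']}")
    return f"git show {spec} | sed -n '{start},{end}p'"


def web_link(finding, remote_base, server="github"):
    """Permalink to the flagged lines at the flagged revision. GitHub and
    GitLab use different path layouts and line anchors, and a self-hosted
    remote URL does not reveal which one it is, so the type is a parameter."""
    commit, path = finding["Commit"], finding["File"]
    start, end = finding["StartLine"], finding["EndLine"]
    if server == "github":
        return f"{remote_base}/blob/{commit}/{path}#L{start}-L{end}"
    if server == "gitlab":
        return f"{remote_base}/-/blob/{commit}/{path}#L{start}-{end}"
    raise ValueError(f"unknown server type: {server}")


def commands_for_report(report_json, context=3):
    """One `git show` context command per finding in the report."""
    return [context_command(f, context) for f in load_findings(report_json)]


if __name__ == "__main__":
    for cmd in commands_for_report(SAMPLE_REPORT):
        print(cmd)
```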