Class: Zwischen::Scanner::Gitleaks

Inherits:
Base
  • Object
show all
Defined in:
lib/zwischen/scanner/gitleaks.rb

Constant Summary

Constants inherited from Base

Base::ZWISCHEN_BIN_DIR

Instance Attribute Summary

Attributes inherited from Base

#command, #name

Instance Method Summary collapse

Methods inherited from Base

#available?, #executable_path, #find_executable, #scan

Constructor Details

#initializeGitleaks

Returns a new instance of Gitleaks.



10
11
12
 
# File 'lib/zwischen/scanner/gitleaks.rb', line 10

def initialize
  super(name: "gitleaks", command: "gitleaks")
end

Instance Method Details

#build_command(project_root) ⇒ Object 



14
15
16
17
18
19
20
21
22
 
# File 'lib/zwischen/scanner/gitleaks.rb', line 14

def build_command(project_root)
  [
    executable_path, "detect",
    "--source", project_root,
    "--report-format", "json",
    "--report-path", "-",
    "--no-git"
  ]
end

#parse_output(output) ⇒ Object 



59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
 
# File 'lib/zwischen/scanner/gitleaks.rb', line 59

def parse_output(output)
  return [] if output.strip.empty?

  findings = []
  json_data = JSON.parse(output)

  # Gitleaks returns an array of findings
  Array(json_data).each do |finding|
    findings << Zwischen::Finding::Finding.new(
      type: "secret",
      scanner: "gitleaks",
      severity: map_severity(finding["RuleID"]),
      file: finding["File"],
      line: finding["StartLine"],
      message: finding["Description"] || finding["RuleID"] || "Secret detected",
      rule_id: finding["RuleID"],
      code_snippet: finding["Secret"],
      raw_data: finding
    )
  end

  findings
rescue JSON::ParserError => e
  warn "Failed to parse Gitleaks output: #{e.message}"
  []
end

#scan_files(files, project_root) ⇒ Object 



24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
 
# File 'lib/zwischen/scanner/gitleaks.rb', line 24

def scan_files(files, project_root)
  return [] if files.empty?

  # Gitleaks doesn't have native multi-file support, so we scan each file individually
  # This is acceptable for pre-push since we typically have only a few changed files
  findings = []

  files.each do |file|
    file_path = File.join(project_root, file)
    next unless File.exist?(file_path)

    command = [
      executable_path, "detect",
      "--source", file_path,
      "--report-format", "json",
      "--report-path", "-",
      "--no-git"
    ]

    stdout, stderr, status = Open3.capture3(*command, chdir: project_root)

    # Gitleaks: exit 0 = clean, exit 1 = findings, exit 2+ = error
    if status.exitstatus <= 1
      findings.concat(parse_output(stdout)) unless stdout.strip.empty?
    elsif status.exitstatus > 1
      warn "Warning: #{@name} scan failed on #{file} (exit #{status.exitstatus}): #{stderr}" if ENV["DEBUG"]
    end
  end

  findings
rescue StandardError => e
  warn "Error running #{@name}: #{e.message}"
  []
end