git: a2eb5fe554b1 - 2025Q4 - security/gitlab-analyzers-secrets: added gitlab secret detection scanner

From: Matthias Fechner <mfechner_at_FreeBSD.org>
Date: Thu, 27 Nov 2025 19:06:03 UTC
The branch 2025Q4 has been updated by mfechner:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a2eb5fe554b17f832ba0de9ba117a04d443bf24e

commit a2eb5fe554b17f832ba0de9ba117a04d443bf24e
Author:     Matthias Fechner <mfechner@FreeBSD.org>
AuthorDate: 2025-11-15 16:29:50 +0000
Commit:     Matthias Fechner <mfechner@FreeBSD.org>
CommitDate: 2025-11-27 11:50:22 +0000

    security/gitlab-analyzers-secrets: added gitlab secret detection scanner
    
    (cherry picked from commit 618891730427c23d3e0efb8aa92d9f7239fbc508)
---
 security/Makefile                                  |  1 +
 security/gitlab-analyzers-secrets/Makefile         | 66 ++++++++++++++++++++++
 security/gitlab-analyzers-secrets/distinfo         |  9 +++
 .../files/patch-config_path.go                     | 11 ++++
 security/gitlab-analyzers-secrets/pkg-descr        | 11 ++++
 5 files changed, 98 insertions(+)

diff --git a/security/Makefile b/security/Makefile
index 3a1c01a20c89..e9ae314ef37b 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -181,6 +181,7 @@
     SUBDIR += git-remote-gcrypt
     SUBDIR += git-secret
     SUBDIR += gitjacker
+    SUBDIR += gitlab-analyzers-secrets
     SUBDIR += globalprotect-openconnect
     SUBDIR += gnome-keyring
     SUBDIR += gnupg
diff --git a/security/gitlab-analyzers-secrets/Makefile b/security/gitlab-analyzers-secrets/Makefile
new file mode 100644
index 000000000000..d393955e070d
--- /dev/null
+++ b/security/gitlab-analyzers-secrets/Makefile
@@ -0,0 +1,66 @@
+PORTNAME=	secrets
+DISTVERSIONPREFIX=	v
+DISTVERSION=	7.20.1
+CATEGORIES=	security
+MASTER_SITES=	https://gitlab.com/api/v4/projects/60960406/packages/generic/secret-detection-rules/${SECRET_DETECTION_RULES_VERSION}/:rules \
+		https://gitlab.com/gitlab-org/security-products/post-analyzers/scripts/-/raw/v${POST_ANALYZER_SCRIPTS_VERSION}/:script
+PKGNAMEPREFIX=	gitlab-analyzers-
+DISTFILES=	secret-detection-rules-${SECRET_DETECTION_RULES_VERSION}.zip:rules \
+		start.sh:script
+EXTRACT_ONLY=	${DISTNAME}${EXTRACT_SUFX}
+
+MAINTAINER=	mfechner@FreeBSD.org
+COMMENT=	Secret detection scanner for Gitlab
+WWW=		https://gitlab.com/gitlab-org/security-products/analyzers/secrets
+
+LICENSE=	MIT
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+EXTRACT_DEPENDS=	${UNZIP_CMD}:archivers/unzip
+RUN_DEPENDS=	gitleaks:devel/gitleaks \
+		git>=0:devel/git
+
+USES=		go:modules,1.24 tar:bzip2
+
+USE_GITLAB=	yes
+GL_ACCOUNT=	gitlab-org/security-products/analyzers
+
+GO_MOD_DIST=	gitlab
+GO_MODULE=	gitlab.com/gitlab-org/security-products/analyzers/secrets/v6
+
+GO_TARGET=	${PORTNAME}:analyzer-binary
+GO_BUILDFLAGS=	-ldflags="-X '${GO_MODULE}/metadata.AnalyzerVersion=${DISTVERSIONFULL}'"
+
+DATADIR=	${PREFIX}/share/${PKGNAMEPREFIX}${PORTNAME}
+
+# Versions
+# These version can be found in https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/master/Dockerfile
+SECRET_DETECTION_RULES_VERSION=	v0.20.1
+POST_ANALYZER_SCRIPTS_VERSION=	0.3.0
+
+# Define where the rules should be extracted
+RULES_DIR=	${WRKDIR}/rules
+POSTSCRIPT_DIR=	${WRKDIR}/script
+
+post-extract:
+	# Create rules directory and extract the zip file there
+	${MKDIR} ${RULES_DIR}
+	${UNZIP_CMD} -q -d ${RULES_DIR} ${DISTDIR}/${DIST_SUBDIR}/secret-detection-rules-${SECRET_DETECTION_RULES_VERSION}.zip
+
+	# Gitlab pipeline integration script
+	${MKDIR} ${POSTSCRIPT_DIR}
+	${CP} ${DISTDIR}/${DIST_SUBDIR}/start.sh ${POSTSCRIPT_DIR}/analyzer
+	# the binary that is executed is locate in /usr/local/bin, replace this
+	${REINPLACE_CMD} -e 's|SCRIPT_BASE_DIR="\$${SCRIPT_BASE_DIR:=/}"|SCRIPT_BASE_DIR="\$${SCRIPT_BASE_DIR:=${PREFIX}/bin}"|' \
+		${POSTSCRIPT_DIR}/analyzer
+
+post-install:
+	${MKDIR} ${STAGEDIR}${DATADIR}
+	${INSTALL_DATA} ${WRKDIR}/rules/dist/all_rules.toml ${STAGEDIR}${DATADIR}/gitleaks.toml
+	${INSTALL} -m 0555 ${POSTSCRIPT_DIR}/analyzer ${STAGEDIR}${PREFIX}/bin
+
+PLIST_FILES=	bin/analyzer \
+		bin/analyzer-binary \
+		${DATADIR}/gitleaks.toml
+
+.include <bsd.port.mk>
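Review bot: The `REINPLACE_CMD` in post-extract (the `SCRIPT_BASE_DIR` substitution on the copied start.sh) succeeds silently when its pattern does not match, so an upstream change to that line would still build and install a `bin/analyzer` that resolves `analyzer-binary` against the original `/` default instead of `${PREFIX}/bin`. A check right after it turns that into a build failure: `@${GREP} -q 'SCRIPT_BASE_DIR:=${PREFIX}/bin' ${POSTSCRIPT_DIR}/analyzer || { ${ECHO_MSG} "SCRIPT_BASE_DIR substitution in start.sh did not apply"; exit 1; }`. start.sh itself is not in the diff, so it is also worth confirming how it joins `SCRIPT_BASE_DIR` with the binary name — an upstream default of `/` suggests it may concatenate directly, in which case the new value needs a trailing slash. Two smaller points: post-install reads `${WRKDIR}/rules/dist/all_rules.toml` where `${RULES_DIR}/dist/all_rules.toml` would keep that path defined in one place, and `${INSTALL_SCRIPT}` is the conventional way to install the shell wrapper rather than `${INSTALL} -m 0555`.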
diff --git a/security/gitlab-analyzers-secrets/distinfo b/security/gitlab-analyzers-secrets/distinfo
new file mode 100644
index 000000000000..512c1ff74030
--- /dev/null
+++ b/security/gitlab-analyzers-secrets/distinfo
@@ -0,0 +1,9 @@
+TIMESTAMP = 1763217291
+SHA256 (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/secret-detection-rules-v0.20.1.zip) = a437defac99235166816b9d1b15e673524ea672a81de0fb3089b905a66496e8c
+SIZE (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/secret-detection-rules-v0.20.1.zip) = 78238
+SHA256 (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/start.sh) = 7c651c5fae95d29e9cddfb8df492218378f86789b49c4564eb25cbb97f12297d
+SIZE (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/start.sh) = 2904
+SHA256 (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/go.mod) = 4e33dfef63cada7f5073ccea83c0cd949878d20ce0067966de79f3bb01e79176
+SIZE (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/go.mod) = 2208
+SHA256 (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/secrets-v7.20.1.tar.bz2) = 99fe22f193b02f5a850a95c4a1aa3f2675d5af92ebb0073c780ff2cf573b18dc
+SIZE (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/secrets-v7.20.1.tar.bz2) = 195376
diff --git a/security/gitlab-analyzers-secrets/files/patch-config_path.go b/security/gitlab-analyzers-secrets/files/patch-config_path.go
new file mode 100644
index 000000000000..419c0fb7ba4a
--- /dev/null
+++ b/security/gitlab-analyzers-secrets/files/patch-config_path.go
@@ -0,0 +1,11 @@
+--- config/path.go.orig	2025-11-15 14:06:29 UTC
++++ config/path.go
+@@ -9,7 +9,7 @@ import (
+ )
+ 
+ // DefaultPathGitleaksConfig is the default path for the Gitleaks configuration file.
+-const DefaultPathGitleaksConfig = "/gitleaks.toml"
++const DefaultPathGitleaksConfig = "/usr/local/share/gitlab-analyzers-secrets/gitleaks.toml"
+ 
+ // GitleaksPassthroughTarget is the target filename for Gitleaks configuration in passthrough scenarios.
+ const GitleaksPassthroughTarget = "gitleaks.toml"
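Review bot: The replacement on the `+const DefaultPathGitleaksConfig` line hardcodes `/usr/local/share/gitlab-analyzers-secrets/gitleaks.toml`, while the Makefile installs the rules file under `${DATADIR}`, which is derived from `${PREFIX}`; a build with a different PREFIX would install the file in one place and have the binary look for it in another. Because this is a Go `const`, it cannot be set through the `-ldflags -X` already used in GO_BUILDFLAGS, so the static patch is better replaced by a post-patch substitution in the Makefile, e.g. `${REINPLACE_CMD} -e 's|"/gitleaks.toml"|"${DATADIR}/gitleaks.toml"|' ${WRKSRC}/config/path.go`. Upstream's default of `/gitleaks.toml` presumably reflects the container image layout the pkg-descr mentions, so a one-line comment on that substitution saying why the path is rewritten would help the next maintainer who updates the port.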
diff --git a/security/gitlab-analyzers-secrets/pkg-descr b/security/gitlab-analyzers-secrets/pkg-descr
new file mode 100644
index 000000000000..c14fd9a4ce4a
--- /dev/null
+++ b/security/gitlab-analyzers-secrets/pkg-descr
@@ -0,0 +1,11 @@
+secrets analyzer performs Secret Detection scanning. It reports possible secret
+leaks, like application tokens and cryptographic keys, in the source code and
+files contained in your project.
+The analyzer wraps Gitleaks tool, and is written in Go. It's structured
+similarly to other Static Analysis analyzers because it uses the shared
+command package.
+The analyzer is built and published as a Docker image in the GitLab Container
+Registry associated with this repository. You would typically use this analyzer
+in the context of a SAST, IaC, or Secret Detection job in your CI/CD pipeline.
+However, if you're contributing to the analyzer or you need to debug a problem,
+you can run, debug, and test locally using Docker.