add gitleaks

.families.yaml

@@ -1,5 +1,5 @@
 sbom:
-  enabled: true
+  enabled: false
   analyzers_list:
     - "syft"
     - "gomod"
@@ -26,7 +26,7 @@ sbom:
         token: "token"
 
 vulnerabilities:
-  enabled: true
+  enabled: false
   scanners_list:
     - "grype"
   inputs:
@@ -63,9 +63,9 @@ secrets:
   inputs:
     - input: "/dir"
       input_type: "dir"
-    - input: "/rootfs"
-      input_type: "rootfs"
+#    - input: "/rootfs"
+#      input_type: "rootfs"
   gitleaks_config:
-    foo: "bar"
-
-
+    binary_path: "/usr/local/bin/gitleaks"
+    source: "/Users/erezf/go/src/wwwin-github.cisco.com/eti/agent"
+    report_path: "/tmp/report.json"

Makefile

@@ -128,6 +128,7 @@ check: lint test ## Run tests and linters
 gomod-tidy:
 	cd backend && go mod tidy
 	cd runtime_scan && go mod tidy
+	cd shared && go mod tidy
 
 .PHONY: api
 api: ## Generating API code

cli/cmd/root.go

@@ -98,7 +98,7 @@ func init() {
 	// Here you will define your flags and configuration settings.
 	// Cobra supports persistent flags, which, if defined here,
 	// will be global for your application.
-	rootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is $HOME/.vmclarity.yaml)")
+	rootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is $HOME/.vmclarity/config.yaml)")
 	rootCmd.PersistentFlags().StringVar(&output, "output", "", "set file path output (default: stdout)")
 }
 

shared/pkg/families/manager.go

@@ -75,8 +75,8 @@ func New(logger *log.Entry, config *Config) *Manager {
 func (m *Manager) Run() (*results.Results, error) {
 	familiesResults := results.New()
 
-	for _, analyzer := range m.families {
-		ret, err := analyzer.Run(familiesResults)
+	for _, family := range m.families {
+		ret, err := family.Run(familiesResults)
 		if err != nil {
 			return nil, err
 		}

shared/pkg/families/sbom/family.go

@@ -27,15 +27,15 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	_interface "github.com/openclarity/vmclarity/shared/pkg/families/interface"
-	"github.com/openclarity/vmclarity/shared/pkg/families/results"
+	_results "github.com/openclarity/vmclarity/shared/pkg/families/results"
 )
 
 type SBOM struct {
 	logger *log.Entry
 	conf   Config
 }
 
-func (s SBOM) Run(res *results.Results) (_interface.IsResults, error) {
+func (s SBOM) Run(res *_results.Results) (_interface.IsResults, error) {
 	s.logger.Info("SBOM Run...")
 
 	if len(s.conf.Inputs) == 0 {

shared/pkg/families/secrets/config.go

@@ -16,9 +16,16 @@
 package secrets
 
 type Config struct {
-	Enabled      bool     `yaml:"enabled" mapstructure:"enabled"`
-	ScannersList []string `yaml:"scanners_list" mapstructure:"scanners_list"`
-	Inputs       []Inputs `yaml:"inputs" mapstructure:"inputs"`
+	Enabled        bool            `yaml:"enabled" mapstructure:"enabled"`
+	ScannersList   []string        `yaml:"scanners_list" mapstructure:"scanners_list"`
+	Inputs         []Inputs        `yaml:"inputs" mapstructure:"inputs"`
+	GitleaksConfig *GitleaksConfig `yaml:"gitleaks_config" mapstructure:"gitleaks_config"`
+}
+
+type GitleaksConfig struct {
+	BinaryPath string `yaml:"binary_path" mapstructure:"binary_path"`
+	Source     string `yaml:"source" mapstructure:"source"`
+	ReportPath string `yaml:"report_path" mapstructure:"report_path"`
 }
 
 type Inputs struct {

shared/pkg/families/secrets/family.go

@@ -16,6 +16,13 @@
 package secrets
 
 import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"os/exec"
+
 	log "github.com/sirupsen/logrus"
 
 	_interface "github.com/openclarity/vmclarity/shared/pkg/families/interface"
@@ -28,10 +35,45 @@ type Secrets struct {
 }
 
 func (s Secrets) Run(res *results.Results) (_interface.IsResults, error) {
-	//TODO implement me
 	s.logger.Info("Secrets Run...")
+
+	// validate that gitleaks binary exists
+	if _, err := os.Stat(s.conf.GitleaksConfig.BinaryPath); err != nil {
+		return nil, fmt.Errorf("failed to find binary in %v: %v", s.conf.GitleaksConfig.BinaryPath, err)
+	}
+
+	// ./gitleaks detect -v --source=<source> --no-git -r <report-path> -f json --exit-code 0
+	cmd := exec.Command(s.conf.GitleaksConfig.BinaryPath, "detect", fmt.Sprintf("--source=%v", s.conf.GitleaksConfig.Source), "--no-git", "-r", s.conf.GitleaksConfig.ReportPath, "-f", "json", "--exit-code", "0")
+	_, err := runCommand(cmd)
+	if err != nil {
+		return nil, fmt.Errorf("failed to run gitleaks command: %v", err)
+	}
+	out, err := os.ReadFile(s.conf.GitleaksConfig.ReportPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read report file from path: %v. %v", s.conf.GitleaksConfig.ReportPath, err)
+	}
+
+	log.Infof("gitleaks results: %s", out)
+
+	var retResults Results
+	if err := json.Unmarshal(out, &retResults.Findings); err != nil {
+		return nil, err
+	}
+
 	s.logger.Info("Secrets Done...")
-	return &Results{}, nil
+	return &retResults, nil
+}
+
+func runCommand(cmd *exec.Cmd) ([]byte, error) {
+	//cmd := exec.Command(name, arg)
+	var outb, errb bytes.Buffer
+	cmd.Stdout = &outb
+	cmd.Stderr = &errb
+	if err := cmd.Run(); err != nil {
+		err = errors.New(fmt.Sprintf("%v. %v", err, errb.String()))
+		return nil, fmt.Errorf("failed to run command: %v. %v", cmd.String(), err)
+	}
+	return outb.Bytes(), nil
 }
 
 // ensure types implement the requisite interfaces

shared/pkg/families/secrets/result.go

@@ -16,6 +16,43 @@
 package secrets
 
 type Results struct {
+	Findings []Findings
+}
+
+type Findings struct {
+	Description string
+	StartLine   int
+	EndLine     int
+	StartColumn int
+	EndColumn   int
+
+	Line string `json:"-"`
+
+	Match string
+
+	// Secret contains the full content of what is matched in
+	// the tree-sitter query.
+	Secret string
+
+	// File is the name of the file containing the finding
+	File        string
+	SymlinkFile string
+	Commit      string
+
+	// Entropy is the shannon entropy of Value
+	Entropy float32
+
+	Author  string
+	Email   string
+	Date    string
+	Message string
+	Tags    []string
+
+	// Rule is the name of the rule that was matched
+	RuleID string
+
+	// unique identifer
+	Fingerprint string
 }
 
 func (*Results) IsResults() {}