Diffstat (limited to 'security/gitlab-analyzers-secrets')
| -rw-r--r-- | security/gitlab-analyzers-secrets/Makefile | 66 | ||||
| -rw-r--r-- | security/gitlab-analyzers-secrets/distinfo | 9 | ||||
| -rw-r--r-- | security/gitlab-analyzers-secrets/files/patch-config_path.go | 11 | ||||
| -rw-r--r-- | security/gitlab-analyzers-secrets/pkg-descr | 11 |
4 files changed, 97 insertions, 0 deletions
diff --git a/security/gitlab-analyzers-secrets/Makefile b/security/gitlab-analyzers-secrets/Makefile
new file mode 100644
index 000000000000..d393955e070d
--- /dev/null
+++ b/security/gitlab-analyzers-secrets/Makefile
@@ -0,0 +1,66 @@
+PORTNAME= secrets
+DISTVERSIONPREFIX= v
+DISTVERSION= 7.20.1
+CATEGORIES= security
+MASTER_SITES= https://gitlab.com/api/v4/projects/60960406/packages/generic/secret-detection-rules/${SECRET_DETECTION_RULES_VERSION}/:rules \
+ https://gitlab.com/gitlab-org/security-products/post-analyzers/scripts/-/raw/v${POST_ANALYZER_SCRIPTS_VERSION}/:script
+PKGNAMEPREFIX= gitlab-analyzers-
+DISTFILES= secret-detection-rules-${SECRET_DETECTION_RULES_VERSION}.zip:rules \
+ start.sh:script
+EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX}
+
+MAINTAINER= mfechner@FreeBSD.org
+COMMENT= Secret detection scanner for Gitlab
+WWW= https://gitlab.com/gitlab-org/security-products/analyzers/secrets
+
+LICENSE= MIT
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
+EXTRACT_DEPENDS= ${UNZIP_CMD}:archivers/unzip
+RUN_DEPENDS= gitleaks:devel/gitleaks \
+ git>=0:devel/git
+
+USES= go:modules,1.24 tar:bzip2
+
+USE_GITLAB= yes
+GL_ACCOUNT= gitlab-org/security-products/analyzers
+
+GO_MOD_DIST= gitlab
+GO_MODULE= gitlab.com/gitlab-org/security-products/analyzers/secrets/v6
+
+GO_TARGET= ${PORTNAME}:analyzer-binary
+GO_BUILDFLAGS= -ldflags="-X '${GO_MODULE}/metadata.AnalyzerVersion=${DISTVERSIONFULL}'"
+
+DATADIR= ${PREFIX}/share/${PKGNAMEPREFIX}${PORTNAME}
+
+# Versions
+# These version can be found in https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/master/Dockerfile
+SECRET_DETECTION_RULES_VERSION= v0.20.1
+POST_ANALYZER_SCRIPTS_VERSION= 0.3.0
+
+# Define where the rules should be extracted
+RULES_DIR= ${WRKDIR}/rules
+POSTSCRIPT_DIR= ${WRKDIR}/script
+
+post-extract:
+ # Create rules directory and extract the zip file there
+ ${MKDIR} ${RULES_DIR}
+ ${UNZIP_CMD} -q -d ${RULES_DIR} ${DISTDIR}/${DIST_SUBDIR}/secret-detection-rules-${SECRET_DETECTION_RULES_VERSION}.zip
+
+ # Gitlab pipeline integration script
+ ${MKDIR} ${POSTSCRIPT_DIR}
+ ${CP} ${DISTDIR}/${DIST_SUBDIR}/start.sh ${POSTSCRIPT_DIR}/analyzer
+ # the binary that is executed is locate in /usr/local/bin, replace this
+ ${REINPLACE_CMD} -e 's|SCRIPT_BASE_DIR="\$${SCRIPT_BASE_DIR:=/}"|SCRIPT_BASE_DIR="\$${SCRIPT_BASE_DIR:=${PREFIX}/bin}"|' \
+ ${POSTSCRIPT_DIR}/analyzer
+
+post-install:
+ ${MKDIR} ${STAGEDIR}${DATADIR}
+ ${INSTALL_DATA} ${WRKDIR}/rules/dist/all_rules.toml ${STAGEDIR}${DATADIR}/gitleaks.toml
+ ${INSTALL} -m 0555 ${POSTSCRIPT_DIR}/analyzer ${STAGEDIR}${PREFIX}/bin
+
+PLIST_FILES= bin/analyzer \
+ bin/analyzer-binary \
+ ${DATADIR}/gitleaks.toml
+
+.include <bsd.port.mk>
diff --git a/security/gitlab-analyzers-secrets/distinfo b/security/gitlab-analyzers-secrets/distinfo
new file mode 100644
index 000000000000..512c1ff74030
--- /dev/null
+++ b/security/gitlab-analyzers-secrets/distinfo
@@ -0,0 +1,9 @@
+TIMESTAMP = 1763217291
+SHA256 (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/secret-detection-rules-v0.20.1.zip) = a437defac99235166816b9d1b15e673524ea672a81de0fb3089b905a66496e8c
+SIZE (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/secret-detection-rules-v0.20.1.zip) = 78238
+SHA256 (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/start.sh) = 7c651c5fae95d29e9cddfb8df492218378f86789b49c4564eb25cbb97f12297d
+SIZE (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/start.sh) = 2904
+SHA256 (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/go.mod) = 4e33dfef63cada7f5073ccea83c0cd949878d20ce0067966de79f3bb01e79176
+SIZE (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/go.mod) = 2208
+SHA256 (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/secrets-v7.20.1.tar.bz2) = 99fe22f193b02f5a850a95c4a1aa3f2675d5af92ebb0073c780ff2cf573b18dc
+SIZE (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/secrets-v7.20.1.tar.bz2) = 195376
diff --git a/security/gitlab-analyzers-secrets/files/patch-config_path.go b/security/gitlab-analyzers-secrets/files/patch-config_path.go
new file mode 100644
index 000000000000..419c0fb7ba4a
--- /dev/null
+++ b/security/gitlab-analyzers-secrets/files/patch-config_path.go
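Review bot: The `${REINPLACE_CMD}` in post-extract rewrites a default inside the vendored start.sh, but sed exits 0 when its pattern does not match, so a changed upstream script would still install `bin/analyzer` with `SCRIPT_BASE_DIR` defaulting to `/` and nothing in the build would say so. The distinfo checksum pins start.sh for this version, so the exposure is on the next bump rather than now; a guard right after the substitution makes that failure loud: `@${GREP} -q 'SCRIPT_BASE_DIR:=${PREFIX}/bin' ${POSTSCRIPT_DIR}/analyzer`. Two smaller things in post-install and in the comment above the sed: `${INSTALL} -m 0555` is what `${INSTALL_SCRIPT}` already does, and "is locate in" should read "is located in". The `/v6` suffix on `GO_MODULE` beside `DISTVERSION= 7.20.1` reads like a major-version mismatch; if upstream's go.mod really still declares `/v6`, a one-line comment saying so would spare the next updater the same double-take.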
@@ -0,0 +1,11 @@
+--- config/path.go.orig 2025-11-15 14:06:29 UTC
++++ config/path.go
+@@ -9,7 +9,7 @@ import (
+ )
+ 
+ // DefaultPathGitleaksConfig is the default path for the Gitleaks configuration file.
+-const DefaultPathGitleaksConfig = "/gitleaks.toml"
++const DefaultPathGitleaksConfig = "/usr/local/share/gitlab-analyzers-secrets/gitleaks.toml"
+ 
+ // GitleaksPassthroughTarget is the target filename for Gitleaks configuration in passthrough scenarios.
+ const GitleaksPassthroughTarget = "gitleaks.toml"
diff --git a/security/gitlab-analyzers-secrets/pkg-descr b/security/gitlab-analyzers-secrets/pkg-descr
new file mode 100644
index 000000000000..c14fd9a4ce4a
--- /dev/null
+++ b/security/gitlab-analyzers-secrets/pkg-descr
@@ -0,0 +1,11 @@
+secrets analyzer performs Secret Detection scanning. It reports possible secret
+leaks, like application tokens and cryptographic keys, in the source code and
+files contained in your project.
+The analyzer wraps Gitleaks tool, and is written in Go. It's structured
+similarly to other Static Analysis analyzers because it uses the shared
+command package.
+The analyzer is built and published as a Docker image in the GitLab Container
+Registry associated with this repository. You would typically use this analyzer
+in the context of a SAST, IaC, or Secret Detection job in your CI/CD pipeline.
+However, if you're contributing to the analyzer or you need to debug a problem,
+you can run, debug, and test locally using Docker.
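Review bot: The replacement value of `DefaultPathGitleaksConfig` hard-codes `/usr/local/share/gitlab-analyzers-secrets/gitleaks.toml`, while the Makefile installs the rules file at `${DATADIR}/gitleaks.toml` with `DATADIR` derived from `${PREFIX}`, so a build with a non-default PREFIX produces a binary whose default config path points at a file the package does not install. The usual ports fix is a placeholder in the patch, `+const DefaultPathGitleaksConfig = "%%DATADIR%%/gitleaks.toml"`, substituted in a post-patch target with `${REINPLACE_CMD} -e 's|%%DATADIR%%|${DATADIR}|' ${WRKSRC}/config/path.go`; the `-X` ldflag already used for the version cannot do this because the symbol is a `const`, not a `var`. The patched file's `import (` block and anything after the second constant lie outside this hunk.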
