security/gitlab-analyzers-secrets: added gitlab secret detection scanner

2025-11-15 17:29:50 +01:00
parent 5b72756e79
commit 6188917304
5 changed files with 98 additions and 0 deletions
--- a/security/Makefile
+++ b/security/Makefile
@@ -181,6 +181,7 @@
    SUBDIR += git-remote-gcrypt
    SUBDIR += git-secret
    SUBDIR += gitjacker
+    SUBDIR += gitlab-analyzers-secrets
    SUBDIR += globalprotect-openconnect
    SUBDIR += gnome-keyring
    SUBDIR += gnupg
--- a/security/gitlab-analyzers-secrets/Makefile
+++ b/security/gitlab-analyzers-secrets/Makefile
@@ -0,0 +1,66 @@
+PORTNAME=	secrets
+DISTVERSIONPREFIX=	v
+DISTVERSION=	7.20.1
+CATEGORIES=	security
+MASTER_SITES=	https://gitlab.com/api/v4/projects/60960406/packages/generic/secret-detection-rules/${SECRET_DETECTION_RULES_VERSION}/:rules \
+		https://gitlab.com/gitlab-org/security-products/post-analyzers/scripts/-/raw/v${POST_ANALYZER_SCRIPTS_VERSION}/:script
+PKGNAMEPREFIX=	gitlab-analyzers-
+DISTFILES=	secret-detection-rules-${SECRET_DETECTION_RULES_VERSION}.zip:rules \
+		start.sh:script
+EXTRACT_ONLY=	${DISTNAME}${EXTRACT_SUFX}
+
+MAINTAINER=	mfechner@FreeBSD.org
+COMMENT=	Secret detection scanner for Gitlab
+WWW=		https://gitlab.com/gitlab-org/security-products/analyzers/secrets
+
+LICENSE=	MIT
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+EXTRACT_DEPENDS=	${UNZIP_CMD}:archivers/unzip
+RUN_DEPENDS=	gitleaks:devel/gitleaks \
+		git>=0:devel/git
+
+USES=		go:modules,1.24 tar:bzip2
+
+USE_GITLAB=	yes
+GL_ACCOUNT=	gitlab-org/security-products/analyzers
+
+GO_MOD_DIST=	gitlab
+GO_MODULE=	gitlab.com/gitlab-org/security-products/analyzers/secrets/v6
+
+GO_TARGET=	${PORTNAME}:analyzer-binary
+GO_BUILDFLAGS=	-ldflags="-X '${GO_MODULE}/metadata.AnalyzerVersion=${DISTVERSIONFULL}'"
+
+DATADIR=	${PREFIX}/share/${PKGNAMEPREFIX}${PORTNAME}
+
+# Versions
+# These version can be found in https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/master/Dockerfile
+SECRET_DETECTION_RULES_VERSION=	v0.20.1
+POST_ANALYZER_SCRIPTS_VERSION=	0.3.0
+
+# Define where the rules should be extracted
+RULES_DIR=	${WRKDIR}/rules
+POSTSCRIPT_DIR=	${WRKDIR}/script
+
+post-extract:
+	# Create rules directory and extract the zip file there
+	${MKDIR} ${RULES_DIR}
+	${UNZIP_CMD} -q -d ${RULES_DIR} ${DISTDIR}/${DIST_SUBDIR}/secret-detection-rules-${SECRET_DETECTION_RULES_VERSION}.zip
+
+	# Gitlab pipeline integration script
+	${MKDIR} ${POSTSCRIPT_DIR}
+	${CP} ${DISTDIR}/${DIST_SUBDIR}/start.sh ${POSTSCRIPT_DIR}/analyzer
+	# the binary that is executed is locate in /usr/local/bin, replace this
+	${REINPLACE_CMD} -e 's|SCRIPT_BASE_DIR="\$${SCRIPT_BASE_DIR:=/}"|SCRIPT_BASE_DIR="\$${SCRIPT_BASE_DIR:=${PREFIX}/bin}"|' \
+		${POSTSCRIPT_DIR}/analyzer
+
+post-install:
+	${MKDIR} ${STAGEDIR}${DATADIR}
+	${INSTALL_DATA} ${WRKDIR}/rules/dist/all_rules.toml ${STAGEDIR}${DATADIR}/gitleaks.toml
+	${INSTALL} -m 0555 ${POSTSCRIPT_DIR}/analyzer ${STAGEDIR}${PREFIX}/bin
+
+PLIST_FILES=	bin/analyzer \
+		bin/analyzer-binary \
+		${DATADIR}/gitleaks.toml
+
+.include <bsd.port.mk>
--- a/security/gitlab-analyzers-secrets/distinfo
+++ b/security/gitlab-analyzers-secrets/distinfo
@@ -0,0 +1,9 @@
+TIMESTAMP = 1763217291
+SHA256 (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/secret-detection-rules-v0.20.1.zip) = a437defac99235166816b9d1b15e673524ea672a81de0fb3089b905a66496e8c
+SIZE (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/secret-detection-rules-v0.20.1.zip) = 78238
+SHA256 (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/start.sh) = 7c651c5fae95d29e9cddfb8df492218378f86789b49c4564eb25cbb97f12297d
+SIZE (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/start.sh) = 2904
+SHA256 (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/go.mod) = 4e33dfef63cada7f5073ccea83c0cd949878d20ce0067966de79f3bb01e79176
+SIZE (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/go.mod) = 2208
+SHA256 (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/secrets-v7.20.1.tar.bz2) = 99fe22f193b02f5a850a95c4a1aa3f2675d5af92ebb0073c780ff2cf573b18dc
+SIZE (go/security_gitlab-analyzers-secrets/secrets-v7.20.1/secrets-v7.20.1.tar.bz2) = 195376
--- a/security/gitlab-analyzers-secrets/files/patch-config_path.go
+++ b/security/gitlab-analyzers-secrets/files/patch-config_path.go
@@ -0,0 +1,11 @@
+--- config/path.go.orig	2025-11-15 14:06:29 UTC
+++ config/path.go
+@@ -9,7 +9,7 @@ import (
+ )
+ 
+ // DefaultPathGitleaksConfig is the default path for the Gitleaks configuration file.
+-const DefaultPathGitleaksConfig = "/gitleaks.toml"
+const DefaultPathGitleaksConfig = "/usr/local/share/gitlab-analyzers-secrets/gitleaks.toml"
+ 
+ // GitleaksPassthroughTarget is the target filename for Gitleaks configuration in passthrough scenarios.
+ const GitleaksPassthroughTarget = "gitleaks.toml"
--- a/security/gitlab-analyzers-secrets/pkg-descr
+++ b/security/gitlab-analyzers-secrets/pkg-descr
@@ -0,0 +1,11 @@
+secrets analyzer performs Secret Detection scanning. It reports possible secret
+leaks, like application tokens and cryptographic keys, in the source code and
+files contained in your project.
+The analyzer wraps Gitleaks tool, and is written in Go. It's structured
+similarly to other Static Analysis analyzers because it uses the shared
+command package.
+The analyzer is built and published as a Docker image in the GitLab Container
+Registry associated with this repository. You would typically use this analyzer
+in the context of a SAST, IaC, or Secret Detection job in your CI/CD pipeline.
+However, if you're contributing to the analyzer or you need to debug a problem,
+you can run, debug, and test locally using Docker.