Commit f1c1bc73 authored by Clement Bois

Merge branch 'feat/betterleaks' into 'main'

feat: add betterleaks support as better/faster alternative

See merge request to-be-continuous/gitleaks!67
parents 0e6d944d 816ff678
+23 −8
# GitLab CI template for Gitleaks
# GitLab CI template for Gitleaks / betterleaks

This project implements a GitLab CI/CD template to detect and prevent hardcoded secrets in your 
Git repository with [Gitleaks](https://github.com/zricethezav/gitleaks/wiki).

You could also use [betterleaks](https://github.com/betterleaks/betterleaks) *"A Better Secrets Scanner built for configurability and speed"* by Zach Rice; he's the same guy who originally wrote Gitleaks.

## Usage

This template can be used both as a [CI/CD component](https://docs.gitlab.com/ci/components/#use-a-component)
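Review bot: the first paragraph still says the template detects secrets "with Gitleaks" only, while the new heading and the added paragraph present betterleaks as an equal alternative; suggest "with [Gitleaks](...) or [betterleaks](...)" so the opening matches the heading. Minor: that paragraph links the old `zricethezav/gitleaks/wiki` URL while the rest of the README links `github.com/gitleaks/gitleaks`; worth aligning while this section is being touched.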
@@ -56,6 +58,19 @@ We recommend against rewriting Git history to remove the secrets that were alrea

Once the secrets have been rotated or confirmed as false positives, you can mark the findings as resolved by adding a [`.gitleaksignore` file](https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore) to your repository. It should contain one fingerprint per line as reported in the job log.

## Choose engine `gitleaks` or `betterleaks`

Just provide a Docker image with the `gitleaks` or `betterleaks` installed. If both are available, the new `betterleaks` tool take priority. 

To choose define `image`:
- Gitleaks: keep the default Docker image below 
- betterleaks: use offical Docker image `ghcr.io/betterleaks/betterleaks:latest`

While maintaining full compatibility, `betterleaks` offers significant performance gains, including faster processing, increased scanning capacity, and more efficient detection algorithms.

- betterleaks [usage docs](https://github.com/betterleaks/betterleaks?tab=readme-ov-file#usage)
- Gitleaks [usage docs](https://github.com/gitleaks/gitleaks?tab=readme-ov-file#usage)

## `gitleaks` jobs configuration

Those jobs trigger a Gitleaks analysis (either on the complete repository, either on the current branch).
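Review bot: the recommended image `ghcr.io/betterleaks/betterleaks:latest` is a floating tag for a binary that reads every commit in the repository; with `:latest` the scanner build can change underneath the pipeline with no change to the pipeline definition, so this section should recommend pinning a version tag or a digest (for example `image: ghcr.io/betterleaks/betterleaks@sha256:<digest>`) and say how the engine is selected: the job runs `betterleaks` when that binary exists in the image and falls back to `gitleaks` otherwise. Typos in the same paragraph: "offical" should be "official", and "the new `betterleaks` tool take priority" should be "takes priority"; "To choose define `image`:" reads better as "To choose the engine, set `image`:".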
@@ -63,7 +78,7 @@ They use the following configuration.

| Input / Variable | Description                            | Default value     |
| --------------------- | -------------------------------------- | ----------------- |
| `image` / `GITLEAKS_IMAGE` | The Docker image used to run Gitleaks  | `docker.io/zricethezav/gitleaks:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-GITLEAKS_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-GITLEAKS_IMAGE) |
| `image` / `GITLEAKS_IMAGE` | The Docker image used to run Gitleaks / betterleaks  | `docker.io/zricethezav/gitleaks:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-GITLEAKS_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-GITLEAKS_IMAGE) |
| `rules` / `GITLEAKS_RULES` | Gitleaks [configuration rules](https://github.com/zricethezav/gitleaks#configuration) to use (you may also provide your own `.gitleaks.toml` configuration file in your project). | _none_ (uses default rules) |
| `args` / `GITLEAKS_ARGS` | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a full Gitleaks analysis (on master or develop branches) | `--verbose --redact` |

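Review bot: only the `image` row was updated; the `rules` row still tells users to provide a `.gitleaks.toml`, although the rules section below now documents that `.betterleaks.toml` is looked up first, and the `args` row still links only the Gitleaks options wiki. Suggest mentioning `.betterleaks.toml` in the `rules` description and linking the betterleaks usage docs next to the Gitleaks ones in the `args` row.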
@@ -77,9 +92,9 @@ In addition to a textual report in the console, this job produces the following

Here is how this GitLab CI template chooses the Gitleaks rules to use:

1. It first looks for a `.gitleaks.toml` file at the root of your project repository.
2. If not found, it uses the `.toml` file specified with the `$GITLEAKS_RULES` variable.
3. If not specified, [default Gitleaks rules](https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) are used.

1. It first looks for a `.betterleaks.toml` file at the root of your project repository.
2. It then looks for a `.gitleaks.toml` file at the root of your project repository.
3. If not found, it uses the `.toml` file specified with the `$GITLEAKS_RULES` variable.
4. If not specified, [default Gitleaks rules](https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) are used.

Your Gitleaks rule file can extend the default rules by using `[extend]` + `useDefault = true` as explained in the [Gitleaks documentation](https://github.com/gitleaks/gitleaks/blob/master/README.md#configuration)
Your Gitleaks rule file can extend the default rules by using `[extend]` + `useDefault = true` as explained in the [Gitleaks documentation](https://github.com/gitleaks/gitleaks/blob/master/README.md#configuration) or [betterleaks documentation](https://github.com/betterleaks/betterleaks?tab=readme-ov-file#configuration).
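Review bot: step 4 still links the Gitleaks default ruleset regardless of engine; if betterleaks ships its own default rules, say so (or link them), otherwise readers will assume both engines fall back to the same rules. Also worth stating that the lookup order is engine-independent: step 1 picks up `.betterleaks.toml` even when the image only provides `gitleaks`, because the engine is detected later in the job script, not during rules selection.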
+1 −1
@@ -8,7 +8,7 @@
  "variables": [
    {
      "name": "GITLEAKS_IMAGE",
      "description": "The Docker image used to run Gitleaks",
      "description": "The Docker image used to run Gitleaks / betterleaks (official image: `ghcr.io/betterleaks/betterleaks:latest`)",
      "default": "docker.io/zricethezav/gitleaks:latest"
    },
    {
+13 −2
@@ -219,7 +219,10 @@ stages:
  }

  function install_gitleaks_rules() {
    if [[ -f ".gitleaks.toml" ]]
    if [[ -f ".betterleaks.toml" ]]
    then
      log_info "Using custom betterleaks rules from project (\\e[33;1m.betterleaks.toml\\e[0m)"
    elif [[ -f ".gitleaks.toml" ]]
    then
      log_info "Using custom Gitleaks rules from project (\\e[33;1m.gitleaks.toml\\e[0m)"
    elif [[ "$GITLEAKS_RULES" ]]
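Review bot: `install_gitleaks_rules` now prefers `.betterleaks.toml` over `.gitleaks.toml`, but at this point it does not know which binary will run: `GITLEAKS_CMD` is only set further down in the `gitleaks` job script, after this function has already chosen the rules file. A `.betterleaks.toml` that relies on betterleaks-specific configuration would therefore also be selected on the default gitleaks image. Consider detecting the engine before calling this function and passing it in, or documenting the precedence as intentionally engine-independent.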
@@ -263,7 +266,15 @@ gitleaks:
        log_info "Full branch analysis (\\e[33;1m${CI_COMMIT_SHA}\\e[0m and ancestors)"
        log_opts="${CI_COMMIT_SHA}"
      fi
    - gitleaks git ${TRACE+--log-level debug} $gitleaks_rule_opts --log-opts "$log_opts" --platform gitlab --report-path reports/gitleaks.native.json $GITLEAKS_ARGS .
    - | 
      if command -v betterleaks > /dev/null; then
        log_info "Using betterleaks" 
        GITLEAKS_CMD=betterleaks
      else
        log_info "Using gitleaks"
        GITLEAKS_CMD=gitleaks
      fi
    - $GITLEAKS_CMD git ${TRACE+--log-level debug} $gitleaks_rule_opts --log-opts "$log_opts" --platform gitlab --report-path reports/gitleaks.native.json $GITLEAKS_ARGS .
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    when: always
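Review bot: the shared command line assumes betterleaks accepts exactly the same flags as gitleaks (`--log-level`, `--log-opts`, `--platform gitlab`, `--report-path`), which is the "full compatibility" claim the README makes; a smoke run of the job on both images would back that up before merge. Since the engine is chosen at runtime and the images use `:latest` tags, consider logging the resolved scanner version next to the `log_info "Using ..."` line (gitleaks has a `version` subcommand) so the job log records which build produced `reports/gitleaks.native.json`. Style: trailing whitespace on `- | ` and on `log_info "Using betterleaks" `.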