chore(deps): update tool dependencies

[ory-bot]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
aquasecurity/trivy	minor	0.58.0 → 0.69.0
gitleaks/gitleaks	minor	8.21.2 → 8.30.0
securego/gosec	patch	2.22.0 → 2.22.11

---

Release Notes

aquasecurity/trivy (aquasecurity/trivy)

v0.69.0

Compare Source

👉 Trivy v0.69.0 release notes (click here)

⬇️ Download Trivy

• MacOS Apple Silicon
• MacOS Intel
• Linux Intel
• Linux ARM
• Windows Intel

🐳 New Docker Install option

• docker pull get.trivy.dev/image/trivy:0.69.0

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0690-2026-01-30

v0.68.2

Compare Source

Changelog

• 0c40a8d release: v0.68.2 [release/v0.68] (#​9950)
• db28945 fix(deps): bump alpine from 3.22.1 to 3.23.0 [backport: release/v0.68] (#​9949)

v0.68.1

Compare Source

👉 Trivy v0.68.1 release notes (click here)

[!NOTE]
v0.68.0 was skipped due to issues with the release.

⬇️ Download Trivy

• MacOS Apple Silicon
• MacOS Intel
• Linux Intel
• Linux ARM
• Windows Intel

🐳 Docker Install

• docker pull get.trivy.dev/image/trivy:0.68.1

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0680-2025-12-02

v0.67.2

Compare Source

Changelog

• 60c57ad release: v0.67.2 [release/v0.67] (#​9639)
• f3ee80c fix: Use fetch-level: 1 to check out trivy-repo in the release workflow [backport: release/v0.67] (#​9638)

v0.67.1

Compare Source

Changelog

• cbed239 release: v0.67.1 [release/v0.67] (#​9614)
• 1a84093 fix: restore compatibility for google.protobuf.Value [backport: release/v0.67] (#​9631)
• 3bc1490 fix: using SrcVersion instead of Version for echo detector [backport: release/v0.67] (#​9629)
• 542eee7 fix: add buildInfo for BlobInfo in rpc package [backport: release/v0.67] (#​9615)
• f65dd05 fix(vex): don't use reused BOM [backport: release/v0.67] (#​9612)

v0.67.0

Compare Source

👉 Trivy v0.67.0 release notes (click here)

⬇️ Download Trivy

• MacOS Apple Silicon
• MacOS Intel
• Linux Intel
• Linux ARM
• Windows Intel

🐳 New Docker Install option

• docker pull get.trivy.dev/image/trivy:0.67.0

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0670-2025-09-30

v0.66.0

Compare Source

👉 Trivy v.66.0 release notes (click here)

⬇️ Download Trivy

• MacOS Apple Silicon
• MacOS Intel
• Linux Intel
• Linux ARM
• Windows Intel

Full changelog

v0.65.0

Compare Source

👉 Trivy v.65.0 release notes (click here)

⬇️ Download Trivy

• MacOS Apple Silicon
• MacOS Intel
• Linux Intel
• Linux ARM
• Windows Intel

Full changelog

v0.64.1

Compare Source

Changelog

• 86ee3c1 release: v0.64.1 [release/v0.64] (#​9122)
• 4e12722 fix(misconf): skip rewriting expr if attr is nil [backport: release/v0.64] (#​9127)
• 9a7d384 fix(cli): Add more non-sensitive flags to telemetry [backport: release/v0.64] (#​9124)
• 53adfba fix(rootio): check full version to detect root.io packages [backport: release/v0.64] (#​9120)
• 8cf1bf9 fix(alma): parse epochs from rpmqa file [backport: release/v0.64] (#​9119)

v0.64.0

Compare Source

👉 Trivy v.64.0 release notes (click here)

⬇️ Download Trivy

• MacOS Apple Silicon
• MacOS Intel
• Linux Intel
• Linux ARM
• Windows Intel

Full changelog

v0.63.0

Compare Source

👉 Trivy v.63.0 release notes (click here)

⬇️ Download Trivy

• MacOS Apple Silicon
• MacOS Intel
• Linux Intel
• Linux ARM
• Windows Intel

Full changelog

v0.62.1

Compare Source

Changelog

• c75ed21 release: v0.62.1 [release/v0.62] (#​8825)
• aafebeb chore(deps): bump the common group across 1 directory with 10 updates [backport: release/v0.62] (#​8831)
• 99485cf fix(misconf): check if for-each is known when expanding dyn block [backport: release/v0.62] (#​8826)
• b4fc9e8 fix(redhat): trim invalid suffix from content_sets in manifest parsing [backport: release/v0.62] (#​8824)

v0.62.0

Compare Source

⚡Release highlights and summary⚡

👉 https://redirect.github.com/aquasecurity/trivy/discussions/8801

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0620-2025-04-30

v0.61.1

Compare Source

Changelog

• 7d3b4ff release: v0.61.1 [release/v0.61] (#​8704)
• 80d120f fix(k8s): skip passed misconfigs for the summary report [backport: release/v0.61] (#​8748)
• 9d6290b fix(k8s): correct compare artifact versions [backport: release/v0.61] (#​8699)
• 3799ebb test: use aquasecurity repository for test images [backport: release/v0.61] (#​8698)

v0.61.0

Compare Source

⚡Release highlights and summary⚡

👉 https://redirect.github.com/aquasecurity/trivy/discussions/8639

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0610-2025-03-28

v0.60.0

Compare Source

⚡Release highlights and summary⚡

👉 https://redirect.github.com/aquasecurity/trivy/discussions/8495

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0600-2025-03-05

v0.59.1

Compare Source

Changelog

• 9aabfd2 release: v0.59.1 [release/v0.59] (#​8334)
• 412c690 fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#​8349)
• 98f9ba2 chore(deps): bump Go to v1.23.5 [backport: release/v0.59] (#​8343)
• 1741fdd fix(python): add poetry v2 support [backport: release/v0.59] (#​8335)
• 3fd8e27 fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#​8333)

v0.59.0

Compare Source

⚡Release highlights and summary⚡

👉 https://redirect.github.com/aquasecurity/trivy/discussions/8312

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0590-2025-01-30

v0.58.2

Compare Source

Changelog

• 936f06a release: v0.58.2 [release/v0.58] (#​8216)
• f72d2bc fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#​8238)
• 2896367 fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#​8237)
• b733ecc fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#​8215)

v0.58.1

Compare Source

⚡Release highlights and summary⚡

👉 https://redirect.github.com/aquasecurity/trivy/discussions/8171

Changelog

https://github.com/aquasecurity/trivy/blob/release/v0.58/CHANGELOG.md#0581-2024-12-24

gitleaks/gitleaks (gitleaks/gitleaks)

v8.30.0

Compare Source

Changelog

• 6eaad03 0 to 5 - notes on recursive decoding (#​1994)
• 09242ce Add new Looker client ID and client secret rules (#​1947)
• c98e5e0 feat: add Airtable Personnal Access Token detection (#​1952)
• 4ed0ca4 build: upgrade Go & alpine version (#​1989)

v8.29.1

Compare Source

Changelog

• fb5d707 thats a paddlin
• 50493db feat: document stdout report path (#​1990)

v8.29.0

Compare Source

Changelog

• ed65b65 Add trace log for skipped archive file when not enabled (#​1961)
• c5ccbb9 Respect contexts with timeouts (#​1948)
• 3821f30 Config min version (#​1955)
• d223718 fix(config): validate rules when [extend] is used (#​1592)
• 87d9629 feat: add Amazon Bedrock API key detection (#​1935)
• 228396b Add GitHub Sponsors section and Discord link
• a82bc53 feat: improve regex to detect Sonar tokens with prefixes (#​1931)

v8.28.0

Compare Source

Changelog

• 4fb4382 cant count
• b1c9c7e Composite rules (#​1905)
• 72977e4 feat: add Anthropic API key detection (#​1910)
• 7b02c98 fix(git): handle port (#​1912)
• 2a7bcff dont prematurely calculate fragment newlines (#​1909)
• bd79c3e feat(allowlist): promote optimizations (#​1908)
• 7fb4eda Fix: CVEs on go and go crypto (#​1868)
• a044b81 feat: add artifactory reference token and api key detection (#​1906)
• bf380d4 silly
• f487f85 Update gitleaks.yml
• 958f55a add just like that, no leaks

Optimizations

#​1909 waits to find newlines until a match. This ends up saving a boat load of time since before we were finding newlines for every fragment regardless if a rule matched or not.
#​1908 promoted @​rgmz excellent stopword optimization

Composite Rules (Multi-part or required Rules) #​1905

In v8.28.0 Gitleaks introduced composite rules, which are made up of a single "primary" rule and one or more auxiliary or required rules. To create a composite rule, add a [[rules.required]] table to the primary rule specifying an id and optionally withinLines and/or withinColumns proximity constraints. A fragment is a chunk of content that Gitleaks processes at once (typically a file, part of a file, or git diff), and proximity matching instructs the primary rule to only report a finding if the auxiliary required rules also find matches within the specified area of the fragment.

Proximity matching: Using the withinLines and withinColumns fields instructs the primary rule to only report a finding if the auxiliary required rules also find matches within the specified proximity. You can set:

• withinLines: N - required findings must be within N lines (vertically)
• withinColumns: N - required findings must be within N characters (horizontally)
• Both - creates a rectangular search area (both constraints must be satisfied)
• Neither - fragment-level matching (required findings can be anywhere in the same fragment)

Here are diagrams illustrating each proximity behavior:

p = primary captured secret
a = auxiliary (required) captured secret
fragment = section of data gitleaks is looking at

    *Fragment-level proximity*               
    Any required finding in the fragment
          ┌────────┐                       
   ┌──────┤fragment├─────┐                 
   │      └──────┬─┤     │ ┌───────┐       
   │             │a│◀────┼─│✓ MATCH│       
   │          ┌─┐└─┘     │ └───────┘       
   │┌─┐       │p│        │                 
   ││a│    ┌─┐└─┘        │ ┌───────┐       
   │└─┘    │a│◀──────────┼─│✓ MATCH│       
   └─▲─────┴─┴───────────┘ └───────┘       
     │    ┌───────┐                        
     └────│✓ MATCH│                        
          └───────┘                        
                                           
                                           
   *Column bounded proximity*
   `withinColumns = 3`                    
          ┌────────┐                       
   ┌────┬─┤fragment├─┬───┐                 
   │      └──────┬─┤     │ ┌───────────┐   
   │    │        │a│◀┼───┼─│+1C ✓ MATCH│   
   │          ┌─┐└─┘     │ └───────────┘   
   │┌─┐ │     │p│    │   │                 
┌──▶│a│  ┌─┐  └─┘        │ ┌───────────┐   
│  │└─┘ ││a│◀────────┼───┼─│-2C ✓ MATCH│   
│  │       ┘             │ └───────────┘   
│  └── -3C ───0C─── +3C ─┘                 
│  ┌─────────┐                             
│  │ -4C ✗ NO│                             
└──│  MATCH  │                             
   └─────────┘                             
                                           
                                           
   *Line bounded proximity*
   `withinLines = 4`                      
         ┌────────┐                        
   ┌─────┤fragment├─────┐                  
  +4L─ ─ ┴────────┘─ ─ ─│                  
   │                    │                  
   │              ┌─┐   │ ┌────────────┐   
   │         ┌─┐  │a│◀──┼─│+1L ✓ MATCH │   
   0L  ┌─┐   │p│  └─┘   │ ├────────────┤   
   │   │a│◀──┴─┴────────┼─│-1L ✓ MATCH │   
   │   └─┘              │ └────────────┘   
   │                    │ ┌─────────┐      
  -4L─ ─ ─ ─ ─ ─ ─ ─┌─┐─│ │-5L ✗ NO │      
   │                │a│◀┼─│  MATCH  │      
   └────────────────┴─┴─┘ └─────────┘      
                                           
                                           
   *Line and column bounded proximity*
   `withinLines = 4`                      
   `withinColumns = 3`                    
         ┌────────┐                        
   ┌─────┤fragment├─────┐                  
  +4L   ┌└────────┴ ┐   │                  
   │            ┌─┐     │ ┌───────────────┐
   │    │       │a│◀┼───┼─│+2L/+1C ✓ MATCH│
   │         ┌─┐└─┘     │ └───────────────┘
   0L   │    │p│    │   │                  
   │         └─┘        │                  
   │    │           │   │ ┌────────────┐   
  -4L    ─ ─ ─ ─ ─ ─┌─┐ │ │-5L/+3C ✗ NO│   
   │                │a│◀┼─│   MATCH    │   
   └───-3C────0L───+3C┴─┘ └────────────┘   

v8.27.2

Compare Source

Changelog

• c7acf33 Merge branch 'master' of github.com:gitleaks/gitleaks
• 9faaa4a Add experimental allowlist optimizations (#​1731)
• 79068b3 Detect Notion Public API Keys #​1889 (#​1890)

v8.27.1

Compare Source

Changelog

• 80468ef Merge branch 'master' of github.com:gitleaks/gitleaks
• ef82237 fix(atlassian): reduce false-positives for v1 pattern (#​1892)
• 2463f11 Fix log suppresion issue (#​1887)
• 6f251ee Added Heroku API Key New Version (#​1883)
• 20f9a1d Add Platform Bitbucket (#​1886)
• 722ce82 Add Platform Gitea (#​1884)
• 79780b8 Merge branch 'master' of github.com:gitleaks/gitleaks
• c5683ca prevent default warn message when max-archive-depth not set (#​1881)
• 0357c3c prevent default warn message when max-archive-depth not set

v8.27.0

Compare Source

Changelog

• 782f310 Archive support (#​1872)
• 489d13c Update README.md
• d29ee55 Reduce aws-access-token false positives (#​1876)
• 611db65 Set pass_filenames to false for Docker hook (#​1850)
• 0589ae0 unicode decoding (#​1854)
• 82f7e32 Diagnostics (#​1856)
• f97a9ee chore: include decoder in debug log (#​1853)

Got another @​bplaxco release. Cheers!

Archive Scanning

Sometimes secrets are packaged within archive files like zip files or tarballs,
making them difficult to discover. Now you can tell gitleaks to automatically
extract and scan the contents of archives. The flag --max-archive-depth
enables this feature for both dir and git scan types. The default value of
"0" means this feature is disabled by default.

Recursive scanning is supported since archives can also contain other archives.
The --max-archive-depth flag sets the recursion limit. Recursion stops when
there are no new archives to extract, so setting a very high max depth just
sets the potential to go that deep. It will only go as deep as it needs to.

The findings for secrets located within an archive will include the path to the
file inside the archive. Inner paths are separated with !.

Example finding (shortened for brevity):

Finding:     DB_PASSWORD=8ae31cacf141669ddfb5da
...
File:        testdata/archives/nested.tar.gz!archives/files.tar!files/.env.prod
Line:        4
Commit:      6e6ee6596d337bb656496425fb98644eb62b4a82
...
Fingerprint: 6e6ee6596d337bb656496425fb98644eb62b4a82:testdata/archives/nested.tar.gz!archives/files.tar!files/.env.prod:generic-api-key:4
Link:        https://github.com/leaktk/gitleaks/blob/6e6ee6596d337bb656496425fb98644eb62b4a82/testdata/archives/nested.tar.gz

This means a secret was detected on line 4 of files/.env.prod. which is in
archives/files.tar which is in testdata/archives/nested.tar.gz.

Currently supported formats:

The compression
and archive
formats supported by mholt's archives package
are supported.

v8.26.0

Compare Source

Changelog

• 78eebac Percent/URL Decoding Support (#​1831)
• 6f967ca fix(kubernetes): remove slow element from pat (#​1848)
• 88f56d3 feat: identify slow file (#​1479)
• 9609928 rm 1password detect test since we test it in cfg gen
• 23cb69f feat(rules): Add 1Password secret key detection (#​1834)

Calling this one @​bplaxco's release as he introduced a really clever method for mixed decoding without sacrificing too much performance. As I stated in his PR, I think he's either a wizard or some time traveling AI. Dude is wicked smaht

Anyways, Gitleaks now supports the following decoders: hex, percent(url enconding), and b64. It's relatively straight forward to add a new decoder so if you're motivated, community contributions are welcomed!

Here's an example:

~/code/gitleaks-org/gitleaks (master) cat decode.txt
text below
aGVsbG8sIHdvcmxkIQ%3D%3D%0A
text above
~/code/gitleaks-org/gitleaks (master) ./gitleaks dir decode.txt --max-decode-depth=2 --log-level=debug

    ○
    │╲
    │ ○
    ○ ░
    ░    gitleaks

4:08PM DBG using stdlib regex engine
4:08PM DBG unable to load gitleaks config from decode.txt/.gitleaks.toml since --source=decode.txt is a file, using default config
4:08PM DBG found .gitleaksignore file: .gitleaksignore
4:08PM DBG segment found: original=[29,38] pos=[29,38]: "%3D%3D%0A" -> "==\n"
4:08PM DBG segment found: original=[11,38] pos=[11,31]: "aGVsbG8sIHdvcmxkIQ==" -> "hello, world!"
4:08PM INF scanned ~50 bytes (50 bytes) in 1.5ms
4:08PM INF no leaks found

v8.25.1

Compare Source

Changelog

• d1c7759 fix(detect): test all allowlists (#​1845)

Big thanks @​rgmz

v8.25.0

Compare Source

Changelog

• 4451b45 feat(config): define multiple global allowlists (#​1777) (cause for the minor bump change)
• 7fb21a4 feat(rules): Add Perplexity AI API key detection (#​1825)
• f6193bc feat(gcp): increase rule entropy (#​1840)
• 9bc7257 Adding clickhouse scanner (#​1826)
• b6cc71a fix(baseline): work with --redact (#​1741)
• cfdeb0d feat(rule): validate & sort rule when generating (#​1817)

v8.24.3

Compare Source

Changelog

• 107a418 Add support for GitLab Runner Tokens (Routable) (#​1820)
• 7fac002 bump repo version in pre-commit example (#​1815)
• 4b54104 Fix currentLine out of bounds error (#​1810)
• af7d5bc add support for Azure DevOps platform in SCM detection and link (#​1807)
• 3e8cd2d Add MaxMind license key rule (#​1771)
• ddcc753 implement new openai regex pattern (#​1780)
• 9708e65 A first attempt adding hooks.slack.com/triggers/ (#​1792)
• 198e410 feat(generic): tweak false-positives (#​1803)
• e273a97 chore: tweak logging and readme for GITLEAKS_CONFIG_TOML feature (#​1802)
• a503b58 feat: add option to set config from env var with toml content (#​1662)

v8.24.2

Compare Source

What's Changed

• Fix platform flag being ignored with gitleaks detect by @​rgmz in #​1765
• Make AddFinding public by @​bplaxco in #​1767
• FIX upgrade x/crypto to 0.31.0 to get rid of CVE-2024-45337 by @​cgoessen in #​1768
• Upgrade rs/zerolog, spf13/cobra, and spf13/viper by @​rgmz in #​1769
• Infer report-format from report-path extension if no value is provided by @​rgmz in #​1776
• generic-api-key: ignore csrf-tokens by @​rgmz in #​1779
• Prevent Yocto/BitBake false positives with generic-api-key rule by @​Okeanos in #​1783
• Fix decoded line allowlist by @​zricethezav in #​1788
• Readme badge revisions by @​jessp01 in #​1744
• feat(regexp): use standard regexp by default, make go-re2 opt-in by @​twpayne in #​1798
• gore2 release tags by @​zricethezav in #​1801

New Contributors

• @​cgoessen made their first contribution in #​1768
• @​Okeanos made their first contribution in #​1783
• @​jessp01 made their first contribution in #​1744
• @​twpayne made their first contribution in #​1798

Full Changelog: gitleaks/gitleaks@v8.24.0...v8.24.2

v8.24.0

Compare Source

Changelog

• c2afd56 Make paths and fingerprints platform-agnostic (#​1622)
• 818e32f Add Sonar rule (#​1756)
• 3fa5a3a Minor false positive improvements (#​1758)
• 2020e6a Add support for streaming DetectReader (#​1760)
• 9122a2d chore: Update github.com/wasilibs/go-re2 to v1.9.0 (#​1763)
• 398d0c4 docs: describe extended rules take precedence over base rules (#​1563)
• ae26eff feat(git): disable link generation (#​1748)
• c6424a6 added sourcegraph token rule (#​1736)
• 6411402 feat(config): add rule for .p12 files (#​1738)
• d71d95d add deno.lock to default exclusions (#​1740)

v8.23.3

Compare Source

Changelog

• 3188ad6 Don't exit with error if git repacking is required (#​1711)
• 7fc11bb refactor(config): use non-capture groups for allowlists (#​1735)
• 36c52c6 chore: Enhance curl-auth-user to detect empty usernames or passwords (#​1726)
• 1f323d8 fix(cmd): read log-opts before GitLogCmd (#​1730)

v8.23.2

Compare Source

Changelog

• d88bc09 facebook keyword
• 3fdaefd fix(meraki): restrict keyword case (#​1722)
• f3ae52e feat(generic-api-key): detect base64 (#​1598)
• d6a828a great branch name (#​1721)
• d2ffffe fix(git): remove .git suffix for links (#​1716)
• a43dc0d chore: refine generic-api-key fps + trace logging (#​1720)
• 69ed20e fix(generate): move newline out of char range (#​1719)
• 52b895a newline literal (#​1718)
• 3f4d91f build: support either stdlib or 3rd-party regexp (#​1706)
• 049f5b2 chore(detect): update trace logging (#​1713)
• 7a6183d feat(git): redact passwords from remote URL (#​1709)
• 3c7f3f0 feat(git): include link in report (#​1698)
• 0e3f4f7 chore: reduce generic-api-key fps (#​1707)
• 3ed8567 blorp
• e977850 added new rule for cisco meraki api key (#​1700)
• ad7a4fb feat: general fp tweaks (#​1703)
• b2cf03c chore(generate): use \x60 instead of literal (#​1702)
• a3f623c chore(regex): simplify secretPrefix, suffix (#​1620)
• cc71bb1 update version for pre-commit in README.md (#​1699)

v8.23.1

Compare Source

Changelog

• 7bad9f7 chore(gcp): add firebase example keys to the gcp-api-key allowlists (#​1635)
• 977236c fix: unaligned 64-bit atomic operation panic (#​1696)
• a211b16 force push to master everyday
• 0e5f644 feat(config): disable extended rule (#​1535)
• f320a60 style: prevent globbing and word splitting (#​1543)
• c4526b2 refactor(generic-api-key): remove hard-coded 'magic' (#​1600)
• 748076d chore(generate): add failing test case (#​1690)

v8.23.0

Compare Source

Changelog

• db8e5e6 feat(generate): use multiple allowlists (#​1691)
• 973c794 chore(rules): include fps in reference (#​1471)
• f0d4499 Add comma as operator for GenerateSemiGenericRegex (#​1679)
• ab38a46 refactor: central logger (#​1692)
• b022d1c friendship ended with tines

READ THIS!!! The default gitleaks config now uses [[rules.allowlists]]

    # ⚠️ In v8.21.0 `[rules.allowlist]` was replaced with `[[rules.allowlists]]`.
    # This change was backwards-compatible: instances of `[rules.allowlist]` still  work.
    #
    # You can define multiple allowlists for a rule to reduce false positives.
    # A finding will be ignored if _ANY_ `[[rules.allowlists]]` matches.
    [[rules.allowlists]]
    description = "ignore commit A"
    # When multiple criteria are defined the default condition is "OR".
    # e.g., this can match on |commits| OR |paths| OR |stopwords|.
    condition = "OR"
    commits = [ "commit-A", "commit-B"]
    paths = [
      '''go\.mod''',
      '''go\.sum'''
    ]
    # note: stopwords targets the extracted secret, not the entire regex match
    # like 'regexes' does. (stopwords introduced in 8.8.0)
    stopwords = [
      '''client''',
      '''endpoint''',
    ]

    [[rules.allowlists]]
    # The "AND" condition can be used to make sure all criteria match.
    # e.g., this matches if |regexes| AND |paths| are satisfied.
    condition = "AND"
    # note: |regexes| defaults to check the _Secret_ in the finding.
    # Acceptable values for |regexTarget| are "secret" (default), "match", and "line".
    regexTarget = "match"
    regexes = [ '''(?i)parseur[il]''' ]
    paths = [ '''package-lock\.json''' ]

v8.22.1

Compare Source

Changelog

• b69b515 Entropy trace (#​1659)
• 7357adc build: add 'toolchain' to go.mod (#​1682)
• 4c3da6e refactor(detect): create readUntilSafeBoundary + add tests (#​1676)
• dbe3746 twitter really does suck ass now
• 7edfc6b chore(tests): test cases for generate.go (#​1623)
• efe40ca fix: only use non-empty secret groups (#​1632)
• 7cb5f6f build: upgrade sprig v2->v3 (#​1674)
• 2930537 fix: generate report file even if no findings (#​1673)

v8.22.0

Compare Source

Changelog

• a91c671 replace std library regex engine with go-re2 (#​1669)

---

This bumps the gitleaks binary size from around 8.5MB to 15MB but yields 2-4x speedup. Worth it imo. If you feel strongly against this change feel free to open an issue where we can discuss the tradeoffs in more depth. Credit to @​ahrav

v8.21.4

Compare Source

Changelog

• 906085f Update golang version to 1.23 (#​1672)
• 8a83062 log bytes (#​1670)

v8.21.3

Compare Source

Changelog

• [a9e6d8c](https://redirect.gith

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.