
gitleaks stopped respecting REPOSITORY_GITLEAKS_ARGUMENTS after upgrading from 8.3.0 to 8.4.1 #4617

Closed
atodorov opened this issue Jan 29, 2025 · 6 comments · Fixed by #4633
Labels
bug Something isn't working

Comments

atodorov commented Jan 29, 2025

Describe the bug

I am using the following configuration

        uses: oxsecurity/megalinter/flavors/rust@v8
        env:
          # All available variables are described at https://megalinter.io/latest/configuration/
          # and configured in .mega-linter.yml
          VALIDATE_ALL_CODEBASE: true
          # tells gitleaks to scan only commits in the current PR without setting VALIDATE_ALL_CODEBASE==false
          # which has other side effects. See https://github.com/oxsecurity/megalinter/issues/2487 and
          # https://megalinter.io/latest/descriptors/repository_gitleaks/
          REPOSITORY_GITLEAKS_ARGUMENTS: --log-opts '--no-merges --first-parent ${{ github.event.pull_request.base.sha }}^..${{ github.event.pull_request.head.sha }}'

see http://github.com/gluwa/creditcoin3/blob/dev/.github/workflows/mega-linter.yml#L45-L48.

I explicitly want all other linters (where applicable) to scan the entire code base, while gitleaks scans only pull requests.
This setup had worked for me with MegaLinter versions 8.2.0 and 8.3.0 until recently, when v8.4.1 came around.

Scans for the same PR with 8.3.0 and 8.4.1 produce different results: with 8.4.1, gitleaks reports on commits which aren't part of the PR. For example:

Attempt #1, 8.3.0 -> https://github.com/gluwa/creditcoin3/actions/runs/12946839981/job/36112154759

2025-01-24T09:27:16.3459358Z ##[group]✅ Linted [REPOSITORY] files with [gitleaks] successfully - (0.11s) (expand for details)
2025-01-24T09:27:16.3460366Z - Using [gitleaks v8.21.2] https://megalinter.io/8.3.0/descriptors/repository_gitleaks
2025-01-24T09:27:16.3461024Z - MegaLinter key: [REPOSITORY_GITLEAKS]
2025-01-24T09:27:16.3461453Z - Rules config: [.gitleaks.toml]
2025-01-24T09:27:16.3462942Z - Command: [gitleaks detect --redact --log-opts --no-merges --first-parent 8e60bd8b05e1c5f3b82cba27d8e567223328110c^..be34b74d056b278aa4c79652cdbe1a45ce9be05f -c /action/lib/.automation/.gitleaks.toml --verbose --source .]
2025-01-24T09:27:16.3464848Z ##[endgroup]

Attempt #2, 8.4.1 -> https://github.com/gluwa/creditcoin3/actions/runs/12946839981/job/36343636490,

2025-01-29T10:07:05.0391990Z ##[group]❌ Linted [REPOSITORY] files with [gitleaks]: Found 2 error(s) - (7.76s) (expand for details)
2025-01-29T10:07:05.0396220Z - Using [gitleaks v8.23.2] https://megalinter.io/8.4.1/descriptors/repository_gitleaks
2025-01-29T10:07:05.0402212Z - MegaLinter key: [REPOSITORY_GITLEAKS]
2025-01-29T10:07:05.0404190Z - Rules config: [.gitleaks.toml]
2025-01-29T10:07:05.0407455Z - Command: [gitleaks detect --redact --log-opts --no-merges --first-parent 8e60bd8b05e1c5f3b82cba27d8e567223328110c^..be34b74d056b278aa4c79652cdbe1a45ce9be05f -c /action/lib/.automation/.gitleaks.toml --verbose --source .]
2025-01-29T10:07:05.0408904Z --Error detail:
2025-01-29T10:07:05.0409103Z 
2025-01-29T10:07:05.0409284Z     ○
2025-01-29T10:07:05.0409567Z     │╲
2025-01-29T10:07:05.0409844Z     │ ○
2025-01-29T10:07:05.0410118Z     ○ ░
2025-01-29T10:07:05.0410451Z     ░    gitleaks
2025-01-29T10:07:05.0410625Z 
2025-01-29T10:07:05.0410885Z Finding:     Private key: REDACTED
2025-01-29T10:07:05.0411410Z Secret:      REDACTED
2025-01-29T10:07:05.0411783Z RuleID:      generic-api-key
2025-01-29T10:07:05.0412129Z Entropy:     3.970636
2025-01-29T10:07:05.0412429Z File:        README.md
2025-01-29T10:07:05.0412725Z Line:        135
2025-01-29T10:07:05.0413062Z Commit:      07795222e87cd1472e42afce18da48985a3f6a21
2025-01-29T10:07:05.0413508Z Author:      Alex Todorov
2025-01-29T10:07:05.0413874Z Email:       [email protected]
2025-01-29T10:07:05.0414256Z Date:        2024-11-21T09:22:16Z
2025-01-29T10:07:05.0414899Z Fingerprint: 07795222e87cd1472e42afce18da48985a3f6a21:README.md:generic-api-key:135
2025-01-29T10:07:05.0416208Z Link:        https://github.com/gluwa/creditcoin3/blob/07795222e87cd1472e42afce18da48985a3f6a21/README.md?plain=1#L135
2025-01-29T10:07:05.0416943Z 
2025-01-29T10:07:05.0417202Z Finding:     Key: REDACTED # Alice
2025-01-29T10:07:05.0417713Z Secret:      REDACTED
2025-01-29T10:07:05.0418085Z RuleID:      generic-api-key
2025-01-29T10:07:05.0418437Z Entropy:     4.944236
2025-01-29T10:07:05.0418740Z File:        cc3.yml
2025-01-29T10:07:05.0419024Z Line:        9
2025-01-29T10:07:05.0419360Z Commit:      a685ce53224f97dce84302a9fe00a33acfe88b7e
2025-01-29T10:07:05.0419804Z Author:      rustlang-dev
2025-01-29T10:07:05.0420165Z Email:       [email protected]
2025-01-29T10:07:05.0420848Z Date:        2024-09-26T16:33:40Z
2025-01-29T10:07:05.0421525Z Fingerprint: a685ce53224f97dce84302a9fe00a33acfe88b7e:cc3.yml:generic-api-key:9
2025-01-29T10:07:05.0422592Z Link:        https://github.com/gluwa/creditcoin3/blob/a685ce53224f97dce84302a9fe00a33acfe88b7e/cc3.yml#L9
2025-01-29T10:07:05.0423234Z 
2025-01-29T10:07:05.0423510Z 10:07AM INF 1569 commits scanned.
2025-01-29T10:07:05.0424186Z 10:07AM INF scanned ~71169194 bytes (71.17 MB) in 7.07s
2025-01-29T10:07:05.0424787Z 10:07AM WRN leaks found: 2
2025-01-29T10:07:05.0425069Z 
2025-01-29T10:07:05.0425456Z ##[endgroup]

Attempt #1 and #2 are executions triggered by gluwa/creditcoin3#556 (although the PR has also been updated since then).

You can see that the command and commit hashes are exactly the same.

For example, the reported leak,

2025-01-29T10:07:05.0417202Z Finding:     Key: REDACTED # Alice
2025-01-29T10:07:05.0417713Z Secret:      REDACTED
2025-01-29T10:07:05.0418085Z RuleID:      generic-api-key
2025-01-29T10:07:05.0418437Z Entropy:     4.944236
2025-01-29T10:07:05.0418740Z File:        cc3.yml
2025-01-29T10:07:05.0419024Z Line:        9
2025-01-29T10:07:05.0419360Z Commit:      a685ce53224f97dce84302a9fe00a33acfe88b7e
2025-01-29T10:07:05.0419804Z Author:      rustlang-dev
2025-01-29T10:07:05.0420165Z Email:       [email protected]
2025-01-29T10:07:05.0420848Z Date:        2024-09-26T16:33:40Z
2025-01-29T10:07:05.0421525Z Fingerprint: a685ce53224f97dce84302a9fe00a33acfe88b7e:cc3.yml:generic-api-key:9
2025-01-29T10:07:05.0422592Z Link:        https://github.com/gluwa/creditcoin3/blob/a685ce53224f97dce84302a9fe00a33acfe88b7e/cc3.yml#L9

is coming from https://github.com/gluwa/creditcoin3/pull/483/commits, commit "add file to run chopstics", while it should not.

I looked into MegaLinter's and gitleaks' diff pages for the respective versions but I don't see anything obvious for now.

To Reproduce
Steps to reproduce the behavior:

  1. Go to SMC-1036: Update @gluwa/evm-network-test tool gluwa/creditcoin3#556
  2. Execute ML 8.4.1 against it.
  3. gitleaks reports a leak despite the existing configuration telling it to not scan all files.

Expected behavior
Gitleaks says everything is fine.
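As an added check (example code, not part of MegaLinter or gitleaks) that would have surfaced this regression in CI: parse gitleaks' verbose findings and flag any whose commit lies outside the set the PR range should cover, and compare the "commits scanned" count against that set's size. The sample output is constructed from the finding quoted above (second finding made up), and PR_COMMITS stands in for what `git rev-list --no-merges --first-parent BASE^..HEAD` would return.

```python
import re

# Constructed sample of gitleaks --verbose output, modelled on the finding quoted in
# the issue; the second finding is made up and placed on the PR's head commit.
SAMPLE_OUTPUT = """\
Finding:     Key: REDACTED # Alice
RuleID:      generic-api-key
File:        cc3.yml
Line:        9
Commit:      a685ce53224f97dce84302a9fe00a33acfe88b7e
Fingerprint: a685ce53224f97dce84302a9fe00a33acfe88b7e:cc3.yml:generic-api-key:9

Finding:     token = REDACTED
RuleID:      generic-api-key
File:        src/config.rs
Line:        12
Commit:      be34b74d056b278aa4c79652cdbe1a45ce9be05f
Fingerprint: be34b74d056b278aa4c79652cdbe1a45ce9be05f:src/config.rs:generic-api-key:12

10:07AM INF 1569 commits scanned.
10:07AM WRN leaks found: 2
"""

# Commits the PR range covers, i.e. what `git rev-list --no-merges --first-parent
# BASE^..HEAD` would list; constructed here so the example runs offline.
PR_COMMITS = {"be34b74d056b278aa4c79652cdbe1a45ce9be05f"}

FIELD = re.compile(r"^(\w+):\s+(.*)$")

def parse_findings(output):
    """Turn gitleaks' blank-line-separated 'Key: value' blocks into dicts."""
    findings = []
    for block in re.split(r"\n\s*\n", output.strip()):
        fields = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        if "Fingerprint" in fields:  # the trailing INF/WRN log lines have none
            findings.append(fields)
    return findings

def commits_scanned(output):
    """Commit count gitleaks logs at the end of a scan, or None if not logged."""
    m = re.search(r"(\d+) commits scanned", output)
    return int(m.group(1)) if m else None

def check_scan(output, in_scope):
    """(scanned count, expected count, fingerprints of findings outside the range);
    a scanned count far above the expected one means the range was not honoured."""
    leaks = [f["Fingerprint"] for f in parse_findings(output) if f["Commit"] not in in_scope]
    return commits_scanned(output), len(in_scope), leaks
```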

@atodorov atodorov added the bug Something isn't working label Jan 29, 2025
atodorov added a commit to gluwa/creditcoin3 that referenced this issue Jan 29, 2025
bdovaz (Collaborator) commented Jan 29, 2025

@nvuillam @echoix are we sure that the problem is in MegaLinter and not in gitleaks? Because the output of both versions clearly shows that it sets the parameters exactly the same in the Command: block.

gitleaks releases:

https://github.com/gitleaks/gitleaks/releases

atodorov added a commit to gluwa/creditcoin3 that referenced this issue Jan 29, 2025
nvuillam (Member) commented:

@bdovaz indeed, REPOSITORY_GITLEAKS_ARGUMENTS is a generic variable and nothing changed about its management, so if a behavior is different, it's related to the differences between gitleaks versions.

@atodorov you can ask on the gitleaks repo what changed between gitleaks v8.21.2 and gitleaks v8.23.2 so that the exact same calls do not provide the same result.

atodorov (Author) commented:

FTR the diff between gitleaks versions is gitleaks/gitleaks@v8.21.2...v8.23.2 and I didn't see anything immediately obvious.

Reported on the gitleaks repo as gitleaks/gitleaks#1739

atodorov added a commit to gluwa/creditcoin3 that referenced this issue Jan 31, 2025
atodorov (Author) commented:

@nvuillam, @bdovaz it looks like this was a bug in gitleaks which has been fixed in 8.23.3, released 2 days ago; see gitleaks/gitleaks#1739 (comment).

bdovaz (Collaborator) commented Jan 31, 2025

Maybe @nvuillam we can add this linter update with the dotnet fix in the next minor release.

nvuillam (Member) commented:

If renovate catches it, we'll catch it! ;)

@echoix echoix linked a pull request Feb 1, 2025 that will close this issue