feat: change the include and exclude to select and ignore (#177)

BREAKING CHANGE:
`--include-rule` renamed to `--rule`
`--exclude-rule` renamed to `--ignore-rule`
Now you can use them together

- redundant error return

Part of #174

.github/workflows/new-rules.yml

@@ -13,4 +13,4 @@ jobs:
         with:
           go-version: "^1.20"
       - name: Check Gitleaks new rules
-        run: go run scripts/check_new_rules.go
+        run: go run .ci/check_new_rules.go

README.md

@@ -80,13 +80,13 @@ Additional Commands:
 
 Flags:
       --config string           config file path
-      --exclude-rule strings    exclude rules by name or tag to apply to the scan (removes from list, starts from all)
   -h, --help                    help for 2ms
       --ignore-result strings   ignore specific result by id
-      --include-rule strings    include rules by name or tag to apply to the scan (adds to list, starts from empty)
+      --ignore-rule strings     ignore rules by name or tag
       --log-level string        log level (trace, debug, info, warn, error, fatal) (default "info")
       --regex stringArray       custom regexes to apply to the scan, must be valid Go regex
       --report-path strings     path to generate report files. The output format will be determined by the file extension (.json, .yaml, .sarif)
+      --rule strings            select rules by name or tag to apply to this scan
       --stdout-format string    stdout output format, available formats are: json, yaml, sarif (default "yaml")
   -v, --version                 version for 2ms
 

cmd/main.go

@@ -33,8 +33,8 @@ const (
 	reportPathFlagName      = "report-path"
 	stdoutFormatFlagName    = "stdout-format"
 	customRegexRuleFlagName = "regex"
-	includeRuleFlagName     = "include-rule"
-	excludeRuleFlagName     = "exclude-rule"
+	ruleFlagName            = "rule"
+	ignoreRuleFlagName      = "ignore-rule"
 	ignoreFlagName          = "ignore-result"
 )
 
@@ -43,8 +43,8 @@ var (
 	reportPathVar      []string
 	stdoutFormatVar    string
 	customRegexRuleVar []string
-	includeRuleVar     []string
-	excludeRuleVar     []string
+	ruleVar            []string
+	ignoreRuleVar      []string
 	ignoreVar          []string
 )
 
@@ -117,9 +117,8 @@ func Execute() {
 	rootCmd.PersistentFlags().StringSliceVar(&reportPathVar, reportPathFlagName, []string{}, "path to generate report files. The output format will be determined by the file extension (.json, .yaml, .sarif)")
 	rootCmd.PersistentFlags().StringVar(&stdoutFormatVar, stdoutFormatFlagName, "yaml", "stdout output format, available formats are: json, yaml, sarif")
 	rootCmd.PersistentFlags().StringArrayVar(&customRegexRuleVar, customRegexRuleFlagName, []string{}, "custom regexes to apply to the scan, must be valid Go regex")
-	rootCmd.PersistentFlags().StringSliceVar(&includeRuleVar, includeRuleFlagName, []string{}, "include rules by name or tag to apply to the scan (adds to list, starts from empty)")
-	rootCmd.PersistentFlags().StringSliceVar(&excludeRuleVar, excludeRuleFlagName, []string{}, "exclude rules by name or tag to apply to the scan (removes from list, starts from all)")
-	rootCmd.MarkFlagsMutuallyExclusive(includeRuleFlagName, excludeRuleFlagName)
+	rootCmd.PersistentFlags().StringSliceVar(&ruleVar, ruleFlagName, []string{}, "select rules by name or tag to apply to this scan")
+	rootCmd.PersistentFlags().StringSliceVar(&ignoreRuleVar, ignoreRuleFlagName, []string{}, "ignore rules by name or tag")
 	rootCmd.PersistentFlags().StringSliceVar(&ignoreVar, ignoreFlagName, []string{}, "ignore specific result by id")
 
 	rootCmd.AddCommand(secrets.RulesCommand)
@@ -160,7 +159,7 @@ func validateFormat(stdout string, reportPath []string) {
 
 func preRun(cmd *cobra.Command, args []string) {
 	validateFormat(stdoutFormatVar, reportPathVar)
-	secrets, err := secrets.Init(includeRuleVar, excludeRuleVar)
+	secrets, err := secrets.Init(ruleVar, ignoreRuleVar)
 	if err != nil {
 		log.Fatal().Msg(err.Error())
 	}

secrets/secrets.go

@@ -52,28 +52,29 @@ const TagWebhook = "webhook"
 
 const customRegexRuleIdFormat = "custom-regex-%d"
 
-func Init(includeList, excludeList []string) (*Secrets, error) {
-	if len(includeList) > 0 && len(excludeList) > 0 {
-		return nil, fmt.Errorf("cannot use both include and exclude flags")
+func Init(selectedList, ignoreList []string) (*Secrets, error) {
+	if len(selectedList) > 0 && len(ignoreList) > 0 {
+		log.Warn().Msgf("Both 'rule' and 'ignoreRule' flags were provided.")
 	}
 
-	allRules, _ := loadAllRules()
-	rulesToBeApplied := make(map[string]config.Rule)
-	if len(includeList) > 0 {
-		rulesToBeApplied = selectRules(allRules, includeList)
-	} else if len(excludeList) > 0 {
-		rulesToBeApplied = excludeRules(allRules, excludeList)
-	} else {
-		for _, rule := range allRules {
-			// required to be empty when not running via cli. otherwise rule will be ignored
-			rule.Rule.Keywords = []string{}
-			rulesToBeApplied[rule.Rule.RuleID] = rule.Rule
-		}
+	selectedRules := loadAllRules()
+	if len(selectedList) > 0 {
+		selectedRules = selectRules(selectedRules, selectedList)
+	}
+	if len(ignoreList) > 0 {
+		selectedRules = ignoreRules(selectedRules, ignoreList)
 	}
-	if len(rulesToBeApplied) == 0 {
+	if len(selectedRules) == 0 {
 		return nil, fmt.Errorf("no rules were selected")
 	}
 
+	rulesToBeApplied := make(map[string]config.Rule)
+	for _, rule := range selectedRules {
+		// required to be empty when not running via cli. otherwise rule will be ignored
+		rule.Rule.Keywords = []string{}
+		rulesToBeApplied[rule.Rule.RuleID] = rule.Rule
+	}
+
 	config := config.Config{
 		Rules: rulesToBeApplied,
 	}
@@ -144,30 +145,26 @@ func isSecretIgnored(secret *reporting.Secret, ignoredIds *[]string) bool {
 	return false
 }
 
-func selectRules(allRules []Rule, tags []string) map[string]config.Rule {
-	rulesToBeApplied := make(map[string]config.Rule)
+func selectRules(allRules []Rule, tags []string) []Rule {
+	selectedRules := []Rule{}
 
 	for _, rule := range allRules {
 		if isRuleMatch(rule, tags) {
-			// required to be empty when not running via cli. otherwise rule will be ignored
-			rule.Rule.Keywords = []string{}
-			rulesToBeApplied[rule.Rule.RuleID] = rule.Rule
+			selectedRules = append(selectedRules, rule)
 		}
 	}
-	return rulesToBeApplied
+	return selectedRules
 }
 
-func excludeRules(allRules []Rule, tags []string) map[string]config.Rule {
-	rulesToBeApplied := make(map[string]config.Rule)
+func ignoreRules(allRules []Rule, tags []string) []Rule {
+	selectedRules := []Rule{}
 
 	for _, rule := range allRules {
 		if !isRuleMatch(rule, tags) {
-			// required to be empty when not running via cli. otherwise rule will be ignored
-			rule.Rule.Keywords = []string{}
-			rulesToBeApplied[rule.Rule.RuleID] = rule.Rule
+			selectedRules = append(selectedRules, rule)
 		}
 	}
-	return rulesToBeApplied
+	return selectedRules
 }
 
 func isRuleMatch(rule Rule, tags []string) bool {
@@ -184,7 +181,7 @@ func isRuleMatch(rule Rule, tags []string) bool {
 	return false
 }
 
-func loadAllRules() ([]Rule, error) {
+func loadAllRules() []Rule {
 	var allRules []Rule
 	allRules = make([]Rule, 0)
 
@@ -346,7 +343,7 @@ func loadAllRules() ([]Rule, error) {
 	allRules = append(allRules, Rule{Rule: *rules.ZendeskSecretKey(), Tags: []string{TagSecretKey}})
 	allRules = append(allRules, Rule{Rule: *internalRules.AuthenticatedURL(), Tags: []string{TagSensitiveUrl}})
 
-	return allRules, nil
+	return allRules
 }
 
 var RulesCommand = &cobra.Command{
@@ -355,10 +352,7 @@ var RulesCommand = &cobra.Command{
 	Long:  `List all rules`,
 	RunE: func(cmd *cobra.Command, args []string) error {
 
-		rules, err := loadAllRules()
-		if err != nil {
-			return err
-		}
+		rules := loadAllRules()
 
 		tab := tabwriter.NewWriter(os.Stdout, 1, 2, 2, ' ', 0)
 
@@ -367,7 +361,7 @@ var RulesCommand = &cobra.Command{
 		for _, rule := range rules {
 			fmt.Fprintf(tab, "%s\t%s\t%s\n", rule.Rule.RuleID, rule.Rule.Description, strings.Join(rule.Tags, ","))
 		}
-		if err = tab.Flush(); err != nil {
+		if err := tab.Flush(); err != nil {
 			return err
 		}