From 3fedf6f8e72d0523b4cb1abaf3fc2d077ff5331f Mon Sep 17 00:00:00 2001
From: Zachary Rice <zricer@protonmail.com>
Date: Thu, 9 Dec 2021 09:21:17 -0600
Subject: [PATCH] remove writing default config, introduce GITLEAKS_CONFIG
 (#746)

* remove writing default config, introduce GITLEAKS_CONFIG

* setting report format default to json, update readme
---
 README.md   |  6 +++---
 cmd/root.go | 31 ++++++++++++++++---------------
 2 files changed, 19 insertions(+), 18 deletions(-)

diff --git a/README.md b/README.md
index fc22924ef..3cdcbc3d5 100644
--- a/README.md
+++ b/README.md
@@ -78,9 +78,9 @@ Flags:
   -c, --config string          config file path
                                order of precedence:
                                1. --config/-c
-                               2. (--source/-s)/.gitleaks.toml
-                               if --config/-c is not set and no (--source/-s)/.gitleaks.toml present
-                               then .gitleaks.toml will be written to (--source/-s)/.gitleaks.toml for future use
+                               2. env var GITLEAKS_CONFIG
+                               3. (--source/-s)/.gitleaks.toml
+                               If none of the three options are used, then gitleaks will use the default config
       --exit-code string       exit code when leaks have been encountered (default: 1)
   -h, --help                   help for gitleaks
   -l, --log-level string       log level (debug, info, warn, error, fatal) (default "info")
diff --git a/cmd/root.go b/cmd/root.go
index bfb3ca64c..46da82f67 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -26,9 +26,9 @@ const banner = `
 const configDescription = `config file path
 order of precedence: 
 1. --config/-c 
-2. (--source/-s)/.gitleaks.toml
-if --config/-c is not set and no (--source/s)/.gitleaks.toml is present 
-then .gitleaks.toml will be written to (--source/-s)/.gitleaks.toml for future use`
+2. env var GITLEAKS_CONFIG
+3. (--source/-s)/.gitleaks.toml
+If none of the three options are used, then gitleaks will use the default config`
 
 var rootCmd = &cobra.Command{
 	Use:   "gitleaks",
@@ -38,10 +38,10 @@ var rootCmd = &cobra.Command{
 func init() {
 	cobra.OnInitialize(initLog)
 	rootCmd.PersistentFlags().StringP("config", "c", "", configDescription)
-	rootCmd.PersistentFlags().Int("exit-code", 1, "exit code when leaks have been encountered (default: 1)")
+	rootCmd.PersistentFlags().Int("exit-code", 1, "exit code when leaks have been encountered")
 	rootCmd.PersistentFlags().StringP("source", "s", ".", "path to source (default: $PWD)")
 	rootCmd.PersistentFlags().StringP("report-path", "r", "", "report file")
-	rootCmd.PersistentFlags().StringP("report-format", "f", "", "output format (json, csv, sarif)")
+	rootCmd.PersistentFlags().StringP("report-format", "f", "json", "output format (json, csv, sarif)")
 	rootCmd.PersistentFlags().StringP("log-level", "l", "info", "log level (debug, info, warn, error, fatal)")
 	rootCmd.PersistentFlags().BoolP("verbose", "v", false, "show verbose output from scan")
 	rootCmd.PersistentFlags().Bool("redact", false, "redact secrets from logs and stdout")
@@ -78,7 +78,11 @@ func initConfig() {
 	}
 	if cfgPath != "" {
 		viper.SetConfigFile(cfgPath)
-		log.Debug().Msgf("Using gitleaks config %s", cfgPath)
+		log.Debug().Msgf("Using gitleaks config %s from `--config`", cfgPath)
+	} else if os.Getenv("GITLEAKS_CONFIG") != "" {
+		envPath := os.Getenv("GITLEAKS_CONFIG")
+		viper.SetConfigFile(envPath)
+		log.Debug().Msgf("Using gitleaks config from GITLEAKS_CONFIG env var: %s", envPath)
 	} else {
 		source, err := rootCmd.Flags().GetString("source")
 		if err != nil {
@@ -90,7 +94,7 @@ func initConfig() {
 		}
 
 		if !fileInfo.IsDir() {
-			log.Debug().Msgf("Unable to write default gitleaks config to %s since --source=%s is a file, using default config",
+			log.Debug().Msgf("Unable to load gitleaks config from %s since --source=%s is a file, using default config",
 				filepath.Join(source, ".gitleaks.toml"), source)
 			viper.SetConfigType("toml")
 			viper.ReadConfig(strings.NewReader(config.DefaultConfig))
@@ -98,15 +102,12 @@ func initConfig() {
 		}
 
 		if _, err := os.Stat(filepath.Join(source, ".gitleaks.toml")); os.IsNotExist(err) {
-			log.Debug().Msgf("No gitleaks config found, writing default gitleaks config to %s", filepath.Join(source, ".gitleaks.toml"))
-			if err := os.WriteFile(filepath.Join(source, ".gitleaks.toml"), []byte(config.DefaultConfig), os.ModePerm); err != nil {
-				log.Debug().Msgf("Unable to write default gitleaks config to %s, using default config", filepath.Join(source, ".gitleaks.toml"))
-				viper.SetConfigType("toml")
-				viper.ReadConfig(strings.NewReader(config.DefaultConfig))
-				return
-			}
+			log.Debug().Msgf("No gitleaks config found in path %s, using default gitleaks config", filepath.Join(source, ".gitleaks.toml"))
+			viper.SetConfigType("toml")
+			viper.ReadConfig(strings.NewReader(config.DefaultConfig))
+			return
 		} else {
-			log.Debug().Msgf("Using existing gitleaks config %s", filepath.Join(source, ".gitleaks.toml"))
+			log.Debug().Msgf("Using existing gitleaks config %s from `(--source)/.gitleaks.toml`", filepath.Join(source, ".gitleaks.toml"))
 		}
 
 		viper.AddConfigPath(source)