Added the ability to add standard strings to .gitleaks.toml.

CHANGES/+add_support_for_gitleaks.feature

@@ -0,0 +1 @@
+Taught plugin-template how to interact with .gitleaks.toml files.

plugin-template

@@ -416,6 +416,12 @@ def write_template_section(
                     destination,
                     template_vars,
                 )
+            elif destination.startswith(".gitleaks.toml."):
+                utils.merge_gitleaks(
+                    template,
+                    plugin_root_dir,
+                    destination,
+                )
             else:
                 utils.template_to_file(
                     template,

templates/bootstrap/pyproject.toml.j2

@@ -118,5 +118,6 @@ ignore = [
     ".dependabot/config.yml",
     ".ci/**",
     ".github/**",
+    ".gitleaks.toml",
 ]
 {% endif %}

templates/github/.gitleaks.toml.allowlist.j2

@@ -0,0 +1,10 @@
+[allowlist]
+  description = "Allow specific test-keys."
+  paths = [
+  ]
+  regexes = [
+    '''AKIAIT2Z5TDYPX3ARJBA''',
+    '''qR\+vjWPU50fCqQuUWbj9Fain/j2pV\+ZtBCiDiieS''',
+    '''fqRvjWaPU5o0fCqQuUWbj9Fainj2pVZtBCiDiieS''',
+    '''Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw''',
+  ]

utils.py

@@ -188,6 +188,58 @@ def template_to_file(template, plugin_root_path, relative_path, template_vars):
     destination_path.chmod(mode)
 
 
+def merge_gitleaks(template, plugin_root_path, relative_path, template_vars={}):
+    """
+    Take values from .gitleaks.allowlist.j2 and insert them into the allowlist of
+    an existing .gitleaks.toml file, or create said file otherwise.
+    """
+    basename, merge_key = relative_path.split(".toml.", maxsplit=1)
+    # "allowlist" is all we recognize for gitleaks
+    assert "allowlist" == merge_key
+    # We aren't using template-vars *currently* - but may want to at some point.
+    data = tomlkit.loads(template.render(**template_vars))
+    path = Path(plugin_root_path / f"{basename}.toml")
+    if path.exists():
+        old_toml = tomlkit.load(path.open())
+        if merge_key not in old_toml:
+            old_toml["allowlist"] = data["allowlist"]
+        else:
+            old_toml["allowlist"]["description"] = data["allowlist"]["description"]
+            merge_sets("paths", data, old_toml)
+            merge_sets("regexes", data, old_toml)
+
+    else:
+        old_toml = data
+        # Update MANIFEST.in to ignore the file we're about to create
+        # (if we are only updating .gitleaks, we 'assume' it's already being ignored)
+        manifest = Path(plugin_root_path / "MANIFEST.in")
+        if manifest.exists():
+            # MANIFEST.in is small enough to look at the whole thing at once
+            manifest_contents = manifest.read_text()
+            if ".gitleaks.toml" not in manifest_contents:
+                manifest.write_text(manifest_contents + "\nexclude .gitleaks.toml")
+    output = tomlkit.dumps(old_toml)
+    if output[-1] != "\n":
+        output = output + "\n"
+    path.write_text(output)
+
+
+def merge_sets(key, data, old_toml):
+    """
+    For a given key, merge any existing values and incoming new ones.
+    Use set() to get rid of duplicates, use sorted() to enforce ordering.
+    If incoming values are already a subset of the existing ones - nothing to do here.
+    """
+    if key in old_toml["allowlist"]:
+        old_values = set(old_toml["allowlist"][key])
+        new_values = set(data["allowlist"][key])
+        if new_values.issubset(old_values):  # Everything we want to add is already there
+            return
+        old_toml["allowlist"][key] = sorted(old_values.union(new_values))
+    else:
+        old_toml["allowlist"][key] = sorted(set(data["allowlist"][key]))
+
+
 def merge_toml(template, plugin_root_path, relative_path, template_vars):
     """
     Template a file of the form 'basename.toml.merge_key' and combine its content beneath