DariuszPorowski · Mar 12, 2025
diff --git a/‎.gitleaks/UDMSecretChecks.toml
+18-18 b/‎.gitleaks/UDMSecretChecks.toml
+18-18
diff --git a/‎Dockerfile
+2-2 b/‎Dockerfile
+2-2
diff --git a/‎LICENSE
+1-1 b/‎LICENSE
+1-1
diff --git a/‎README.md
+22-18 b/‎README.md
+22-18
diff --git a/‎action.yml
+12-1 b/‎action.yml
+12-1
diff --git a/‎entrypoint.sh
+9-1 b/‎entrypoint.sh
+9-1
@@ -35,7 +35,7 @@ id = "CSCAN0030"
 description = "PublishSettings"
 regex = '''userPWD="[a-zA-Z0-9\+\/]{60}"'''
 path = '''(?i)(publishsettings|\.pubxml$)'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = [
     '''Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(?:Password|pwd|secret|credentials?)(?:Key|Location)|KeyManager''',
     '''(?:_AppKey"|(?:(?:credential|password|token)s?|(?:Account|access)Key=)"[\s\r?\n]*/|Username"|\.dll|(?:Secret|Token|Key|Credential)s?(?:Encryption|From|(?:Signing)?Certificate|Options|Thumbprint|Contacts|String|UserId)|Key(1;value1|word|s?Path|Index|Id|Store|WillDoWithoutValidation|:NamePattern|Name"|Ref")|(Secret|Credential)s?(Name|Path)"|(StrongName|Chaos\s?Mon|Redis|Registry|Registery|User|Insights?|Instrumentation|Match\()Key|(Certificate|cert)(Issuer|Subject)|rollingdate|skuId|HKEY_|AddServicePrincipalCredentials|Password Resets|SecretStore|(0|x|\*){8,})''',
@@ -52,7 +52,7 @@ id = "CSCAN0091-1"
 description = "AspNetMachineKeyInConfig1"
 path = '''\.(?:xml|pubxml|definitions|ps1|wadcfgx|ccf|config|cscfg|json|js|txt|cpp|sql|dtsx|md|java|FF|template|settings|ini|BF|ste|isml|test|ts|resx|Azure|sample|backup|rd|hpp|psm1|cshtml|htm|bat|waz|yml|Beta|py|sh|m|php|xaml|keys|cmd|rds|loadtest|properties)$|hubot'''
 regex = '''<machineKey[^>]+(?:decryptionKey\s*\=\s*"[a-fA-F0-9]{48,}|validationKey\s*\=\s*"[a-fA-F0-9]{48,})[^>]+>'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = [
     '''Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(?:Password|pwd|secret|credentials?)(?:Key|Location)|KeyManager''',
     '''(?:_AppKey"|(?:(?:credential|password|token)s?|(?:Account|access)Key=)"[\s\r?\n]*/|Username"|\.dll|(?:Secret|Token|Key|Credential)s?(?:Encryption|From|(?:Signing)?Certificate|Options|Thumbprint|Contacts|String|UserId)|Key(1;value1|word|s?Path|Index|Id|Store|WillDoWithoutValidation|:NamePattern|Name"|Ref")|(Secret|Credential)s?(Name|Path)"|(StrongName|Chaos\s?Mon|Redis|Registry|Registery|User|Insights?|Instrumentation|Match\()Key|(Certificate|cert)(Issuer|Subject)|rollingdate|skuId|HKEY_|AddServicePrincipalCredentials|Password Resets|SecretStore|(0|x|\*){8,})''',
@@ -63,7 +63,7 @@ id = "CSCAN0091-2"
 description = "AspNetMachineKeyInConfig2"
 path = '''\.(?:xml|pubxml|definitions|ps1|wadcfgx|ccf|config|cscfg|json|js|txt|cpp|sql|dtsx|md|java|FF|template|settings|ini|BF|ste|isml|test|ts|resx|Azure|sample|backup|rd|hpp|psm1|cshtml|htm|bat|waz|yml|Beta|py|sh|m|php|xaml|keys|cmd|rds|loadtest|properties)$|hubot'''
 regex = '''(?:decryptionKey|validationKey)="[a-zA-Z0-9]+"'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = [
     '''Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(?:Password|pwd|secret|credentials?)(?:Key|Location)|KeyManager''',
     '''(?:_AppKey"|(?:(?:credential|password|token)s?|(?:Account|access)Key=)"[\s\r?\n]*/|Username"|\.dll|(?:Secret|Token|Key|Credential)s?(?:Encryption|From|(?:Signing)?Certificate|Options|Thumbprint|Contacts|String|UserId)|Key(1;value1|word|s?Path|Index|Id|Store|WillDoWithoutValidation|:NamePattern|Name"|Ref")|(Secret|Credential)s?(Name|Path)"|(StrongName|Chaos\s?Mon|Redis|Registry|Registery|User|Insights?|Instrumentation|Match\()Key|(Certificate|cert)(Issuer|Subject)|rollingdate|skuId|HKEY_|AddServicePrincipalCredentials|Password Resets|SecretStore|(0|x|\*){8,})''',
@@ -74,15 +74,15 @@ id = "CSCAN0092-1"
 description = "SqlConnectionStringInConfig1"
 path = '''\.(?:xml|pubxml|definitions|ps1|wadcfgx|ccf|config|cscfg|json|js|txt|cpp|sql|dtsx|md|java|FF|template|settings|ini|BF|ste|isml|test|ts|resx|Azure|sample|backup|rd|hpp|psm1|cshtml|htm|bat|waz|yml|Beta|py|sh|m|php|xaml|keys|cmd|rds|loadtest|properties)$|hubot'''
 regex = '''(?i)(?:connection[sS]tring|connString)[^=]*=["'][^"']*[pP]assword\s*=\s*[^\s;][^"']*(?:'|")'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = '''Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(?:Password|pwd|secret|credentials?)(?:Key|Location)|KeyManager'''
 
 [[rules]]
 id = "CSCAN0092-2"
 description = "SqlConnectionStringInConfig2"
 path = '''\.(?:xml|pubxml|definitions|ps1|wadcfgx|ccf|config|cscfg|json|js|txt|cpp|sql|dtsx|md|java|FF|template|settings|ini|BF|ste|isml|test|ts|resx|Azure|sample|backup|rd|hpp|psm1|cshtml|htm|bat|waz|yml|Beta|py|sh|m|php|xaml|keys|cmd|rds|loadtest|properties|policy_and_key\.hpp|AccountConfig\.h)$|hubot'''
 regex = '''(?i)(?:User ID|uid|UserId).*(?:Password|[^a-z]pwd)=[^'\$%<@'";\[\{][^;/"]{4,128}(?:;|")'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = [
     '''Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(?:Password|pwd|secret|credentials?)(?:Key|Location)|KeyManager''',
     '''(?:prefix <<|guestaccesstoken|skiptoken|cookie|tsm|fake|example|badlyFormatted|Invalid|sha512|sha256|"input"|ENCRYPTED|"EncodedRequestUri"|looks like|myStorageAccountName|(?:0|x|\*){8,})''',
@@ -93,7 +93,7 @@ id = "CSCAN0043"
 description = "SqlConnectionStringInCode"
 path = '''\.(?:xml|pubxml|definitions|ps1|wadcfgx|ccf|config|cscfg|json|js|txt|cpp|sql|dtsx|md|java|FF|template|settings|ini|BF|ste|isml|test|ts|resx|Azure|sample|backup|rd|hpp|psm1|cshtml|htm|bat|waz|yml|Beta|py|sh|m|php|xaml|keys|cmd|rds|loadtest|properties|policy_and_key\.hpp|AccountConfig\.h)$|hubot'''
 regex = '''(?i)(?:User ID|uid|UserId).*(?:Password|[^a-z]pwd)=[^'\$%<@'";\[\{][^;/"]{4,128}(?:;|")'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = [
     '''Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(?:Password|pwd|secret|credentials?)(?:Key|Location)|KeyManager''',
     '''(?:prefix <<|guestaccesstoken|skiptoken|cookie|tsm|fake|example|badlyFormatted|Invalid|sha512|sha256|"input"|ENCRYPTED|"EncodedRequestUri"|looks like|myStorageAccountName|(?:0|x|\*){8,})''',
@@ -140,7 +140,7 @@ id = "CSCAN0095-1"
 description = "GeneralSecretInConfig1"
 path = '''\.(?:config|cscfg|json|js|txt|cpp|sql|dtsx|md|java|FF|template|settings|ini|BF|ste|isml|test|ts|resx|Azure|sample|backup|rd|hpp|psm1|cshtml|htm|bat|waz|yml|Beta|py|sh|m|php|xaml|keys|cmd|rds|loadtest|properties)$|hubot'''
 regex = '''<add\skey="[^"]+(?:key(?:s|[0-9])?|credentials?|secret(?:s|[0-9])?|password|token|KeyPrimary|KeySecondary|KeyOrSas|KeyEncrypted)"\s*value\s*="[^"]+"[^>]*/>'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = [
     '''key\s*=\s*"[^"]*AppKey[^"]*"\s+value\s*=\s*"[a-z]+"''',
     '''value\s*=\s*"(?:[a-z]+(?: [a-z]+)+"|_+[a-z]+_+"|[a-z]+-[a-z]+-[a-z]+["-]|[a-z]+-[a-z]+"|[a-z]+\\[a-z]+"|\d+"|[^"]*ConnectionString")''',
@@ -155,7 +155,7 @@ id = "CSCAN0095-2"
 description = "GeneralSecretInConfig2"
 path = '''\.(?:config|cscfg|json|js|txt|cpp|sql|dtsx|md|java|FF|template|settings|ini|BF|ste|isml|test|ts|resx|Azure|sample|backup|rd|hpp|psm1|cshtml|htm|bat|waz|yml|Beta|py|sh|m|php|xaml|keys|cmd|rds|loadtest|properties)$|hubot'''
 regex = '''<add\skey="[^"]+"\s*value="[^"]*EncryptedSecret:[^"]+"\s*/>'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = [
     '''key\s*=\s*"[^"]*AppKey[^"]*"\s+value\s*=\s*"[a-z]+"''',
     '''value\s*=\s*"(?:[a-z]+(?: [a-z]+)+"|_+[a-z]+_+"|[a-z]+-[a-z]+-[a-z]+["-]|[a-z]+-[a-z]+"|[a-z]+\\[a-z]+"|\d+"|[^"]*ConnectionString")''',
@@ -170,7 +170,7 @@ id = "CSCAN0095-3"
 description = "GeneralSecretInConfig3"
 path = '''\.(?:config|cscfg|json|js|txt|cpp|sql|dtsx|md|java|FF|template|settings|ini|BF|ste|isml|test|ts|resx|Azure|sample|backup|rd|hpp|psm1|cshtml|htm|bat|waz|yml|Beta|py|sh|m|php|xaml|keys|cmd|rds|loadtest|properties)$|hubot'''
 regex = '''<Credential\sname="[^"]*(?:key(?:s|[0-9])?|credentials?|secret(?:s|[0-9])?|password|token|KeyPrimary|KeySecondary|KeyOrSas|KeyEncrypted)"(\s*value\s*="[^"]+".*?/>|[^>]*>.*?</Credential>)'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = [
     '''key\s*=\s*"[^"]*AppKey[^"]*"\s+value\s*=\s*"[a-z]+"''',
     '''value\s*=\s*"(?:[a-z]+(?: [a-z]+)+"|_+[a-z]+_+"|[a-z]+-[a-z]+-[a-z]+["-]|[a-z]+-[a-z]+"|[a-z]+\\[a-z]+"|\d+"|[^"]*ConnectionString")''',
@@ -185,7 +185,7 @@ id = "CSCAN0095-4"
 description = "GeneralSecretInConfig4"
 path = '''\.(?:config|cscfg|json|js|txt|cpp|sql|dtsx|md|java|FF|template|settings|ini|BF|ste|isml|test|ts|resx|Azure|sample|backup|rd|hpp|psm1|cshtml|htm|bat|waz|yml|Beta|py|sh|m|php|xaml|keys|cmd|rds|loadtest|properties)$|hubot'''
 regex = '''<setting\sname="[^"]*Password".*[\r?\n]*\s*<value>.+</value>'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = [
     '''key\s*=\s*"[^"]*AppKey[^"]*"\s+value\s*=\s*"[a-z]+"''',
     '''value\s*=\s*"(?:[a-z]+(?: [a-z]+)+"|_+[a-z]+_+"|[a-z]+-[a-z]+-[a-z]+["-]|[a-z]+-[a-z]+"|[a-z]+\\[a-z]+"|\d+"|[^"]*ConnectionString")''',
@@ -218,7 +218,7 @@ id = "CSCAN0220-1"
 description = "DefaultPasswordContexts1"
 path = '''\.(?:ps1|psm1|)$'''
 regex = '''ConvertTo-SecureString(?:\s*-String)?\s*"[^$"\r?\n]+"'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = [
     '''Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(?:Password|pwd|secret|credentials?)(?:Key|Location)|KeyManager''',
     '''(?:_AppKey"|(?:(?:credential|password|token)s?|(?:Account|access)Key=)"[\s\r?\n]*/|Username"|\.dll|(?:Secret|Token|Key|Credential)s?(?:Encryption|From|(?:Signing)?Certificate|Options|Thumbprint|Contacts|String|UserId)|Key(1;value1|word|s?Path|Index|Id|Store|WillDoWithoutValidation|:NamePattern|Name"|Ref")|(Secret|Credential)s?(Name|Path)"|(StrongName|Chaos\s?Mon|Redis|Registry|Registery|User|Insights?|Instrumentation|Match\()Key|(Certificate|cert)(Issuer|Subject)|rollingdate|skuId|HKEY_|AddServicePrincipalCredentials|Password Resets|SecretStore|(0|x|\*){8,})''',
@@ -229,7 +229,7 @@ id = "CSCAN0220-2"
 description = "DefaultPasswordContexts2"
 path = '''\.(?:cs|xml|config|json|ts|cfg|txt|ps1|bat|cscfg|publishsettings|cmd|psm1|aspx|asmx|vbs|added_cluster|clean|pubxml|ccf|ini|svd|sql|c|xslt|csv|FF|ExtendedTests|settings|cshtml|template|trd|argpath)$|(config|certificate|publish|UT)\.js$|(commands|user|tests)\.cpp$'''
 regex = '''new\sX509Certificate2\([^()]*,\s*"[^"\r?\n]+"[^)]*\)'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = [
     '''Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(?:Password|pwd|secret|credentials?)(?:Key|Location)|KeyManager''',
     '''(?:_AppKey"|(?:(?:credential|password|token)s?|(?:Account|access)Key=)"[\s\r?\n]*/|Username"|\.dll|(?:Secret|Token|Key|Credential)s?(?:Encryption|From|(?:Signing)?Certificate|Options|Thumbprint|Contacts|String|UserId)|Key(1;value1|word|s?Path|Index|Id|Store|WillDoWithoutValidation|:NamePattern|Name"|Ref")|(Secret|Credential)s?(Name|Path)"|(StrongName|Chaos\s?Mon|Redis|Registry|Registery|User|Insights?|Instrumentation|Match\()Key|(Certificate|cert)(Issuer|Subject)|rollingdate|skuId|HKEY_|AddServicePrincipalCredentials|Password Resets|SecretStore|(0|x|\*){8,})''',
@@ -240,7 +240,7 @@ id = "CSCAN0220-3"
 description = "DefaultPasswordContexts3"
 path = '''\.(?:cs|xml|config|json|ts|cfg|txt|ps1|bat|cscfg|publishsettings|cmd|psm1|aspx|asmx|vbs|added_cluster|clean|pubxml|ccf|ini|svd|sql|c|xslt|csv|FF|ExtendedTests|settings|cshtml|template|trd|argpath)$|(config|certificate|publish|UT)\.js$|(commands|user|tests)\.cpp$'''
 regex = '''AdminPassword\s*=\s*"[^"\r?\n]+"'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = [
     '''Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(?:Password|pwd|secret|credentials?)(?:Key|Location)|KeyManager''',
     '''(?:_AppKey"|(?:(?:credential|password|token)s?|(?:Account|access)Key=)"[\s\r?\n]*/|Username"|\.dll|(?:Secret|Token|Key|Credential)s?(?:Encryption|From|(?:Signing)?Certificate|Options|Thumbprint|Contacts|String|UserId)|Key(1;value1|word|s?Path|Index|Id|Store|WillDoWithoutValidation|:NamePattern|Name"|Ref")|(Secret|Credential)s?(Name|Path)"|(StrongName|Chaos\s?Mon|Redis|Registry|Registery|User|Insights?|Instrumentation|Match\()Key|(Certificate|cert)(Issuer|Subject)|rollingdate|skuId|HKEY_|AddServicePrincipalCredentials|Password Resets|SecretStore|(0|x|\*){8,})''',
@@ -251,7 +251,7 @@ id = "CSCAN0220-4"
 description = "DefaultPasswordContexts4"
 path = '''\.(?:cs|xml|config|json|ts|cfg|txt|ps1|bat|cscfg|publishsettings|cmd|psm1|aspx|asmx|vbs|added_cluster|clean|pubxml|ccf|ini|svd|sql|c|xslt|csv|FF|ExtendedTests|settings|cshtml|template|trd|argpath)$|(config|certificate|publish|UT)\.js$|(commands|user|tests)\.cpp$'''
 regex = '''(?i)<password>.+</password>'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = [
     '''Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(?:Password|pwd|secret|credentials?)(?:Key|Location)|KeyManager''',
     '''(?:_AppKey"|(?:(?:credential|password|token)s?|(?:Account|access)Key=)"[\s\r?\n]*/|Username"|\.dll|(?:Secret|Token|Key|Credential)s?(?:Encryption|From|(?:Signing)?Certificate|Options|Thumbprint|Contacts|String|UserId)|Key(1;value1|word|s?Path|Index|Id|Store|WillDoWithoutValidation|:NamePattern|Name"|Ref")|(Secret|Credential)s?(Name|Path)"|(StrongName|Chaos\s?Mon|Redis|Registry|Registery|User|Insights?|Instrumentation|Match\()Key|(Certificate|cert)(Issuer|Subject)|rollingdate|skuId|HKEY_|AddServicePrincipalCredentials|Password Resets|SecretStore|(0|x|\*){8,})''',
@@ -262,7 +262,7 @@ id = "CSCAN0220-5"
 description = "DefaultPasswordContexts5"
 path = '''\.(?:cs|xml|config|json|ts|cfg|txt|ps1|bat|cscfg|publishsettings|cmd|psm1|aspx|asmx|vbs|added_cluster|clean|pubxml|ccf|ini|svd|sql|c|xslt|csv|FF|ExtendedTests|settings|cshtml|template|trd|argpath)$|(config|certificate|publish|UT)\.js$|(commands|user|tests)\.cpp$'''
 regex = '''ClearTextPassword"?\s*[:=]\s*"[^"\r?\n]+"'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = [
     '''Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(?:Password|pwd|secret|credentials?)(?:Key|Location)|KeyManager''',
     '''(?:_AppKey"|(?:(?:credential|password|token)s?|(?:Account|access)Key=)"[\s\r?\n]*/|Username"|\.dll|(?:Secret|Token|Key|Credential)s?(?:Encryption|From|(?:Signing)?Certificate|Options|Thumbprint|Contacts|String|UserId)|Key(1;value1|word|s?Path|Index|Id|Store|WillDoWithoutValidation|:NamePattern|Name"|Ref")|(Secret|Credential)s?(Name|Path)"|(StrongName|Chaos\s?Mon|Redis|Registry|Registery|User|Insights?|Instrumentation|Match\()Key|(Certificate|cert)(Issuer|Subject)|rollingdate|skuId|HKEY_|AddServicePrincipalCredentials|Password Resets|SecretStore|(0|x|\*){8,})''',
@@ -273,7 +273,7 @@ id = "CSCAN0220-6"
 description = "DefaultPasswordContexts6"
 path = '''\.(?:cs|xml|config|json|ts|cfg|txt|ps1|bat|cscfg|publishsettings|cmd|psm1|aspx|asmx|vbs|added_cluster|clean|pubxml|ccf|ini|svd|sql|c|xslt|csv|FF|ExtendedTests|settings|cshtml|template|trd|argpath)$|(config|certificate|publish|UT)\.js$|(commands|user|tests)\.cpp$'''
 regex = '''certutil.*?\-p\s+("[^"%]+"|'[^'%]+'|[^"']\S*\s)'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = [
     '''Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(?:Password|pwd|secret|credentials?)(?:Key|Location)|KeyManager''',
     '''(?:_AppKey"|(?:(?:credential|password|token)s?|(?:Account|access)Key=)"[\s\r?\n]*/|Username"|\.dll|(?:Secret|Token|Key|Credential)s?(?:Encryption|From|(?:Signing)?Certificate|Options|Thumbprint|Contacts|String|UserId)|Key(1;value1|word|s?Path|Index|Id|Store|WillDoWithoutValidation|:NamePattern|Name"|Ref")|(Secret|Credential)s?(Name|Path)"|(StrongName|Chaos\s?Mon|Redis|Registry|Registery|User|Insights?|Instrumentation|Match\()Key|(Certificate|cert)(Issuer|Subject)|rollingdate|skuId|HKEY_|AddServicePrincipalCredentials|Password Resets|SecretStore|(0|x|\*){8,})''',
@@ -284,7 +284,7 @@ id = "CSCAN0220-7"
 description = "DefaultPasswordContexts7"
 path = '''\.(?:cs|xml|config|json|ts|cfg|txt|ps1|bat|cscfg|publishsettings|cmd|psm1|aspx|asmx|vbs|added_cluster|clean|pubxml|ccf|ini|svd|sql|c|xslt|csv|FF|ExtendedTests|settings|cshtml|template|trd|argpath)$|(config|certificate|publish|UT)\.js$|(commands|user|tests)\.cpp$'''
 regex = '''password\s*=\s*N?(["][^"\r?\n]{4,}["]|['][^'\r?\n]{4,}['])'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = [
     '''Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(?:Password|pwd|secret|credentials?)(?:Key|Location)|KeyManager''',
     '''(?:_AppKey"|(?:(?:credential|password|token)s?|(?:Account|access)Key=)"[\s\r?\n]*/|Username"|\.dll|(?:Secret|Token|Key|Credential)s?(?:Encryption|From|(?:Signing)?Certificate|Options|Thumbprint|Contacts|String|UserId)|Key(1;value1|word|s?Path|Index|Id|Store|WillDoWithoutValidation|:NamePattern|Name"|Ref")|(Secret|Credential)s?(Name|Path)"|(StrongName|Chaos\s?Mon|Redis|Registry|Registery|User|Insights?|Instrumentation|Match\()Key|(Certificate|cert)(Issuer|Subject)|rollingdate|skuId|HKEY_|AddServicePrincipalCredentials|Password Resets|SecretStore|(0|x|\*){8,})''',
@@ -295,7 +295,7 @@ id = "CSCAN0160"
 description = "DomainPassword"
 regex = '''new(?:-object)?\s+System.Net.NetworkCredential\(?:.*?,\s*"[^"]+"'''
 path = '''\.cs$|\.c$|\.cpp$|\.ps1$|\.ps$|\.cmd$|\.bat$|\.log$|\.psd$|\.psm1$'''
-[rules.allowlist]
+[rules.allowlists]
 regexes = '''(%1%|\$MIGUSER_PASSWORD|%miguser_pwd%)'''
 description = "ignore placeholders"
 
 
@@ -1,5 +1,5 @@
-FROM zricethezav/gitleaks:latest
-# FROM ghcr.io/zricethezav/gitleaks:latest
+# FROM zricethezav/gitleaks:latest
+FROM ghcr.io/gitleaks/gitleaks:latest
 
 LABEL "com.github.actions.name"="Gitleaks Scanner"
 LABEL "com.github.actions.description"="Runs Gitleaks in your CI/CD workflow"
 
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022-2023 Dariusz Porowski
+Copyright (c) 2022-2025 Dariusz Porowski
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 
@@ -10,17 +10,21 @@ This GitHub Action allows you to run [Gitleaks](https://github.com/gitleaks/gitl
 
 ## Inputs
 
-| Name          | Required |  Type  | Default value                   | Description                                                                      |
-|---------------|:--------:|:------:|---------------------------------|----------------------------------------------------------------------------------|
-| source        |  false   | string | $GITHUB_WORKSPACE               | Path to source (relative to $GITHUB_WORKSPACE)                                   |
-| config        |  false   | string | /.gitleaks/UDMSecretChecks.toml | Config file path (relative to $GITHUB_WORKSPACE)                                 |
-| baseline_path |  false   | string | *not set*                       | Path to baseline with issues that can be ignored (relative to $GITHUB_WORKSPACE) |
-| report_format |  false   | string | json                            | Report file format: json, csv, sarif                                             |
-| no_git        |  false   |  bool  | *not set*                       | Treat git repos as plain directories and scan those file                         |
-| redact        |  false   |  bool  | true                            | Redact secrets from log messages and leaks                                       |
-| fail          |  false   |  bool  | true                            | Fail if secrets founded                                                          |
-| verbose       |  false   |  bool  | true                            | Show verbose output from scan                                                    |
-| log_level     |  false   | string | info                            | Log level (trace, debug, info, warn, error, fatal)                               |
+| Name             | Required |  Type  | Default value                   | Description                                                                      |
+|------------------|:--------:|:------:|---------------------------------|----------------------------------------------------------------------------------|
+| source           |  false   | string | $GITHUB_WORKSPACE               | Path to source (relative to $GITHUB_WORKSPACE)                                   |
+| config           |  false   | string | /.gitleaks/UDMSecretChecks.toml | Config file path (relative to $GITHUB_WORKSPACE)                                 |
+| baseline_path    |  false   | string | *not set*                       | Path to baseline with issues that can be ignored (relative to $GITHUB_WORKSPACE) |
+| report_format    |  false   | string | json                            | Report file format: json, csv, sarif                                             |
+| no_git           |  false   |  bool  | *not set*                       | Treat git repos as plain directories and scan those file                         |
+| redact           |  false   |  bool  | true                            | Redact secrets from log messages and leaks                                       |
+| fail             |  false   |  bool  | true                            | Fail if secrets founded                                                          |
+| verbose          |  false   |  bool  | true                            | Show verbose output from scan                                                    |
+| log_level        |  false   | string | info                            | Log level (trace, debug, info, warn, error, fatal)                               |
+| exit_code        |  false   |  int   | 1                               | Exit code when leaks have been encountered                                       |
+| log_opts         |  false   | string | *not set*                       | Exit code when leaks have been encountered                                       |
+| max_decode_depth |  false   |  int   | 0                               | Allow recursive decoding up to this depth (default "0", no decoding is done)     |
+| follow_symlinks  |  false   |  bool  | false                           | Scan files that are symlinks to other files                                      |
 
 > ⚠️ The solution provides predefined configuration (See: [.gitleaks](https://github.com/DariuszPorowski/github-action-gitleaks/tree/main/.gitleaks) path). You can override it by yours config using relative to `$GITHUB_WORKSPACE`.
 
@@ -36,7 +40,7 @@ This GitHub Action allows you to run [Gitleaks](https://github.com/gitleaks/gitl
 
 ## Example usage
 
-> ⚠️ You must use `actions/checkout` before the `github-action-gitleaks` step. If you are using `actions/checkout@v3` you must specify a commit depth other than the default which is 1.
+> ⚠️ You must use `actions/checkout` before the `github-action-gitleaks` step. If you are using `actions/checkout@v4` you must specify a commit depth other than the default which is 1.
 >
 > Using a `fetch-depth` of '0' clones the entire history. If you want to do a more efficient clone, use '2', but that is not guaranteed to work with pull requests.
 
@@ -62,7 +66,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
@@ -73,7 +77,7 @@ jobs:
           fail: false
 
       - name: Post PR comment
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         if: ${{ steps.gitleaks.outputs.exitcode == 1 && github.event_name == 'pull_request' }}
         with:
           github-token: ${{ github.token }}
@@ -101,7 +105,7 @@ jobs:
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v3
+  uses: actions/checkout@v4
   with:
     fetch-depth: 0
 
@@ -126,7 +130,7 @@ jobs:
 
 - name: Upload Gitleaks SARIF report to code scanning service
   if: ${{ steps.gitleaks.outputs.exitcode == 1 }}
-  uses: github/codeql-action/upload-sarif@v2
+  uses: github/codeql-action/upload-sarif@v3
   with:
     sarif_file: ${{ steps.gitleaks.outputs.report }}
 ```
@@ -137,7 +141,7 @@ jobs:
 
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v3
+  uses: actions/checkout@v4
   with:
     fetch-depth: 0
 
@@ -148,7 +152,7 @@ jobs:
     config: MyGitleaksConfigs/MyGitleaksConfig.toml
 
 - name: Upload Gitleaks JSON report to artifacts
-  uses: actions/upload-artifact@v3
+  uses: actions/upload-artifact@v4
   if: failure()
   with:
     name: gitleaks
 
@@ -38,9 +38,20 @@ inputs:
     required: false
     default: "info"
   exit_code:
-    description: "exit code when leaks have been encountered (default 1)"
+    description: "Exit code when leaks have been encountered (default 1)"
     required: false
     default: "1"
+  log_opts:
+    description: "Git log options (default: <not set>)"
+    required: false
+  max_decode_depth:
+    description: "Allow recursive decoding up to this depth (default 0, no decoding is done)"
+    required: false
+    default: "0"
+  follow_symlinks:
+    description: "Scan files that are symlinks to other files (default: false)"
+    required: false
+    default: "false"
 
 outputs:
   exitcode: # id of output
 
@@ -41,6 +41,8 @@ INPUT_FAIL=$(default 'true' 'false' "${INPUT_FAIL}" 'true')
 INPUT_VERBOSE=$(default 'true' 'false' "${INPUT_VERBOSE}" 'true')
 INPUT_LOG_LEVEL=$(default 'info' "${INPUT_LOG_LEVEL}" "${INPUT_LOG_LEVEL}" 'true')
 INPUT_EXIT_CODE=$(default '1' '0' "${INPUT_EXIT_CODE}" 'true')
+INPUT_MAX_DECODE_DEPTH=$(default '0' '0' "${INPUT_MAX_DECODE_DEPTH}" 'true')
+INPUT_FOLLOW_SYMLINKS=$(default 'false' 'true' "${INPUT_FOLLOW_SYMLINKS}" 'true')
 
 echo "----------------------------------"
 echo "INPUT PARAMETERS"
@@ -55,6 +57,9 @@ echo "INPUT_FAIL: ${INPUT_FAIL}"
 echo "INPUT_VERBOSE: ${INPUT_VERBOSE}"
 echo "INPUT_LOG_LEVEL: ${INPUT_LOG_LEVEL}"
 echo "INPUT_EXIT_CODE: ${INPUT_EXIT_CODE}"
+echo "INPUT_LOG_OPTS: ${INPUT_LOG_OPTS}"
+echo "INPUT_MAX_DECODE_DEPTH: ${INPUT_MAX_DECODE_DEPTH}"
+echo "INPUT_FOLLOW_SYMLINKS: ${INPUT_FOLLOW_SYMLINKS}"
 echo "----------------------------------"
 
 echo "Setting Git safe directory (CVE-2022-24765)"
@@ -74,14 +79,17 @@ command+=$(arg '--verbose' "${INPUT_VERBOSE}")
 command+=$(arg '--log-level %s' "${INPUT_LOG_LEVEL}")
 command+=$(arg '--report-path %s' "${GITHUB_WORKSPACE}/gitleaks-report.${INPUT_REPORT_FORMAT}")
 command+=$(arg '--exit-code %d' "${INPUT_EXIT_CODE}")
+command+=$(arg '--max-decode-depth %d' "${INPUT_MAX_DECODE_DEPTH}")
+command+=$(arg '--follow-symlinks' "${INPUT_FOLLOW_SYMLINKS}")
 
 if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
   command+=$(arg '--source %s' "${GITHUB_WORKSPACE}")
 
   base_sha=$(git rev-parse "refs/remotes/origin/${GITHUB_BASE_REF}")
-  head_sha=$(git rev-list --no-merges -n 1 refs/remotes/pull/${GITHUB_REF_NAME})
+  head_sha=$(git rev-list --no-merges -n 1 "refs/remotes/pull/${GITHUB_REF_NAME}")
   command+=$(arg '--log-opts "%s"' "--no-merges --first-parent ${base_sha}...${head_sha}")
 else
+  command+=$(arg '--log-opts "%s"' "${INPUT_LOG_OPTS}")
   command+=$(arg '--source %s' "${INPUT_SOURCE}")
   command+=$(arg '--no-git' "${INPUT_NO_GIT}")
 fi