gitleaks/gitleaks

Creating Composite Rule Errors

Open

#1932 opened on Aug 18, 2025

Labels: bug, enhancement, help wanted

Description

Describe the bug

I tried to define a new composite rule using code but the gitleaks generator always throws the following error:

4:02PM ERR required rule not found in config path= rule-id=anthropic-api-key

I can add any rule in ruleId and get the same result, so I tried it with a rule that is initialized before the AWS one.

To Reproduce

Steps to reproduce the behavior:

	// define rule
	r := config.Rule{
		RuleID:      "aws-access-token",
		Description: "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms.",
		Regex:       regexp.MustCompile(`\b((?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z2-7]{16})\b`),
		Entropy:     3,
		RequiredRules: []*config.Required{
			{RuleID: "anthropic-api-key", WithinLines: &maxLines},
		},
		Keywords: []string{
			// https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids
			"A3T",  // todo: might not be a valid AWS token
			"AKIA", // Access key
			"ASIA", // Temporary (AWS STS) access key
			"ABIA", // AWS STS service bearer token
			"ACCA", // Context-specific credential
		},
		Allowlists: []*config.Allowlist{
			{
				Regexes: []*regexp.Regexp{
					regexp.MustCompile(`.+EXAMPLE$`),
				},
				StopWords: []string{
					"AKIAIOSFODNN7EXAMPLE",
					"AKIA222222222EXAMPLE",
				},
			},
		},
	}

Expected behavior

A Composite Rule gets created

Screenshots

Additional context

Add any other context about the problem here.

cc @zricethezav
