Merge branch 'master' into cloudflare

Checkmarx · Mar 28, 2024 · d6b5536 · d6b5536
2 parents 5db52ae + 33e0634
commit d6b5536
Show file tree

Hide file tree

Showing 9 changed files with 292 additions and 44 deletions.
diff --git a/cmd/generate/config/main.go b/cmd/generate/config/main.go
@@ -147,6 +147,7 @@ func main() {
 		rules.Prefect(),
 		rules.PrivateKey(),
 		rules.PulumiAPIToken(),
+		rules.PuttyPrivateKey(),
 		rules.PyPiUploadToken(),
 		rules.RapidAPIAccessToken(),
 		rules.ReadMe(),

diff --git a/cmd/generate/config/rules/putty.go b/cmd/generate/config/rules/putty.go
@@ -0,0 +1,138 @@
+package rules
+
+import (
+	"regexp"
+
+	"github.com/zricethezav/gitleaks/v8/config"
+	"github.com/zricethezav/gitleaks/v8/detect"
+)
+
+func PuttyPrivateKey() *config.Rule {
+	r := config.Rule{
+		Description: "Identified a Putty Private Key, which may compromise cryptographic security and sensitive data encryption.",
+		RuleID:      "putty-private-key",
+		Path:        regexp.MustCompile(`(?i)\.ppk$`),
+		Regex:       regexp.MustCompile(`Private-Lines: \d+\s+([\n\S-]+)\s+[A-Za-z0-9-:]+`),
+		Keywords:    []string{"PuTTY-User-Key-File-"},
+		Allowlist: config.Allowlist{
+			Description: "Ignore private key protected by a passphrase",
+			Regexes:     []*regexp.Regexp{regexp.MustCompile(`Encryption: [^n][^o][^n][^e]`)},
+			RegexTarget: "raw",
+		},
+	}
+
+	tps := []detect.Fragment{
+		{
+			FilePath: "dsa-key-20240314.ppk",
+			Raw: `
+						PuTTY-User-Key-File-3: ssh-dss
+						Encryption: none
+						Comment: dsa-key-20240314
+						Public-Lines: 18
+						AAAAB3NzaC1kc3MAAAEBAIpeviC974g40YTx0CuxCWjGwWPA97aC7GbnVeB1J4SD
+						A+9r6CtOk+r6bbWTO2UOgN1Nw/wBvUXIGGByOVkkY1G49rY4XWpekrA/OQEtLjdY
+						C0mCQyLRCt72+Q7MGwjnBcP4a7fA7A/Z8T/4Gljp1VpHWfauhvSzS3emr3gDVdhB
+						O5D/J4ApDyaMn4GZ7P0ooyntQY1CT7cmJuMw9SKJR0rYUPrJK0BqxTUtq9rbcqwb
+						9D0ugh+NH5SpmoX7SuvD/T/SHRxTbKhYWIQEYA1tGwIijkOxRSqhS8ISPPntKLW9
+						CeFWqmrY5odFVByRin6q18Wi/IB9HRqo9y2MCRqOhLsAAAAVAJt1uH4ZwTN4yugv
+						qS1OrO4DGVl9AAABAQCEwbRowR99EcSo8VhM6QdtP34j6GU59hX550gL3LMtmANm
+						P10XhuMe6zIkZteEuA2HMJCCUEAoB+4h2uy64p9ch3Vku4a8qJr/BW/cG/+yGtQw
+						HznOehEQh8lAQJIx5EP5Lx6fDDYMRpHgRPIYMNlUx9jJOd2xzmDVjUjd5IaDzEfb
+						P6Jslp8xcsFKhm2W7cLW30jHpA5FkuhqB9Lso/eQw4l4sUD/CMYtyZgKjBRwGDn9
+						gRAn88/G23VSVKm6KdKHiuIbtTyCokPMJcqsLLvOkiakgZ00dzIpQgrH1y4HmM78
+						hqUETurduN+EGGDWgb2cicd2FpAGDCU0IlQ9V+c0AAABAANPWGlC3LJAsIei44lR
+						3W7hELFGMHy5US7UvlO5hZMvLSu5+dvjU4Q+Jqv13o1ZQA0RnzsAy35uBwzyeF/y
+						/ZU8SHSYl0k7bwsXHB618xjWCDW93tHwI+/oevwyZzVcHFDR9KNceaWkXlOraagO
+						CXfU05DaE5kt9nEvovBNQQb96nJvGiBcV1/jxZ8MQrX/zZUgdrQ6AAoWVgeQ3Kfj
+						J+PjZh6SuKVIb8+D/RYNrOFOUQu+uzcI4/VorEoPQObjL7VzOtPy2sxyF+TPeLOI
+						pEw/TeYsOeDv6egtMQKNWGeL9y8/z/IJu4tONCoXrQJ4Q8v0JHQ2q3XREE2RfzWP
+						Uyw=
+						Private-Lines: 1
+						AAAAFFADQ+s+X6fltaX5ADIslRHnLYcd
+						Private-MAC: e01458212c8d218b16ccd35800a225c17acc12d58ec7fc54c20a106141451305
+					`,
+		},
+		{
+			FilePath: "path/to/rsa-key-20240314.ppk",
+			Raw: `
+		PuTTY-User-Key-File-3: ssh-rsa
+		Encryption: none
+		Comment: rsa-key-20240314
+		Public-Lines: 6
+		AAAAB3NzaC1yc2EAAAADAQABAAABAQCVXOpGY7pY//q0d9Bm3XcauPrj75po0trZ
+		lC1Gh4tDIMyl19xQqSG2rLE2sfgGjgK/8QuZMk2ZdbbshDGOSG8WmBb/wuseeJYH
+		UGcNDddbssyTMcN/jnL2E4KLu1C6LW6ToBUogK5rvgFs0bBm2QCmGo2nOvc0IiWj
+		LZD0+6MoL9KUgcCBqvYmwwdaU0Gpr7GlHKrQ7P6j6cLXUqcfXcSE+2QBk8yfvKIW
+		miZyjHxyz0u6yzsIhBc/raaRLNbilXLa0Efkv4n9h9mpdvXfo4ofnQfn/MkSHJF6
+		oKWYR1Nn2MGi+M8TIwnL+O4/9l6Rzg43G4pZpioh0J6u47wpd8xx
+		Private-Lines: 14
+		AAABACJPG4lbsxxqgF4f/4EBcjBzOT5OdXuKo7bC8Lt4uyaKTDf0I6lrkFDzzikw
+		LDblPAB3ECD6ixSrE3+0xeVXAh2Ahhft4DA5psy7TVCUU1m+8nsFPVD5mbKovJ34
+		QwzhDrteVD3fgTFCjfU/HXQieKGvC8bUJqCVD2wyNU/w1YOPTgyazXF6oqV7vRTM
+		GAoXkrM9OwA7gD21e+ZXpoou3nne7zX9QUIZNV68LcDrxS6exC27IqMougruTH+t
+		ADwZuKjxbe6arj21+eEFoZNDNuO+YWXTiTisaKpt8blMoVBLnmXkDb8aP4sntMd+
+		uJnzgLO/YbnenApC86vsN2NmkiEAAACBAN52GNPMnEbj2LBqbNiVbi65Wpf4OOeQ
+		4QRn97YcfNaKTli0x3AMo1RCGBAM/sRWdRr42IaoIRftsJsLD29TnYs7PEagmbht
+		MWtbJ94XriL0KjQSHkvclARYBTmaH/GIbJe2NEarKcHBYMRe9OGDfymbCQqaXazR
+		NNApH0HgCO2tAAAAgQCr4ZV6ZFBs8CkLzEVJYLgPVo2xWK2NT0Wp/1S8iQcUIHja
+		YGompPJWKerMeOn0eTPy2W1gKRiG7XJKTvUr0Q1jAOpyHSB26wp91PdnFEy01ZVc
+		9r3ji1ljsha1b2dyy1/OV4UtPL75yt7oSRZwBK5rIq+aslG99GwXMF43+NyqVQAA
+		AIEAwsuoZkAqq09RG/DP0nEzsPaf16heb3WxvnrczM7pDqAxgD+1VM3L9WZUCdiO
+		DjUM2ZgaRS/cwWKfhTsTdBNhlC3tku+6fHNlitmmnsrj0T8HT3fbLLQ7b7D2I9t2
+		MTQElrixH/aJ20UcePIVR22I/RmEaS1uJL2SmKvm4uLutIE=
+		Private-MAC: 04dc4dfdfb21a070395413c6ba9e246ccdd830d2561983f9eeab5e72f299d8f7
+				`,
+		},
+	}
+	fps := []detect.Fragment{
+		{
+			FilePath: "ecdsa-key.ppk",
+			Raw: `
+				PuTTY-User-Key-File-3: ecdsa-sha2-nistp256
+				Encryption: aes256-cbc
+				Comment: Private key protected by a passphrase
+				Public-Lines: 3
+				AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPXuPjvVPvVY
+				Sgn+fcEP/kdmaBM1Vf4zV4Kjup/fftK4YtPgIYiCI3tS0hlCY7FwkqFsUCxWs0ct
+				vXLcxNpYALQ=
+				Key-Derivation: Argon2id
+				Argon2-Memory: 8192
+				Argon2-Passes: 3
+				Argon2-Parallelism: 1
+				Argon2-Salt: a647a1cd3cba6b26830fee829c37473d
+				Private-Lines: 1
+				FF6XTS+aW43YfvrKDTsWK6Ld8NDGQKUnyLNJiezr7HNi/Y6ZfNNEUl9W8zR5H+t7
+				Private-MAC: eb7b22e0e79122bf0abf5ca4f43bd89ad004475aca39853ae41d991c1fb3d35d
+			`,
+		},
+		{
+			FilePath: "id_rsa",
+			Raw: `
+				PuTTY-User-Key-File-3: ssh-dss
+				Encryption: none
+				Comment: Fragment with wrong FilePath
+				Public-Lines: 2
+				AAAAB3NzaC1kc3MAAAEBAIpeviC974g40YTx0CuxCWjGwWPA97aC7GbnVeB1J4SD
+				Uyw=
+				Private-Lines: 1
+				AAAAFFADQ+s+X6fltaX5ADIslRHnLYcd
+				Private-MAC: e01458212c8d218b16ccd35800a225c17acc12d58ec7fc54c20a106141451305
+			`,
+		},
+		{
+			Raw: `
+				PuTTY-User-Key-File-3: ssh-dss
+				Encryption: none
+				Comment: Fragment without FilePath
+				Public-Lines: 2
+				AAAAB3NzaC1kc3MAAAEBAIpeviC974g40YTx0CuxCWjGwWPA97aC7GbnVeB1J4SD
+				Uyw=
+				Private-Lines: 1
+				AAAAFFADQ+s+X6fltaX5ADIslRHnLYcd
+				Private-MAC: e01458212c8d218b16ccd35800a225c17acc12d58ec7fc54c20a106141451305
+			`,
+		},
+	}
+
+	return validateFragments(r, tps, fps)
+}
diff --git a/cmd/generate/config/rules/rule.go b/cmd/generate/config/rules/rule.go
@@ -71,6 +71,22 @@ func generateSampleSecret(identifier string, secret string) string {
 }
 
 func validate(r config.Rule, truePositives []string, falsePositives []string) *config.Rule {
+	tps := make([]detect.Fragment, len(truePositives))
+	fps := make([]detect.Fragment, len(falsePositives))
+	for i, tp := range truePositives {
+		tps[i] = detect.Fragment{
+			Raw: tp,
+		}
+	}
+	for i, fp := range falsePositives {
+		fps[i] = detect.Fragment{
+			Raw: fp,
+		}
+	}
+	return validateFragments(r, tps, fps)
+}
+
+func validateFragments(r config.Rule, truePositives []detect.Fragment, falsePositives []detect.Fragment) *config.Rule {
 	// normalize keywords like in the config package
 	var keywords []string
 	for _, k := range r.Keywords {
@@ -85,13 +101,13 @@ func validate(r config.Rule, truePositives []string, falsePositives []string) *c
 		Keywords: keywords,
 	})
 	for _, tp := range truePositives {
-		if len(d.DetectString(tp)) != 1 {
-			log.Fatal().Msgf("Failed to validate. For rule ID [%s], true positive [%s] was not detected by regexp [%s]", r.RuleID, tp, r.Regex)
+		if len(d.Detect(tp)) != 1 {
+			log.Fatal().Msgf("Failed to validate. For rule ID [%s], true positive [%s] was not detected by regexp [%s]", r.RuleID, tp.Raw, r.Regex)
 		}
 	}
 	for _, fp := range falsePositives {
-		if len(d.DetectString(fp)) != 0 {
-			log.Fatal().Msgf("Failed to validate. For rule ID [%s], false positive [%s] was detected by regexp [%s]", r.RuleID, fp, r.Regex)
+		if len(d.Detect(fp)) != 0 {
+			log.Fatal().Msgf("Failed to validate. For rule ID [%s], false positive [%s] was detected by regexp [%s]", r.RuleID, fp.Raw, r.Regex)
 		}
 	}
 	return &r

diff --git a/config/allowlist.go b/config/allowlist.go
@@ -14,13 +14,8 @@ type Allowlist struct {
 	// Regexes is slice of content regular expressions that are allowed to be ignored.
 	Regexes []*regexp.Regexp
 
-	// Can be `match` or `line`.
-	//
-	// If `match` the _Regexes_ will be tested against the match of the _Rule.Regex_.
-	//
-	// If `line` the _Regexes_ will be tested against the entire line.
-	//
-	// If RegexTarget is empty, it will be tested against the found secret.
+	// RegexTarget can be "match", "line", or "raw" and is used to specify on which part of the content the regex should be applied.
+	// If not set, it default will be the secret value.
 	RegexTarget string
 
 	// Paths is a slice of path regular expressions that are allowed to be ignored.

diff --git a/config/gitleaks.toml b/config/gitleaks.toml
@@ -2499,6 +2499,22 @@ keywords = [
     "pul-",
 ]
 
+[[rules]]
+id = "putty-private-key"
+description = "Identified a Putty Private Key, which may compromise cryptographic security and sensitive data encryption."
+regex = '''Private-Lines: \d+\s+([\n\S-]+)\s+[A-Za-z0-9-:]+'''
+path = '''(?i)\.ppk$'''
+keywords = [
+    "putty-user-key-file-",
+]
+
+[rules.allowlist]
+
+regexTarget = "raw"
+regexes = [
+    "Encryption: [^n][^o][^n][^e]",
+]
+
 [[rules]]
 id = "pypi-upload-token"
 description = "Discovered a PyPI upload token, potentially compromising Python package distribution and repository integrity."

diff --git a/detect/detect.go b/detect/detect.go
@@ -325,6 +325,8 @@ func (d *Detector) detectRule(fragment Fragment, rule config.Rule) []report.Find
 			allowlistTarget = finding.Match
 		case "line":
 			allowlistTarget = finding.Line
+		case "raw":
+			allowlistTarget = fragment.Raw
 		}
 
 		globalAllowlistTarget := finding.Secret
@@ -333,6 +335,8 @@ func (d *Detector) detectRule(fragment Fragment, rule config.Rule) []report.Find
 			globalAllowlistTarget = finding.Match
 		case "line":
 			globalAllowlistTarget = finding.Line
+		case "raw":
+			globalAllowlistTarget = fragment.Raw
 		}
 		if rule.Allowlist.RegexAllowed(allowlistTarget) ||
 			d.Config.Allowlist.RegexAllowed(globalAllowlistTarget) {

diff --git a/detect/detect_test.go b/detect/detect_test.go
@@ -574,13 +574,15 @@ func TestFromGitStaged(t *testing.T) {
 // TestFromFiles tests the FromFiles function
 func TestFromFiles(t *testing.T) {
 	tests := []struct {
+		testName         string
 		cfgName          string
 		source           string
 		expectedFindings []report.Finding
 	}{
 		{
-			source:  filepath.Join(repoBasePath, "nogit"),
-			cfgName: "simple",
+			testName: "aws on folder",
+			source:   filepath.Join(repoBasePath, "nogit"),
+			cfgName:  "simple",
 			expectedFindings: []report.Finding{
 				{
 					Description: "AWS Access Key",
@@ -601,8 +603,9 @@ func TestFromFiles(t *testing.T) {
 			},
 		},
 		{
-			source:  filepath.Join(repoBasePath, "nogit", "main.go"),
-			cfgName: "simple",
+			testName: "aws on file",
+			source:   filepath.Join(repoBasePath, "nogit", "main.go"),
+			cfgName:  "simple",
 			expectedFindings: []report.Finding{
 				{
 					Description: "AWS Access Key",
@@ -622,42 +625,74 @@ func TestFromFiles(t *testing.T) {
 			},
 		},
 		{
+			testName:         "ignored by .gitleaksignore",
 			source:           filepath.Join(repoBasePath, "nogit", "api.go"),
 			cfgName:          "simple",
 			expectedFindings: []report.Finding{},
 		},
+		{
+			testName: "putty secret with raw regex match",
+			source:   filepath.Join(repoBasePath, "nogit", "putty.ppk"),
+			cfgName:  "putty",
+			expectedFindings: []report.Finding{
+				{
+					Description: "Identified a Putty Private Key, which may compromise cryptographic security and sensitive data encryption.",
+					StartLine:   11,
+					EndLine:     26,
+					StartColumn: 2,
+					EndColumn:   78,
+					Line:        "\nPrivate-Lines: 14\nAAABACJPG4lbsxxqgF4f/4EBcjBzOT5OdXuKo7bC8Lt4uyaKTDf0I6lrkFDzzikw\nLDblPAB3ECD6ixSrE3+0xeVXAh2Ahhft4DA5psy7TVCUU1m+8nsFPVD5mbKovJ34\nQwzhDrteVD3fgTFCjfU/HXQieKGvC8bUJqCVD2wyNU/w1YOPTgyazXF6oqV7vRTM\nGAoXkrM9OwA7gD21e+ZXpoou3nne7zX9QUIZNV68LcDrxS6exC27IqMougruTH+t\nADwZuKjxbe6arj21+eEFoZNDNuO+YWXTiTisaKpt8blMoVBLnmXkDb8aP4sntMd+\nuJnzgLO/YbnenApC86vsN2NmkiEAAACBAN52GNPMnEbj2LBqbNiVbi65Wpf4OOeQ\n4QRn97YcfNaKTli0x3AMo1RCGBAM/sRWdRr42IaoIRftsJsLD29TnYs7PEagmbht\nMWtbJ94XriL0KjQSHkvclARYBTmaH/GIbJe2NEarKcHBYMRe9OGDfymbCQqaXazR\nNNApH0HgCO2tAAAAgQCr4ZV6ZFBs8CkLzEVJYLgPVo2xWK2NT0Wp/1S8iQcUIHja\nYGompPJWKerMeOn0eTPy2W1gKRiG7XJKTvUr0Q1jAOpyHSB26wp91PdnFEy01ZVc\n9r3ji1ljsha1b2dyy1/OV4UtPL75yt7oSRZwBK5rIq+aslG99GwXMF43+NyqVQAA\nAIEAwsuoZkAqq09RG/DP0nEzsPaf16heb3WxvnrczM7pDqAxgD+1VM3L9WZUCdiO\nDjUM2ZgaRS/cwWKfhTsTdBNhlC3tku+6fHNlitmmnsrj0T8HT3fbLLQ7b7D2I9t2\nMTQElrixH/aJ20UcePIVR22I/RmEaS1uJL2SmKvm4uLutIE=\nPrivate-MAC: 04dc4dfdfb21a070395413c6ba9e246ccdd830d2561983f9eeab5e72f299d8f7",
+					Match:       "Private-Lines: 14\nAAABACJPG4lbsxxqgF4f/4EBcjBzOT5OdXuKo7bC8Lt4uyaKTDf0I6lrkFDzzikw\nLDblPAB3ECD6ixSrE3+0xeVXAh2Ahhft4DA5psy7TVCUU1m+8nsFPVD5mbKovJ34\nQwzhDrteVD3fgTFCjfU/HXQieKGvC8bUJqCVD2wyNU/w1YOPTgyazXF6oqV7vRTM\nGAoXkrM9OwA7gD21e+ZXpoou3nne7zX9QUIZNV68LcDrxS6exC27IqMougruTH+t\nADwZuKjxbe6arj21+eEFoZNDNuO+YWXTiTisaKpt8blMoVBLnmXkDb8aP4sntMd+\nuJnzgLO/YbnenApC86vsN2NmkiEAAACBAN52GNPMnEbj2LBqbNiVbi65Wpf4OOeQ\n4QRn97YcfNaKTli0x3AMo1RCGBAM/sRWdRr42IaoIRftsJsLD29TnYs7PEagmbht\nMWtbJ94XriL0KjQSHkvclARYBTmaH/GIbJe2NEarKcHBYMRe9OGDfymbCQqaXazR\nNNApH0HgCO2tAAAAgQCr4ZV6ZFBs8CkLzEVJYLgPVo2xWK2NT0Wp/1S8iQcUIHja\nYGompPJWKerMeOn0eTPy2W1gKRiG7XJKTvUr0Q1jAOpyHSB26wp91PdnFEy01ZVc\n9r3ji1ljsha1b2dyy1/OV4UtPL75yt7oSRZwBK5rIq+aslG99GwXMF43+NyqVQAA\nAIEAwsuoZkAqq09RG/DP0nEzsPaf16heb3WxvnrczM7pDqAxgD+1VM3L9WZUCdiO\nDjUM2ZgaRS/cwWKfhTsTdBNhlC3tku+6fHNlitmmnsrj0T8HT3fbLLQ7b7D2I9t2\nMTQElrixH/aJ20UcePIVR22I/RmEaS1uJL2SmKvm4uLutIE=\nPrivate-MAC: 04dc4dfdfb21a070395413c6ba9e246ccdd830d2561983f9eeab5e72f299d8f7",
+					Secret:      "AAABACJPG4lbsxxqgF4f/4EBcjBzOT5OdXuKo7bC8Lt4uyaKTDf0I6lrkFDzzikw\nLDblPAB3ECD6ixSrE3+0xeVXAh2Ahhft4DA5psy7TVCUU1m+8nsFPVD5mbKovJ34\nQwzhDrteVD3fgTFCjfU/HXQieKGvC8bUJqCVD2wyNU/w1YOPTgyazXF6oqV7vRTM\nGAoXkrM9OwA7gD21e+ZXpoou3nne7zX9QUIZNV68LcDrxS6exC27IqMougruTH+t\nADwZuKjxbe6arj21+eEFoZNDNuO+YWXTiTisaKpt8blMoVBLnmXkDb8aP4sntMd+\nuJnzgLO/YbnenApC86vsN2NmkiEAAACBAN52GNPMnEbj2LBqbNiVbi65Wpf4OOeQ\n4QRn97YcfNaKTli0x3AMo1RCGBAM/sRWdRr42IaoIRftsJsLD29TnYs7PEagmbht\nMWtbJ94XriL0KjQSHkvclARYBTmaH/GIbJe2NEarKcHBYMRe9OGDfymbCQqaXazR\nNNApH0HgCO2tAAAAgQCr4ZV6ZFBs8CkLzEVJYLgPVo2xWK2NT0Wp/1S8iQcUIHja\nYGompPJWKerMeOn0eTPy2W1gKRiG7XJKTvUr0Q1jAOpyHSB26wp91PdnFEy01ZVc\n9r3ji1ljsha1b2dyy1/OV4UtPL75yt7oSRZwBK5rIq+aslG99GwXMF43+NyqVQAA\nAIEAwsuoZkAqq09RG/DP0nEzsPaf16heb3WxvnrczM7pDqAxgD+1VM3L9WZUCdiO\nDjUM2ZgaRS/cwWKfhTsTdBNhlC3tku+6fHNlitmmnsrj0T8HT3fbLLQ7b7D2I9t2\nMTQElrixH/aJ20UcePIVR22I/RmEaS1uJL2SmKvm4uLutIE=\nPrivate-MAC:",
+					File:        "../testdata/repos/nogit/putty.ppk",
+					SymlinkFile: "",
+					Commit:      "",
+					Entropy:     5.980694,
+					Author:      "",
+					Email:       "",
+					Date:        "",
+					Message:     "",
+					Tags:        []string{},
+					RuleID:      "putty-private-key",
+					Fingerprint: "../testdata/repos/nogit/putty.ppk:putty-private-key:11",
+				},
+			},
+		},
 	}
 
 	for _, tt := range tests {
-		viper.AddConfigPath(configPath)
-		viper.SetConfigName("simple")
-		viper.SetConfigType("toml")
-		err := viper.ReadInConfig()
-		require.NoError(t, err)
-
-		var vc config.ViperConfig
-		err = viper.Unmarshal(&vc)
-		require.NoError(t, err)
-		cfg, _ := vc.Translate()
-		detector := NewDetector(cfg)
-
-		var ignorePath string
-		info, err := os.Stat(tt.source)
-		require.NoError(t, err)
-
-		if info.IsDir() {
-			ignorePath = filepath.Join(tt.source, ".gitleaksignore")
-		} else {
-			ignorePath = filepath.Join(filepath.Dir(tt.source), ".gitleaksignore")
-		}
-		err = detector.AddGitleaksIgnore(ignorePath)
-		require.NoError(t, err)
-		detector.FollowSymlinks = true
-		paths, err := sources.DirectoryTargets(tt.source, detector.Sema, true)
-		require.NoError(t, err)
-		findings, err := detector.DetectFiles(paths)
-		require.NoError(t, err)
-		assert.ElementsMatch(t, tt.expectedFindings, findings)
+		tt := tt
+		t.Run(tt.testName, func(t *testing.T) {
+			viper.AddConfigPath(configPath)
+			viper.SetConfigName(tt.cfgName)
+			viper.SetConfigType("toml")
+			err := viper.ReadInConfig()
+			require.NoError(t, err)
+
+			var vc config.ViperConfig
+			err = viper.Unmarshal(&vc)
+			require.NoError(t, err)
+			cfg, _ := vc.Translate()
+			detector := NewDetector(cfg)
+
+			var ignorePath string
+			info, err := os.Stat(tt.source)
+			require.NoError(t, err)
+
+			if info.IsDir() {
+				ignorePath = filepath.Join(tt.source, ".gitleaksignore")
+			} else {
+				ignorePath = filepath.Join(filepath.Dir(tt.source), ".gitleaksignore")
+			}
+			err = detector.AddGitleaksIgnore(ignorePath)
+			require.NoError(t, err)
+			detector.FollowSymlinks = true
+			paths, err := sources.DirectoryTargets(tt.source, detector.Sema, true)
+			require.NoError(t, err)
+			findings, err := detector.DetectFiles(paths)
+			require.NoError(t, err)
+			assert.ElementsMatch(t, tt.expectedFindings, findings)
+		})
 	}
 }
 

diff --git a/testdata/config/putty.toml b/testdata/config/putty.toml
@@ -0,0 +1,17 @@
+title = "allow regex on raw"
+
+[[rules]]
+id = "putty-private-key"
+description = "Identified a Putty Private Key, which may compromise cryptographic security and sensitive data encryption."
+regex = '''Private-Lines: \d+\s+([\n\S-]+)\s+[A-Za-z0-9-:]+'''
+path = '''(?i)\.ppk$'''
+keywords = [
+    "putty-user-key-file-",
+]
+
+[rules.allowlist]
+
+regexTarget = "raw"
+regexes = [
+    "Encryption: [^n][^o][^n][^e]",
+]