gitleaks
diff --git a/‎README.md‎
Lines changed: 2 additions & 0 deletions b/‎README.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎config/config.go‎
Lines changed: 33 additions & 4 deletions b/‎config/config.go‎
Lines changed: 33 additions & 4 deletions
diff --git a/‎config/config_test.go‎
Lines changed: 25 additions & 11 deletions b/‎config/config_test.go‎
Lines changed: 25 additions & 11 deletions
diff --git a/‎testdata/config/extend_disabled.toml‎
Lines changed: 11 additions & 0 deletions b/‎testdata/config/extend_disabled.toml‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎testdata/config/extend_disabled_base.toml‎
Lines changed: 11 additions & 0 deletions b/‎testdata/config/extend_disabled_base.toml‎
Lines changed: 11 additions & 0 deletions
@@ -235,6 +235,8 @@ useDefault = true
 # or you can supply a path to a configuration. Path is relative to where gitleaks
 # was invoked, not the location of the base config.
 path = "common_config.toml"
+# If there are any rules you don't want to inherit, they can be specified here.
+disabledRules = [ "generic-api-key"]
 
 # An array of tables that contain information that define instructions
 # on how to detect secrets
 
@@ -77,9 +77,10 @@ type Config struct {
 // Extend is a struct that allows users to define how they want their
 // configuration extended by other configuration files.
 type Extend struct {
-	Path       string
-	URL        string
-	UseDefault bool
+	Path          string
+	URL           string
+	UseDefault    bool
+	DisabledRules []string
 }
 
 func (vc *ViperConfig) Translate() (Config, error) {
@@ -216,7 +217,7 @@ func (vc *ViperConfig) Translate() (Config, error) {
 
 	// Validate the rules after everything has been assembled (including extended configs).
 	if extendDepth == 0 {
-		for _, rule := range rulesMap {
+		for _, rule := range c.Rules {
 			if err := rule.Validate(); err != nil {
 				return Config{}, err
 			}
@@ -284,7 +285,35 @@ func (c *Config) extendURL() {
 }
 
 func (c *Config) extend(extensionConfig Config) {
+	// Get config name for helpful log messages.
+	var configName string
+	if c.Extend.Path != "" {
+		configName = c.Extend.Path
+	} else {
+		configName = "default"
+	}
+	// Convert |Config.DisabledRules| into a map for ease of access.
+	disabledRuleIDs := map[string]struct{}{}
+	for _, id := range c.Extend.DisabledRules {
+		if _, ok := extensionConfig.Rules[id]; !ok {
+			log.Warn().
+				Str("rule-id", id).
+				Str("config", configName).
+				Msg("Disabled rule doesn't exist in extended config.")
+		}
+		disabledRuleIDs[id] = struct{}{}
+	}
+
 	for ruleID, baseRule := range extensionConfig.Rules {
+		// Skip the rule.
+		if _, ok := disabledRuleIDs[ruleID]; ok {
+			log.Debug().
+				Str("rule-id", ruleID).
+				Str("config", configName).
+				Msg("Ignoring rule from extended config.")
+			continue
+		}
+
 		currentRule, ok := c.Rules[ruleID]
 		if !ok {
 			// Rule doesn't exist, add it to the config.
 
@@ -39,8 +39,7 @@ func TestTranslate(t *testing.T) {
 							Regexes:        []*regexp.Regexp{regexp.MustCompile("123")},
 						},
 					},
-				},
-				},
+				}},
 			},
 		},
 		{
@@ -73,8 +72,7 @@ func TestTranslate(t *testing.T) {
 							Regexes:        []*regexp.Regexp{regexp.MustCompile("AKIALALEMEL33243OLIA")},
 						},
 					},
-				},
-				},
+				}},
 			},
 		},
 		{
@@ -92,8 +90,7 @@ func TestTranslate(t *testing.T) {
 							Commits:        []string{"allowthiscommit"},
 						},
 					},
-				},
-				},
+				}},
 			},
 		},
 		{
@@ -111,8 +108,7 @@ func TestTranslate(t *testing.T) {
 							Paths:          []*regexp.Regexp{regexp.MustCompile(".go")},
 						},
 					},
-				},
-				},
+				}},
 			},
 		},
 		{
@@ -122,12 +118,11 @@ func TestTranslate(t *testing.T) {
 					RuleID:      "discord-api-key",
 					Description: "Discord API key",
 					Regex:       regexp.MustCompile(`(?i)(discord[a-z0-9_ .\-,]{0,25})(=|>|:=|\|\|:|<=|=>|:).{0,5}['\"]([a-h0-9]{64})['\"]`),
-					Keywords:    []string{},
 					Entropy:     3.5,
 					SecretGroup: 3,
+					Keywords:    []string{},
 					Tags:        []string{},
-				},
-				},
+				}},
 			},
 		},
 		{
@@ -350,6 +345,25 @@ func TestTranslate(t *testing.T) {
 				},
 			},
 		},
+		{
+			cfgName: "extend_disabled",
+			cfg: Config{
+				Rules: map[string]Rule{
+					"aws-secret-key": {
+						RuleID:   "aws-secret-key",
+						Regex:    regexp.MustCompile(`(?i)aws_(.{0,20})?=?.[\'\"0-9a-zA-Z\/+]{40}`),
+						Tags:     []string{"key", "AWS"},
+						Keywords: []string{},
+					},
+					"pypi-upload-token": {
+						RuleID:   "pypi-upload-token",
+						Regex:    regexp.MustCompile(`pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\-_]{50,1000}`),
+						Tags:     []string{},
+						Keywords: []string{},
+					},
+				},
+			},
+		},
 	}
 
 	for _, tt := range tests {
 
@@ -0,0 +1,11 @@
+title = "gitleaks extend disable"
+
+[extend]
+path = "../testdata/config/extend_disabled_base.toml"
+disabledRules = [
+    'custom-rule1'
+]
+
+[[rules]]
+id = "pypi-upload-token"
+regex = '''pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\-_]{50,1000}'''
@@ -0,0 +1,11 @@
+title = "gitleaks extended 3"
+
+
+[[rules]]
+id = "aws-secret-key"
+regex = '''(?i)aws_(.{0,20})?=?.[\'\"0-9a-zA-Z\/+]{40}'''
+tags = ["key", "AWS"]
+
+[[rules]]
+id = "custom-rule1"
+regex = '''[Cc]ustom!'''