From af04c73da5a07e0971cfc81175134678a484c36e Mon Sep 17 00:00:00 2001
From: Romain Gaillard
Date: Mon, 14 Oct 2024 13:04:36 +0200
Subject: [PATCH] fix: Disable generic API key rule by default in loki.secretfilter (#1877)
* Disable generic api key rule by default
* Update doc
* Update docs/sources/reference/components/loki/loki.secretfilter.md
Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>
---------
Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com>
---
 .../reference/components/loki/loki.secretfilter.md | 4 ++--
 internal/component/loki/secretfilter/secretfilter.go | 4 ++--
 .../component/loki/secretfilter/secretfilter_test.go | 12 ++++++------
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/docs/sources/reference/components/loki/loki.secretfilter.md b/docs/sources/reference/components/loki/loki.secretfilter.md
index 70fe15cd35..a4767a1e71 100644
--- a/docs/sources/reference/components/loki/loki.secretfilter.md
+++ b/docs/sources/reference/components/loki/loki.secretfilter.md
@@ -40,7 +40,7 @@ Name | Type | Description
 `gitleaks_config` | `string` | Path to the custom `gitleaks.toml` file. | Embedded Gitleaks file | no
 `types` | `map(string)` | Types of secret to look for. | All types | no
 `redact_with` | `string` | String to use to redact secrets. | `` | no
-`exclude_generic` | `bool` | Exclude the generic API key rule. | `false` | no
+`include_generic` | `bool` | Include the generic API key rule. | `false` | no
 `allowlist` | `map(string)` | List of regexes to allowlist matching secrets. | `{}` | no
 `partial_mask` | `number` | Show the first N characters of the secret. | `0` | no
 
@@ -51,7 +51,7 @@ The `types` argument is a map of secret types to look for. The values are used a
 
 The `redact_with` argument is a string that can use variables such as `$SECRET_NAME` (replaced with the matching secret type) and `$SECRET_HASH`(replaced with the sha1 hash of the secret).
 
-The `exclude_generic` argument is a boolean that excludes the generic API key rule in the Gitleaks configuration file if set to `true`.
+The `include_generic` argument is a boolean that includes the generic API key rule in the Gitleaks configuration file if set to `true`. It's disabled by default because it can generate false positives.
 
 The `allowlist` argument is a map of regular expressions to allow matching secrets. A secret will not be redacted if it matches any of the regular expressions. The allowlist in the Gitleaks configuration file is also applied.
 
diff --git a/internal/component/loki/secretfilter/secretfilter.go b/internal/component/loki/secretfilter/secretfilter.go
index 155e5bd15d..32a745e316 100644
--- a/internal/component/loki/secretfilter/secretfilter.go
+++ b/internal/component/loki/secretfilter/secretfilter.go
@@ -53,7 +53,7 @@ type Arguments struct {
 GitleaksConfig string `alloy:"gitleaks_config,attr,optional"` // Path to the custom gitleaks.toml file. If empty, the embedded one is used
 Types []string `alloy:"types,attr,optional"` // Types of secret to look for (e.g. "aws", "gcp", ...). If empty, all types are included
 RedactWith string `alloy:"redact_with,attr,optional"` // Redact the secret with this string. Use $SECRET_NAME and $SECRET_HASH to include the secret name and hash
- ExcludeGeneric bool `alloy:"exclude_generic,attr,optional"` // Exclude the generic API key rule (default: false)
+ IncludeGeneric bool `alloy:"include_generic,attr,optional"` // Include the generic API key rule (default: false)
 AllowList []string `alloy:"allowlist,attr,optional"` // List of regexes to allowlist (on top of what's in the Gitleaks config)
 PartialMask uint `alloy:"partial_mask,attr,optional"` // Show the first N characters of the secret (default: 0)
 }
@@ -338,7 +338,7 @@ func (c *Component) Update(args component.Arguments) error {
 }
 
 // Add the generic API key rule last if needed
- if ruleGenericApiKey != nil && !c.args.ExcludeGeneric {
+ if ruleGenericApiKey != nil && c.args.IncludeGeneric {
 c.Rules = append(c.Rules, *ruleGenericApiKey)
 }
 
diff --git a/internal/component/loki/secretfilter/secretfilter_test.go b/internal/component/loki/secretfilter/secretfilter_test.go
index b02158e8f3..d57de301e9 100644
--- a/internal/component/loki/secretfilter/secretfilter_test.go
+++ b/internal/component/loki/secretfilter/secretfilter_test.go
@@ -70,9 +70,9 @@ var testConfigs = map[string]string{
 forward_to = []
 allowlist = [".*foobar.*"]
 `,
- "exclude_generic": `
+ "include_generic": `
 forward_to = []
- exclude_generic = true
+ include_generic = true
 `,
 "custom_gitleaks_file_simple": `
 forward_to = []
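Review bot: Replacing `ExcludeGeneric`/`exclude_generic` with `IncludeGeneric`/`include_generic` at a default of `false` flips the component's behaviour for every existing configuration that does not set the new attribute: log lines that only the generic API key rule would have caught are now forwarded unredacted, and a configuration that still sets `exclude_generic` will presumably fail to load as an unknown attribute. The diffstat lists only the doc page, the component and its test, so there is no changelog or upgrade note telling operators that redaction coverage narrows on upgrade. The field comment should carry the rationale the doc hunk gives, e.g. `// Include the generic API key rule. Opt-in (default: false) because it is prone to false positives; rules for the configured Types are unaffected`. The Update hunk at -338 and the test-table hunk at -230 in secretfilter_test.go encode the same default flip, so the same note applies there.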
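Review bot: The comment over the changed condition in Update, `// Add the generic API key rule last if needed`, no longer says what "needed" means now that the guard is an opt-in rather than an opt-out, and the false-positive rationale lives only in the markdown page. Suggest `// The generic API key rule is opt-in (include_generic) because it is prone to false positives; see loki.secretfilter.md`. Update's body starts and ends outside this hunk, so whether the rule's position at the end of c.Rules matters to matching is not visible here and the comment should not claim it.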
@@ -230,14 +230,14 @@ var tt = []struct {
 testConfigs["default"],
 "",
 testLogs["simple_secret_generic"].log,
- replaceSecrets(testLogs["simple_secret_generic"].log, testLogs["simple_secret_generic"].secrets, true, false, defaultRedactionString),
+ testLogs["simple_secret_generic"].log, // Generic secret is excluded so no redaction expected
 },
 {
- "exclude_generic",
- testConfigs["exclude_generic"],
+ "include_generic",
+ testConfigs["include_generic"],
 "",
 testLogs["simple_secret_generic"].log,
- testLogs["simple_secret_generic"].log, // Generic secret is excluded so no redaction expected
+ replaceSecrets(testLogs["simple_secret_generic"].log, testLogs["simple_secret_generic"].secrets, true, false, defaultRedactionString),
 },
 {
 "custom_gitleaks_file_simple",
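Review bot: The comment kept on the "default" row, `// Generic secret is excluded so no redaction expected`, describes the old opt-out model; since the rule is now simply not opted in, `// Generic rule is opt-in and not enabled by default, so no redaction expected` states the tested contract more precisely. The table also has no case for a configuration that still sets the removed `exclude_generic` attribute; if the config parser rejects unknown attributes (not visible in this hunk), a case asserting that such a config fails to load would pin the migration behaviour. The `tt` table starts before this hunk and continues after it.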