
Bump the go-dependencies group with 5 updates #1164

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/go-dependencies-7ab830d1a1


@dependabot dependabot Bot commented on behalf of github May 8, 2026

https://entire.io/gh/entireio/cli/trails/338

Bumps the go-dependencies group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| github.com/betterleaks/betterleaks | 1.1.2 | 1.2.0 |
| github.com/posthog/posthog-go | 1.12.4 | 1.12.5 |
| golang.org/x/mod | 0.35.0 | 0.36.0 |
| golang.org/x/sys | 0.43.0 | 0.44.0 |
| golang.org/x/term | 0.42.0 | 0.43.0 |

Updates github.com/betterleaks/betterleaks from 1.1.2 to 1.2.0

Release notes

Sourced from github.com/betterleaks/betterleaks's releases.

v1.2.0

What's New

GitHub Source

You can now scan GitHub resources natively with Betterleaks. The GitHub source has resources that can be included or excluded w/ cli options (--include/--exclude).

```bash
# Scan GitHub org (defaults to only scanning repos)
betterleaks github https://github.com/betterleaks

# Scan GitHub org (all resources)
betterleaks github https://github.com/betterleaks --include prs,pr-comments,issues,issue-comments,discussions,releases,release-assets,actions,action-artifacts

# Scan GitHub user (w/ gists)
betterleaks github https://github.com/cooluser123456789 --gists

# Scan GitHub org but exclude certain repos (glob matching)
betterleaks github https://github.com/betterleaks --exclude-repo **/*betterleaks

# Scan specific resource, like a PR... but exclude the description (only scan comments)
betterleaks github betterleaks/betterleaks#113 --exclude pr-comments
```

Check the scanning docs for more examples.

CEL-filtering (bye bye allowlists)

Filters replace legacy allowlists, entropy checks, and token efficiency checks with dynamic Common Expression Language (CEL) statements. If a filter expression evaluates to true, the item is skipped/discarded.

  • prefilter: Exists only at the global level. It evaluates before any regex runs and only has access to file/commit metadata (attributes). Use this to entirely bypass binary files or bot commits.
  • filter: Exists globally and per-rule. It evaluates after a regex match is found and has access to both attributes and the finding itself.

Note that safe attribute access requires somewhat cumbersome syntax, attributes.[?"key"].orValue(""). If key does not exist in the attributes map, then it will default to using an empty string, "".

Available filter bindings

| Binding / Function | Description |
| --- | --- |
| `attributes` | A map of metadata. Keys include: path, git.sha, git.author_name, git.author_email, git.date, git.message, git.remote_url, git.platform, fs.symlink. Full list of available keys available here. |
| `finding` | A map representing the secret. Keys include: secret (the extracted value), match (the full regex match), line (the line of code), rule_id, and description. |
| `matchesAny(string, list)` | Returns true if the string matches any of the provided regex patterns. |
| `containsAny(string, list)` | Returns true if the string contains any of the provided strings (uses an efficient Aho-Corasick substring match). |
| `entropy(string)` | Returns the Shannon entropy (float) of the string. Useful for filtering out non-random placeholders. |
| `failsTokenEfficiency(string)` | Returns true if the string tokenizes too efficiently (i.e., it looks like natural language instead of a random secret). |

Example filter CEL expression:

filter = '''

... (truncated)

Commits

Updates github.com/posthog/posthog-go from 1.12.4 to 1.12.5

Release notes

Sourced from github.com/posthog/posthog-go's releases.

1.12.5

Unreleased

Changelog

Sourced from github.com/posthog/posthog-go's changelog.

1.12.5

Patch Changes

  • 6d243a6: Return ErrSDKDisabled from no-op clients when the project API key is missing, return ErrNoPersonalAPIKey before making requests for Personal API key dependent methods when no Personal API key is configured, and return ErrNoDistinctID from EvaluateFlags when distinct_id is missing.

New Features

  • EvaluateFlags: New method on Client that returns a FeatureFlagEvaluations snapshot for a user using a single /flags request. The snapshot powers any number of IsEnabled / GetFlag / GetFlagPayload checks, fires deduped $feature_flag_called events with full v4 metadata (id, version, reason, request_id), and can be attached to a Capture event via the new Capture.Flags field to populate $feature/<key> and $active_feature_flags without another network call.
  • Capture.Flags: New optional field on Capture that accepts a *FeatureFlagEvaluations snapshot. Takes precedence over SendFeatureFlags, avoids a hidden /flags request per event, and lets caller-supplied Properties override the auto-generated $feature/<key> values on conflict.

Internal

  • Refactored the $feature_flag_called dedup logic into a shared helper so the existing single-flag path and the new snapshot path use identical semantics against the same per-distinct_id LRU cache.
  • $feature_flag_called events from the snapshot path combine response-level errors (errors_while_computing_flags, quota_limited) with per-flag errors (flag_missing) comma-joined in $feature_flag_error, matching the granularity of the legacy single-flag path.
Commits
  • 22195ff chore: release v1.12.5 [version bump] [skip ci]
  • 6d243a6 fix: revert d2c4dd2 (#199)
  • d2c4dd2 chore: release v1.12.4 [version bump] [skip ci]
  • e9436fa Fix no-op client for empty API key (#193)
  • 06421d2 chore: sign release workflow commits (#198)
  • 8e96d3d Run Go CI on main pushes (#197)
  • 9f60d7a feat(flags): support mixed targeting in local evaluation (#192)
  • 4f175d4 chore: trigger releases from main changesets (#196)
  • 2370beb feat: add EvaluateFlags() API for single-call flag evaluation (#191)
  • See full diff in compare view

Updates golang.org/x/mod from 0.35.0 to 0.36.0

Commits
  • 643da9b go.mod: update golang.org/x dependencies
  • ccc3cdf zip: include 'but content has correct sum' note in TestVCS
  • ab30318 zip: update zip hashes for new flate compression
  • See full diff in compare view

Updates golang.org/x/sys from 0.43.0 to 0.44.0

Commits
  • fb1facd windows: avoid uint16 overflow in NewNTUnicodeString
  • 94ad893 windows: add GetIfTable2Ex, GetIpInterface{Entry,Table}, GetUnicastIpAddressT...
  • 54fe89f cpu: use IsProcessorFeaturePresent to calculate ARM64 on windows
  • df7d5d7 unix: automatically remove container created by mkall.sh
  • 68a4a8e unix: avoid nil pointer dereference in Utime
  • 690c91f unix: add CPUSetDynamic for systems with more than 1024 CPUs
  • See full diff in compare view

Updates golang.org/x/term from 0.42.0 to 0.43.0

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
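
The two-stage evaluation order described in the betterleaks release notes above, modelled in plain Go as an added example (not betterleaks code and not part of this PR). The names `prefilter`, `filter`, `Verdict` and `shannonEntropy`, the byte-wise entropy computation and the 3.0 threshold are assumptions made for illustration, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// shannonEntropy returns bits per byte (assumed stand-in for entropy(string)).
func shannonEntropy(s string) (h float64) {
	counts := map[byte]float64{}
	for i := 0; i < len(s); i++ {
		counts[s[i]]++
	}
	for _, c := range counts {
		h -= c / float64(len(s)) * math.Log2(c/float64(len(s)))
	}
	return h
}

// prefilter sees only attributes and runs before any regex; true means skip.
// A missing Go map key reads as "", like attributes.[?"key"].orValue("").
func prefilter(attrs map[string]string) bool {
	return strings.HasSuffix(attrs["path"], ".png") ||
		strings.HasSuffix(attrs["git.author_name"], "[bot]")
}

// filter runs after a regex match and sees the finding; true means discard (3.0 is assumed).
func filter(attrs, finding map[string]string) bool {
	return shannonEntropy(finding["secret"]) < 3.0
}

// Verdict applies both stages in order; finding is nil when no regex matched.
func Verdict(attrs, finding map[string]string) string {
	switch {
	case prefilter(attrs):
		return "skipped by prefilter"
	case finding == nil:
		return "no match"
	case filter(attrs, finding):
		return "discarded by filter"
	}
	return "reported"
}

func main() {
	attrs := map[string]string{"path": "config/app.env"} // constructed sample
	fmt.Println(Verdict(attrs, map[string]string{"secret": "k9Qz7Lw2Xp4Rt8Vb"}))
	fmt.Println(Verdict(attrs, map[string]string{"secret": "changeme"}))
}
```

Because a true result drops the finding, the entropy threshold here also discards a low-entropy but real credential such as the second sample, so filter expressions deserve the same review as the allowlists they replace.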

Bumps the go-dependencies group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/betterleaks/betterleaks](https://github.com/betterleaks/betterleaks) | `1.1.2` | `1.2.0` |
| [github.com/posthog/posthog-go](https://github.com/posthog/posthog-go) | `1.12.4` | `1.12.5` |
| [golang.org/x/mod](https://github.com/golang/mod) | `0.35.0` | `0.36.0` |
| [golang.org/x/sys](https://github.com/golang/sys) | `0.43.0` | `0.44.0` |
| [golang.org/x/term](https://github.com/golang/term) | `0.42.0` | `0.43.0` |


Updates `github.com/betterleaks/betterleaks` from 1.1.2 to 1.2.0
- [Release notes](https://github.com/betterleaks/betterleaks/releases)
- [Commits](betterleaks/betterleaks@v1.1.2...v1.2.0)

Updates `github.com/posthog/posthog-go` from 1.12.4 to 1.12.5
- [Release notes](https://github.com/posthog/posthog-go/releases)
- [Changelog](https://github.com/PostHog/posthog-go/blob/main/CHANGELOG.md)
- [Commits](PostHog/posthog-go@v1.12.4...v1.12.5)

Updates `golang.org/x/mod` from 0.35.0 to 0.36.0
- [Commits](golang/mod@v0.35.0...v0.36.0)

Updates `golang.org/x/sys` from 0.43.0 to 0.44.0
- [Commits](golang/sys@v0.43.0...v0.44.0)

Updates `golang.org/x/term` from 0.42.0 to 0.43.0
- [Commits](golang/term@v0.42.0...v0.43.0)

---
updated-dependencies:
- dependency-name: github.com/betterleaks/betterleaks
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
- dependency-name: github.com/posthog/posthog-go
  dependency-version: 1.12.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-dependencies
- dependency-name: golang.org/x/mod
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
- dependency-name: golang.org/x/sys
  dependency-version: 0.44.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
- dependency-name: golang.org/x/term
  dependency-version: 0.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels May 8, 2026
@dependabot dependabot Bot requested a review from a team as a code owner May 8, 2026 18:29