Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add an option to ignore secrets which are removed by the scanned commit #909

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add an option to ignore secrets which are removed by the scanned commit #909

wants to merge 1 commit into from

Conversation

Walz
Copy link
Collaborator

@Walz Walz commented Jun 7, 2024

Context

Add an option to ignore secrets which are removed by the scanned commit.
The goal of this PR is to create a way to accept secrets which are being remediated. If a dev is removing a secret from their code, but not rewriting the git history, GGShield will prevent them (pre-commit, pre-push or pre-receive) from committing and pushing the secret remediation.

This optional option will allow users to accept secrets in commits when they are removed, either on a deleted line or in a deleted file.

What has been done

  • Add --ignore-removed-secrets via the decorator add_secret_scan_common_options
  • Add an equivalent field to SecretConfig named ignore_removed_secrets

Validation

Create a repository, add then remove a secret:

git init
echo "ggtt-v-7faxcu9ak6" > secret.txt
git add secret.txt
git commit -m "add secret"
echo "remove" > secret.txt
git add secret.txt
git commit -m "remove secret"

Then verify that scanning the repository raises two incidents and only one with --ignore-removed-secrets

$ ggshield secret scan repo . --json | jq .total_incidents
Scanning... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 2 / 2
2

$ ggshield secret scan repo . --json --ignore-removed-secrets | jq .total_incidents
Scanning... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 2 / 2
1

PR check list

  • As much as possible, the changes include tests (unit and/or functional)
  • If the changes affect the end user (new feature, behavior change, bug fix) then the PR has a changelog entry (see doc/dev/getting-started.md). If the changes do not affect the end user, then the skip-changelog label has been added to the PR.

agateau-gg
agateau-gg requested changes Aug 30, 2024
View reviewed changes
Copy link
Collaborator

@agateau-gg agateau-gg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor remarks, looks good.

ggshield/verticals/secret/secret_scan_collection.py
Comment on lines +47 to +54
not content_splitlines[line_number - 1].startswith("-")
for match in policy_break.matches
for line_number in range(
cast(int, match.line_start), cast(int, match.line_end) + 1
)
if match.line_start is not None
and match.line_end is not None
and 0 <= line_number - 1 < len(content_splitlines)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This generator expression is a bit long. Can you move it to a helper function?

ggshield/verticals/secret/output/secret_output_handler.py
@@ -20,18 +20,23 @@ def __init__(
verbose: bool,
output: Optional[Path] = None,
ignore_known_secrets: bool = False,
ignore_removed_secrets: bool = True,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you set this to False by default, to be consistent with the default value in SecretConfig?

ggshield/cmd/secret/scan/secret_scan_common_options.py
"--ignore-removed-secrets",
is_flag=True,
default=None,
help="Ignore secrets which are removed by the scanned commit.",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
help="Ignore secrets which are removed by the scanned commit.",
help="Ignore secrets removed by the scanned commit.",

changelog.d/20240606_111932_samuel.guillaume.md

### Added

- Add option `--ignore-removed-secrets` to ignore secrets which are removed by the scanned commit.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- Add option `--ignore-removed-secrets` to ignore secrets which are removed by the scanned commit.
- Add option `--ignore-removed-secrets` to ignore secrets removed by the scanned commit.

tests/functional/secret/test_scan_repo.py
@pytest.mark.parametrize("ignore_removed_secrets", [True, False])
@pytest.mark.parametrize("file_deleted", [True, False])
def test_scan_repo_ignore_removed_secrets(
tmp_path_factory: pytest.TempPathFactory,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The leaky_repo() fixture uses tmp_path_factory because it's a module-scope fixture, but since this test creates its own repo, it can use tmp_path.

tests/functional/secret/test_scan_repo.py
repo.create_commit()

if file_deleted:
os.remove(secret_file)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit:

Suggested change
os.remove(secret_file)
secret_file.unlink()

tests/functional/secret/test_scan_repo.py
ignore_removed_secrets: bool,
file_deleted: bool,
) -> None:
# GIVEN a repository with a past commits adding and removing a leak
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# GIVEN a repository with a past commits adding and removing a leak
# GIVEN a repository with a commit adding a leak
# AND another commit removing the leak

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@agateau-gg agateau-gg agateau-gg requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Walz @agateau-gg