Respect plugin list from baseline #121
Comments
CC @jribm

That certainly sounds reasonable @killuazhu, let me chat with @domanchi about it IRL and I'll update this afterwards. The only "Pro" for having

Hey @killuazhu, That's a really good idea. I think we would definitely welcome the addition of a new

Hey @KevinHock, @domanchi thanks for looking into the issue. So instead of using The updated behavior would be

For users who want to always stay at the latest, they can use If you guys think this makes sense, I can put something together. It's a little bit different from our current implementation, but I think it's actually cleaner. Our current implementation introduces a bunch of

SGTM. Looking forward to your improvements!

This issue is implemented through #124

Help me please. I have 2 false positives:
Some of the plugins, in particular the entropy-based and keyword plugins, can generate a relatively high number of false positives. When some of our teams use detect-secrets, they choose to exclude certain plugins (with or without also excluding some files). Currently, if you run a scan with a `--no-xxx-scan` option, the plugin list that was used is persisted in the baseline file. If some developer or automation system picks up the repo, has no pre-commit hook set up and is also unaware of the exclude list, they could run into the issue that they run `detect-secrets --update baseline` and the baseline file is regenerated with all plugins used.

Would the community entertain the idea that the `detect-secrets --update baseline` scan uses the plugin list from the baseline instead of all plugins (the default setting)? Some additional options can be added if you want to use more plugins than the baseline ones to scan the repo. We have something implemented in our fork (offline in our GHE); we'd like to hear some feedback on the problem before submitting a big PR.
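The behaviour proposed in this issue, as an added example that is not part of the original post or of detect-secrets itself: the update scan derives its plugin set from the `plugins_used` entries already persisted in the baseline, keeps each entry's parameters (such as `hex_limit`), lets the caller opt in to extra plugins by name, and only falls back to the full default plugin set when the baseline carries no plugin list or the caller explicitly asks for it. The sample baseline, the `ALL_PLUGINS` list and the function names are assumptions constructed for illustration, not the project's API.

```python
import json
from typing import Dict, List, Optional

# Constructed sample baseline. The "plugins_used" layout follows the shape a
# detect-secrets baseline uses, but this content is invented for the example.
SAMPLE_BASELINE = json.dumps({
    "version": "0.12.0",
    "plugins_used": [
        {"name": "AWSKeyDetector"},
        {"name": "HexHighEntropyString", "hex_limit": 3},
        {"name": "PrivateKeyDetector"},
    ],
    "results": {},
    "exclude_regex": "",
})

# Assumed list of every plugin a default (no baseline) scan would enable.
ALL_PLUGINS = [
    "AWSKeyDetector",
    "Base64HighEntropyString",
    "BasicAuthDetector",
    "HexHighEntropyString",
    "KeywordDetector",
    "PrivateKeyDetector",
    "SlackDetector",
]


def plugins_from_baseline(baseline_text: str) -> Optional[List[Dict]]:
    """Return the plugin entries persisted in a baseline, or None if absent.

    Entries without a "name" are dropped so a hand-edited baseline cannot
    smuggle in a malformed plugin spec.
    """
    data = json.loads(baseline_text)
    plugins = data.get("plugins_used")
    if not isinstance(plugins, list):
        return None
    return [p for p in plugins if isinstance(p, dict) and "name" in p]


def plugins_for_update(
    baseline_text: str,
    extra: Optional[List[str]] = None,
    use_all: bool = False,
) -> List[Dict]:
    """Decide which plugins an --update scan should run.

    Default: the baseline's own plugin list (with its parameters), plus any
    plugins named in `extra`. With use_all=True, or when the baseline has no
    plugin list, every plugin from ALL_PLUGINS runs with default settings.
    """
    baseline_plugins = plugins_from_baseline(baseline_text)
    if use_all or baseline_plugins is None:
        return [{"name": name} for name in ALL_PLUGINS]

    chosen = [dict(p) for p in baseline_plugins]
    seen = {p["name"] for p in chosen}
    for name in extra or []:
        if name not in ALL_PLUGINS:
            raise ValueError(f"unknown plugin: {name}")
        if name not in seen:
            chosen.append({"name": name})
            seen.add(name)
    return chosen


if __name__ == "__main__":
    for plugin in plugins_for_update(SAMPLE_BASELINE, extra=["KeywordDetector"]):
        print(plugin)
```

With this split, a teammate who runs the update without knowing about the exclude list keeps the three plugins the baseline records, and opting back in to a noisy plugin is an explicit `extra` entry rather than the silent default.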