[Question] What does "hashed_secrets" stand for in the output? #175

Closed
MVrachev opened this issue May 14, 2019 · 3 comments
Labels
question The issue is a technical question related to the project.

Comments

@MVrachev

There is no documentation about this and the name is not really self-explanatory.

@KevinHock
Collaborator

KevinHock commented May 14, 2019

I agree it is one of the more confusing things in the codebase, hashed_secret vs. secret_hash etc.

Succinctly it is the sha1 hash of

  • the content of the secret (secret_hash)
  • the plugin that found it (secret_type)
  • and the name of the file the secret is in (filename).

It does not include the line number of the secret, since that would cause the hash to change all the time.

The way hashed_secret gets set is:

    'hashed_secret': self.secret_hash,

->

    self.secret_hash = self.hash_secret(secret)

->

    def hash_secret(secret):
        """This offers a way to coherently test this class,
        without mocking self.secret_hash.
        :type secret: string
        :rtype: string
        """
        return hashlib.sha1(secret.encode('utf-8')).hexdigest()

->

    def __hash__(self):
        return hash(
            tuple(
                getattr(self, x)
                for x in self.fields_to_compare
            ),
        )

->

    self.fields_to_compare = ['filename', 'secret_hash', 'type']

This fields_to_compare part is especially important, e.g. one time we changed a secret type and it broke all the baselines 😁

@domanchi
Contributor

Something we definitely didn't want to happen is to create a file with all secrets from a repository extracted. This way, you wouldn't be able to share these baselines around, because you'd be just contributing to the problem (secrets in source code).

The hashed_secret field is just the hash of the secret value, to accommodate for this use case.
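
The code quoted in the comments above, assembled into a runnable sketch; this is an added example, not part of the thread or the project's own code. The class name `Finding`, its constructor, the `to_entry` method, the `is_known` helper and the `type` and `line_number` keys are assumptions, and the sample values are constructed. It shows that the stored field is the SHA-1 of the secret value alone, while the identity of a finding depends on `fields_to_compare`, so a line move keeps a match and a type rename breaks it.

```python
import hashlib


def hash_secret(secret):
    """SHA-1 hex digest of the secret value, as in the snippet quoted above."""
    return hashlib.sha1(secret.encode('utf-8')).hexdigest()


class Finding:
    """Hypothetical stand-in for the project's secret class (name assumed)."""

    fields_to_compare = ['filename', 'secret_hash', 'type']

    def __init__(self, type_, filename, secret, lineno):
        self.type = type_
        self.filename = filename
        self.lineno = lineno
        self.secret_hash = hash_secret(secret)  # the plaintext is not kept

    def _key(self):
        # Identity of a finding: only the fields listed in fields_to_compare.
        return tuple(getattr(self, x) for x in self.fields_to_compare)

    def __eq__(self, other):
        return isinstance(other, Finding) and self._key() == other._key()

    def __hash__(self):
        return hash(self._key())

    def to_entry(self):
        # Only the hash is written out; 'type' and 'line_number' are assumed keys.
        return {
            'type': self.type,
            'line_number': self.lineno,
            'hashed_secret': self.secret_hash,
        }


def is_known(finding, baseline):
    """True if a fresh scan result is already recorded in the baseline set."""
    return finding in baseline


# Constructed sample values, not real credentials or real plugin names.
SAMPLE = 'constructed-example-value'
baseline = {Finding('ExamplePlugin', 'config.py', SAMPLE, 10)}
moved = Finding('ExamplePlugin', 'config.py', SAMPLE, 42)    # same secret, new line
retyped = Finding('RenamedPlugin', 'config.py', SAMPLE, 10)  # secret type changed
```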

@MVrachev
Author

MVrachev commented May 15, 2019

Thank you for your answers!
I understand your motivation and idea now but maybe add more documentation about the hashed_secret attribute in the output.

@KevinHock KevinHock added the question The issue is a technical question related to the project. label May 15, 2019