Merge pull request #43 from padok-team/feat/ignore-comments

feat: ignore secrets following gitleaks + trufflehog ignore tags
padok-team · Sep 29, 2023 · 440c906 · 440c906
2 parents c3f5554 + e2acefa
commit 440c906
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 9 deletions.
diff --git a/src/git_secret_scanner/scan.py b/src/git_secret_scanner/scan.py
@@ -8,7 +8,7 @@
 
 from git_secret_scanner import console
 from git_secret_scanner.report import read_report, ReportSecret, ReportWriter
-from git_secret_scanner.scanners import GitleaksScanner, TrufflehogScanner
+from git_secret_scanner.scanners import GitleaksScanner, TrufflehogScanner, is_ignored
 from git_secret_scanner.scm import GitScm
 
 
@@ -64,7 +64,18 @@ def __repository_scan(self: Self, repo: str) -> set[ReportSecret]:
             g_secret = (gitleaks_results & {secret}).pop()
             results.add(ReportSecret.merge(t_secret, g_secret))
 
-        return results
+        # now that we have all our secrets, remove secrets ignored by scanners
+        ignored_secrets: set[ReportSecret] = set()
+        for secret in results:
+            path, line = secret.path, secret.line
+            # if no line were reported, skip (this should never happen in theory...)
+            if line:
+                with Path(destination, path).open('r') as file:
+                    for idx, content in enumerate(file):
+                        if idx == line - 1 and is_ignored(content):
+                            ignored_secrets.add(secret)
+
+        return results - ignored_secrets
 
     def __load_ignored_fingerprints(self: Self) -> set[str]:
         if self.fingerprints_ignore_path is not None:

diff --git a/src/git_secret_scanner/scanners/__init__.py b/src/git_secret_scanner/scanners/__init__.py
@@ -1,5 +1,9 @@
-from .gitleaks import GitleaksScanner
-from .trufflehog import TrufflehogScanner
+from .gitleaks import GitleaksScanner, GITLEAKS_IGNORE_TAG
+from .trufflehog import TrufflehogScanner, TRUFFLEHOG_IGNORE_TAG
 
 
-__all__ = ['GitleaksScanner', 'TrufflehogScanner']
+def is_ignored(line: str) -> bool:
+    return GITLEAKS_IGNORE_TAG in line or TRUFFLEHOG_IGNORE_TAG in line
+
+
+__all__ = ['GitleaksScanner', 'TrufflehogScanner', 'is_ignored']
diff --git a/src/git_secret_scanner/scanners/gitleaks/__init__.py b/src/git_secret_scanner/scanners/gitleaks/__init__.py
@@ -1,4 +1,4 @@
-from .scanner import GitleaksScanner
+from .scanner import GitleaksScanner, GITLEAKS_IGNORE_TAG
 
 
-__all__ = ['GitleaksScanner']
+__all__ = ['GitleaksScanner', 'GITLEAKS_IGNORE_TAG']
diff --git a/src/git_secret_scanner/scanners/gitleaks/scanner.py b/src/git_secret_scanner/scanners/gitleaks/scanner.py
@@ -11,6 +11,9 @@
 from .mapping import GITLEAKS_RULE_TO_SECRET_KIND
 
 
+GITLEAKS_IGNORE_TAG = 'gitleaks:allow'
+
+
 class GitleaksReportItem:
     def __init__(self: Self,
         rule_id: str,

diff --git a/src/git_secret_scanner/scanners/trufflehog/__init__.py b/src/git_secret_scanner/scanners/trufflehog/__init__.py
@@ -1,4 +1,4 @@
-from .scanner import TrufflehogScanner
+from .scanner import TrufflehogScanner, TRUFFLEHOG_IGNORE_TAG
 
 
-__all__ = ['TrufflehogScanner']
+__all__ = ['TrufflehogScanner', 'TRUFFLEHOG_IGNORE_TAG']
diff --git a/src/git_secret_scanner/scanners/trufflehog/scanner.py b/src/git_secret_scanner/scanners/trufflehog/scanner.py
@@ -10,6 +10,9 @@
 from .mapping import TRUFFLEHOG_DETECTOR_TO_SECRET_KIND
 
 
+TRUFFLEHOG_IGNORE_TAG = 'trufflehog:ignore'
+
+
 class TrufflehogReportItem:
     def __init__(self: Self,
         file: str,