Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Add audit baseline functionality#44

Merged
domanchi merged 11 commits into
masterfrom
add-audit-baseline-functionality
Jun 27, 2018
Merged

Add audit baseline functionality#44
domanchi merged 11 commits into
masterfrom
add-audit-baseline-functionality

Conversation

@domanchi
Copy link
Copy Markdown
Contributor

@domanchi domanchi commented Jun 26, 2018

Testing

detect-secrets$ pip install -e .
detect-secrets$ detect-secrets --scan test_data > .secrets.baseline
detect-secrets$ detect-secrets --audit .secrets.baseline

Output

Secrets Left: 1/14
Filename:     test_data/baseline.file
----------
4:  "results": {
5:    "file_with_secrets.py": [
6:      {
7:        "type": "High Entropy String",
8:        "line_number": 3,
9:        "hashed_secret": "262547656a76a8a5d24ad428e7010e0fbb8d0413"
10:      }
11:    ],
12:    "sample.diff": [
13:      {
14:        "type": "High Entropy String",
----------
Is this a valid secret? (y)es, (n)o, (s)kip, (q)uit:

Features

  • Full colored, interactive auditor for secrets found through --scan.
  • Ability to flag both false and true positives within the baseline.
  • Handles case well where baseline's reported line number falls out of sync with actual code.
  • skip allows you to revisit the secret at a later time.
  • Audit sessions can be "saved" by quitting pre-maturely: secrets already audited will not need to be reviewed again.

Backwards Compatibility Considerations

This is a breaking change!

  • Baselines will need to be created in sorted order as well as requiring the plugins_used list with proper initialization args.
  • Private Key Detector now creates a hash of the blacklisted line, rather than the whole line itself. This will require all older baselines with this plugin to be rescanned, to get the new hash.
  • SensitivityValues has been dropped. detect-secrets-server will need to be pinned on an older version, until fixed.

@domanchi domanchi mentioned this pull request Jun 26, 2018
Closed
@KevinHock KevinHock self-requested a review June 26, 2018 20:57
KevinHock
KevinHock approved these changes Jun 26, 2018
View reviewed changes
Copy link
Copy Markdown
Collaborator

@KevinHock KevinHock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM :D

Comment thread detect_secrets/core/audit.py Outdated

current_secret_index += 1

break
Copy link
Copy Markdown
Collaborator

@KevinHock KevinHock Jun 26, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I follow, why only do the first filename here?

Copy link
Copy Markdown
Contributor Author

@domanchi domanchi Jun 26, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, nice catch.

I throw in breaks when testing; looks like I missed a spot.

Comment thread detect_secrets/core/audit.py Outdated
def _secret_generator(baseline):
"""Generates secrets to audit, from the baseline"""
current_secret_index = 1
num_secrets_to_parse = sum(map(
Copy link
Copy Markdown
Collaborator

@KevinHock KevinHock Jun 26, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Maybe add some comments and space it out so there isn't the ))). I initially misread it as map gets all the secrets that don't have an is_secret attribute (i.e. the ones that have not been audited) and adds that number to the number of results in the baseline.

num_secrets_to_parse = sum(
  map(
      lambda filename: len(
        list(
          filter(
              lambda secret: not hasattr(secret, 'is_secret'),
              baseline['results'][filename],
          )
        )
      ),
      baseline['results'],
  )
)

Comment thread detect_secrets/core/audit.py
lineno=0,
)

# There could be more than two secrets on the same line.
Copy link
Copy Markdown
Collaborator

@KevinHock KevinHock Jun 26, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice. :D

Comment thread detect_secrets/core/audit.py Outdated
for raw_secret in plugin.secret_generator(secret_line):
yield raw_secret

# It hits here if the secret has been moved, from the original
Copy link
Copy Markdown
Collaborator

@KevinHock KevinHock Jun 26, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it'd be more pythonic/you wouldn't need a comment (uncle bob 💯 ), if you did for .. else (i.e. if you don't take a break you get a raise.)

Comment thread detect_secrets/core/audit.py
),
x[1],
),
enumerate(output),
Copy link
Copy Markdown
Collaborator

@KevinHock KevinHock Jun 26, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow, woah, this is reel nice 🍰 ⚡️ 💡

@domanchi domanchi force-pushed the add-audit-baseline-functionality branch from 61cf2d5 to b77ceec Compare June 27, 2018 03:50
@domanchi domanchi merged commit a7dc425 into master Jun 27, 2018
@domanchi domanchi deleted the add-audit-baseline-functionality branch June 27, 2018 03:55
@domanchi domanchi mentioned this pull request Jun 27, 2018
Merged
@dcepler dcepler mentioned this pull request Aug 24, 2018
Closed
jfagoagas pushed a commit to jfagoagas/detect-secrets that referenced this pull request Mar 14, 2026
@shamilpatel25
Merge pull request Yelp#44 from shamilpatel25/fixCloudIamTest
7350d36 
resolving IBM Cloud IAM test test_verify_payload_not_json
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@KevinHock KevinHock KevinHock approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@domanchi @KevinHock