Skip to content

feat(output): Only fail secret scans when the secret is introduced #1010

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 3, 2024
Merged

feat(output): Only fail secret scans when the secret is introduced #1010

merged 1 commit into from
Dec 3, 2024

Conversation

@Walz
Copy link
Collaborator

@Walz Walz commented Nov 14, 2024
edited
Loading

Context

Related to SPI-526 and will close #1001

We want to only fail secret scans when the secret is introduced.
New fields have been added to the API to automatically detect if the content is a diff and if the secret has been added, deleted or in the context. (GitGuardian/py-gitguardian#122)

  • Add not_introduced as an ignore reason
  • Make use of diff_kind to ignore policy breaks

diff_kind can be null (outside of commit) or ADDITION/DELETION/CONTEXT. We want to keep only the policy breaks with diff_kind:

  • null => outside of commits, when scanning files or docker layers
  • ADDITION => introduced by a commit

In #1024, a --all-secrets option will allow user to display ignored secrets.

Validation

  • Create a repository
  • Add a secret in commit A
  • Edit the line below the secret in commit B
  • Remove the secret in commit C

When scanning the repository with main: 3 policy breaks are found in commit A, B and C
When scanning with this PR: 1 policy break is found in commit A

PR check list

  • As much as possible, the changes include tests (unit and/or functional)
  • If the changes affect the end user (new feature, behavior change, bug fix) then the PR has a changelog entry (see doc/dev/getting-started.md). If the changes do not affect the end user, then the skip-changelog label has been added to the PR.

@Walz Walz force-pushed the samuel/spi-526-implement-deletion-commit-identification-in-ggshield branch from 455a373 to ee9c949 Compare November 15, 2024 14:51
agateau-gg
agateau-gg requested changes Nov 19, 2024
View reviewed changes
@Walz Walz force-pushed the samuel/spi-526-implement-deletion-commit-identification-in-ggshield branch from ee9c949 to db52127 Compare November 20, 2024 16:38
@Walz Walz force-pushed the samuel/spi-526-implement-deletion-commit-identification-in-ggshield branch from db52127 to f838e67 Compare November 29, 2024 14:54
@GitGuardian GitGuardian deleted a comment from gitguardian bot Nov 29, 2024
@GitGuardian GitGuardian deleted a comment from gitguardian bot Nov 29, 2024
@GitGuardian GitGuardian deleted a comment from codecov bot Nov 29, 2024
@codecov
Copy link

codecov bot commented Nov 29, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.03%. Comparing base (6427d8f) to head (b34d264).
Report is 2 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #1010   +/-   ##
=======================================
  Coverage   92.03%   92.03%           
=======================================
  Files         181      181           
  Lines        7706     7708    +2     
=======================================
+ Hits         7092     7094    +2     
  Misses        614      614
Flag Coverage Δ
unittests 92.03% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@Walz
Copy link
Collaborator Author

Walz commented Nov 29, 2024
edited
Loading

Thanks to #1016, this PR is a lot simpler now.

@Walz Walz requested a review from agateau-gg November 29, 2024 14:58
@Walz Walz force-pushed the samuel/spi-526-implement-deletion-commit-identification-in-ggshield branch from f838e67 to b34d264 Compare November 29, 2024 14:58
@gitguardian
Copy link

gitguardian bot commented Nov 29, 2024

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
Once a secret has been leaked into a git repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.

🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@Walz Walz marked this pull request as ready for review December 2, 2024 14:06
@Walz Walz requested a review from a team as a code owner December 2, 2024 14:06
@Walz Walz requested review from agateau-gg and removed request for agateau-gg December 3, 2024 09:24
agateau-gg
agateau-gg approved these changes Dec 3, 2024
View reviewed changes
Copy link
Collaborator

@agateau-gg agateau-gg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! And thanks for the great PR description ✨.

@agateau-gg agateau-gg merged commit ee56436 into main Dec 3, 2024
33 checks passed
@agateau-gg agateau-gg deleted the samuel/spi-526-implement-deletion-commit-identification-in-ggshield branch December 3, 2024 13:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@agateau-gg agateau-gg agateau-gg approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[FEATURE] Fail only upon adding a secret (not when removing or when a secret is on the line above or below).

3 participants

@Walz @agateau-gg