🔄 Merge branch 'master' into upgrade_keyword_detector

Yelp · Dec 28, 2018 · 76ddcdf · 76ddcdf
2 parents b7e48ab + 1415b4b
commit 76ddcdf
Show file tree

Hide file tree

Showing 21 changed files with 278 additions and 276 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -1,11 +1,17 @@
 {
-  "exclude_regex": "test_data/.*|tests/.*",
-  "generated_at": "2018-07-12T23:20:29Z",
+  "exclude_regex": "test_data/.*|tests/.*|^.secrets.baseline$",
+  "generated_at": "2018-12-21T22:29:02Z",
   "plugins_used": [
+    {
+      "name": "AWSKeyDetector"
+    },
     {
       "base64_limit": 4.5,
       "name": "Base64HighEntropyString"
     },
+    {
+      "name": "BasicAuthDetector"
+    },
     {
       "hex_limit": 3,
       "name": "HexHighEntropyString"
@@ -15,58 +21,70 @@
     }
   ],
   "results": {
+    "README.md": [
+      {
+        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+        "line_number": 153,
+        "type": "Basic Auth Credentials"
+      }
+    ],
     "detect_secrets/plugins/high_entropy_strings.py": [
       {
         "hashed_secret": "88a7b59d2e9172960b72b65f7839b9da2453f3e9",
         "is_secret": false,
-        "line_number": 215,
+        "line_number": 261,
         "type": "Hex High Entropy String"
       }
     ],
     "detect_secrets/plugins/private_key.py": [
       {
         "hashed_secret": "be4fc4886bd949b369d5e092eb87494f12e57e5b",
         "is_secret": false,
-        "line_number": 34,
+        "line_number": 43,
         "type": "Private Key"
       },
       {
         "hashed_secret": "daefe0b4345a654580dcad25c7c11ff4c944a8c0",
         "is_secret": false,
-        "line_number": 35,
+        "line_number": 44,
         "type": "Private Key"
       },
       {
         "hashed_secret": "f0778f3e140a61d5bbbed5430773e52af2f5fba4",
         "is_secret": false,
-        "line_number": 36,
+        "line_number": 45,
         "type": "Private Key"
       },
       {
         "hashed_secret": "27c6929aef41ae2bcadac15ca6abcaff72cda9cd",
         "is_secret": false,
-        "line_number": 37,
+        "line_number": 46,
         "type": "Private Key"
       },
       {
         "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9",
         "is_secret": false,
-        "line_number": 38,
+        "line_number": 47,
         "type": "Private Key"
       },
       {
         "hashed_secret": "11200d1bf5e1eb358b5d823c443347d97e982a85",
         "is_secret": false,
-        "line_number": 39,
+        "line_number": 48,
         "type": "Private Key"
       },
       {
         "hashed_secret": "9279619d0c9a9529b0b223e3b809f4df24b8ba8b",
         "is_secret": false,
-        "line_number": 40,
+        "line_number": 49,
+        "type": "Private Key"
+      },
+      {
+        "hashed_secret": "4ada9713ec27066b2ffe0b7bd9c9c8d635dc4ab2",
+        "line_number": 50,
         "type": "Private Key"
       }
     ]
   },
-  "version": "0.9.1"
+  "version": "0.11.0"
 }
diff --git a/README.md b/README.md
@@ -92,7 +92,7 @@ either the client-side pre-commit hook, or the server-side secret scanner.
 3. **Secrets Baseline**, to whitelist pre-existing secrets in the repository,
    so that they won't be continuously caught through scan iterations.
 
-### Client-side Pre-commit Hook
+### Client-side `pre-commit` Hook
 
 See [pre-commit](https://github.com/pre-commit/pre-commit) for instructions
 to install the pre-commit framework. The example usage above has a sample
@@ -119,26 +119,21 @@ as your pre-commit hook, and server-side secret scanner!
 
 #### Inline Whitelisting
 
-Another way of whitelisting secrets is through the inline comment
-`# pragma: whitelist secret`.
-
-For example:
+To tell `detect-secrets` to ignore a particular line of code, simply append an
+inline `pragma: whitelist secret` comment. For example:
 
+```python
+API_KEY = "blah-blah-but-actually-not-secret"  # pragma: whitelist secret
+print('hello world')
 ```
-API_KEY = "blah-blah-but-actually-not-secret" # pragma: whitelist secret
-
-def main():
-    print('hello world')
 
-if __name__ == '__main__'
-    main()
-```
+Inline commenting syntax for a multitude of languages is supported.
 
 This may be a convenient way for you to whitelist secrets, without having to
 regenerate the entire baseline again. Furthermore, this makes the whitelisted
 secrets easily searchable, auditable, and maintainable.
 
-## Current Supported Plugins
+## Currently Supported Plugins
 
 The current heuristic searches we implement out of the box include:
 
@@ -158,7 +153,7 @@ See [detect_secrets/
 plugins](https://github.com/Yelp/detect-secrets/tree/master/detect_secrets/plugins)
 for more details.
 
-## A Few Caveats
+## Caveats
 
 This is not meant to be a sure-fire solution to prevent secrets from entering
 the codebase. Only proper developer education can truly do that. This pre-commit
@@ -168,7 +163,7 @@ committing secrets.
 ### Things that won't be prevented
 
 * Multi-line secrets
-* Default passwords that do not trigger the `KeywordDetector` (e.g. `paaassword = "paaassword"`)
+* Default passwords that do not trigger the `KeywordDetector` (e.g. `login = "hunter2"`)
 
 ### Plugin Configuration
 

diff --git a/detect_secrets/core/audit.py b/detect_secrets/core/audit.py
@@ -14,8 +14,8 @@
 from .baseline import format_baseline_for_output
 from .baseline import merge_results
 from .bidirectional_iterator import BidirectionalIterator
-from .color import BashColor
-from .color import Color
+from .color import AnsiColor
+from .color import colorize
 from .potential_secret import PotentialSecret
 
 
@@ -132,17 +132,17 @@ def compare_baselines(old_baseline_filename, new_baseline_filename):
         if is_removed:
             plugins_used = old_baseline['plugins_used']
             header = header.format(
-                BashColor.color('Status:', Color.BOLD),
+                colorize('Status:', AnsiColor.BOLD),
                 '>> {} <<'.format(
-                    BashColor.color('REMOVED', Color.RED),
+                    colorize('REMOVED', AnsiColor.RED),
                 ),
             )
         else:
             plugins_used = new_baseline['plugins_used']
             header = header.format(
-                BashColor.color('Status:', Color.BOLD),
+                colorize('Status:', AnsiColor.BOLD),
                 '>> {} <<'.format(
-                    BashColor.color('ADDED', Color.LIGHT_GREEN),
+                    colorize('ADDED', AnsiColor.LIGHT_GREEN),
                 ),
             )
 
@@ -347,14 +347,14 @@ def _print_context(     # pragma: no cover
     :raises: SecretNotFoundOnSpecifiedLineError
     """
     print('{} {} {} {}\n{} {}\n{} {}'.format(
-        BashColor.color('Secret:     ', Color.BOLD),
-        BashColor.color(str(count), Color.PURPLE),
-        BashColor.color('of', Color.BOLD),
-        BashColor.color(str(total), Color.PURPLE),
-        BashColor.color('Filename:   ', Color.BOLD),
-        BashColor.color(filename, Color.PURPLE),
-        BashColor.color('Secret Type:', Color.BOLD),
-        BashColor.color(secret['type'], Color.PURPLE),
+        colorize('Secret:     ', AnsiColor.BOLD),
+        colorize(str(count), AnsiColor.PURPLE),
+        colorize('of', AnsiColor.BOLD),
+        colorize(str(total), AnsiColor.PURPLE),
+        colorize('Filename:   ', AnsiColor.BOLD),
+        colorize(filename, AnsiColor.PURPLE),
+        colorize('Secret Type:', AnsiColor.BOLD),
+        colorize(secret['type'], AnsiColor.PURPLE),
     ))
     if additional_header_lines:
         print(additional_header_lines)
@@ -499,19 +499,19 @@ def _get_secret_with_context(
             raise
 
         output[index_of_secret_in_output] = '{}'.format(
-            BashColor.color(
+            colorize(
                 output[index_of_secret_in_output],
-                Color.BOLD,
+                AnsiColor.BOLD,
             ),
         )
 
     # Adding line numbers
     return '\n'.join(
         map(
             lambda x: '{}:{}'.format(
-                BashColor.color(
+                colorize(
                     str(int(x[0]) + start_line),
-                    Color.LIGHT_GREEN,
+                    AnsiColor.LIGHT_GREEN,
                 ),
                 x[1],
             ),
@@ -574,11 +574,11 @@ def _highlight_secret(
     end_of_secret = index_of_secret + len(raw_secret)
     return '{}{}{}'.format(
         secret_line[:index_of_secret],
-        BashColor.color(
+        colorize(
             # copy the secret out of the line because .lower() from secret
             # generator may be different from the original value:
             secret_line[index_of_secret:end_of_secret],
-            Color.RED_BACKGROUND,
+            AnsiColor.RED_BACKGROUND,
         ),
         secret_line[index_of_secret + len(raw_secret):],
     )

diff --git a/detect_secrets/core/color.py b/detect_secrets/core/color.py
@@ -1,44 +1,18 @@
 from enum import Enum
 
 
-class Color(Enum):
-    NORMAL = '[0m'
+class AnsiColor(Enum):
+    RESET = '[0m'
     BOLD = '[1m'
-
     RED = '[91m'
     RED_BACKGROUND = '[41m'
     LIGHT_GREEN = '[92m'
     PURPLE = '[95m'
 
 
-class _BashColor(object):
-
-    PREFIX = '\033'
-
-    def __init__(self):
-        self.DISABLED = False
-
-    def enable_color(self):
-        self.DISABLED = False
-
-    def disable_color(self):
-        self.DISABLED = True
-
-    def color(self, text, color):
-        """
-        :type text: str
-        :param text: the text to colorize
-
-        :type color: Color
-        :param color: the color to make the text
-
-        :returns: colored string
-        """
-        if self.DISABLED:
-            return text
-
-        return self.PREFIX + color.value + text + \
-            self.PREFIX + Color.NORMAL.value
-
-
-BashColor = _BashColor()
+def colorize(text, color):
+    return '\x1b{}{}\x1b{}'.format(
+        color.value,
+        text,
+        AnsiColor.RESET.value,
+    )
diff --git a/detect_secrets/main.py b/detect_secrets/main.py
@@ -133,7 +133,7 @@ def _get_existing_baseline(import_filename):
             return json.loads(stdin)
 
 
-def _read_from_file(filename):
+def _read_from_file(filename):  # pragma: no cover
     """Used for mocking."""
     with open(filename) as f:
         return json.loads(f.read())

diff --git a/detect_secrets/plugins/aws.py b/detect_secrets/plugins/aws.py
@@ -9,7 +9,7 @@
 
 
 class AWSKeyDetector(RegexBasedDetector):
-    secret_type = 'AWS key'
+    secret_type = 'AWS Access Key'
     blacklist = (
         re.compile(r'AKIA[0-9A-Z]{16}'),
     )
diff --git a/detect_secrets/plugins/base.py b/detect_secrets/plugins/base.py
@@ -3,7 +3,7 @@
 from abc import abstractproperty
 
 from detect_secrets.core.potential_secret import PotentialSecret
-from detect_secrets.plugins.core.constants import WHITELIST_REGEX
+from detect_secrets.plugins.core.constants import WHITELIST_REGEXES
 
 
 class BasePlugin(object):
@@ -27,7 +27,7 @@ def analyze(self, file, filename):
         """
         potential_secrets = {}
         for line_num, line in enumerate(file.readlines(), start=1):
-            if WHITELIST_REGEX.search(line):
+            if any(regex.search(line) for regex in WHITELIST_REGEXES):
                 continue
             secrets = self.analyze_string(line, line_num, filename)
             potential_secrets.update(secrets)
@@ -129,5 +129,5 @@ def analyze_string(self, string, line_num, filename):
 
     def secret_generator(self, string):
         for regex in self.blacklist:
-            if regex.search(string):
-                yield regex.pattern
+            for match in regex.findall(string):
+                yield match