Merge pull request #65 from Yelp/60_pre_commit_removes_is_secret

Fix "pre-commit hook removes audited secrets" and verbosity overflow
Yelp · Jul 31, 2018 · 7cbb139 · 7cbb139
2 parents 8c2d022 + 710d96e
commit 7cbb139
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 10 deletions.
diff --git a/detect_secrets/core/log.py b/detect_secrets/core/log.py
@@ -43,7 +43,9 @@ def _set_debug_level(self, debug_level):
         2: logging.DEBUG,
     }
 
-    self.setLevel(mapping[debug_level])
+    self.setLevel(
+        mapping[min(debug_level, 2)],
+    )
 
 
 log = get_logger()
diff --git a/detect_secrets/core/potential_secret.py b/detect_secrets/core/potential_secret.py
@@ -14,12 +14,19 @@ class PotentialSecret(object):
     without actually knowing what the secret is.
     """
 
-    def __init__(self, typ, filename, lineno, secret):
+    def __init__(
+        self,
+        typ,
+        filename,
+        lineno,
+        secret,
+        is_secret=None,
+    ):
         """
         :type typ: str
         :param typ: human-readable secret type, defined by the plugin
                     that generated this PotentialSecret.
-                    Eg. "High Entropy String"
+                    e.g. "High Entropy String"
 
         :type filename: str
         :param filename: name of file that this secret was found
@@ -30,11 +37,15 @@ def __init__(self, typ, filename, lineno, secret):
 
         :type secret: str
         :param secret: the actual secret identified
+
+        :type is_secret: bool|None
+        :param is_secret: whether or not the secret is a true- or false- positive
         """
         self.type = typ
         self.filename = filename
         self.lineno = lineno
         self.secret_hash = self.hash_secret(secret)
+        self.is_secret = is_secret
 
         # If two PotentialSecrets have the same values for these fields,
         # they are considered equal. Note that line numbers aren't included
@@ -60,6 +71,9 @@ def json(self):
             'hashed_secret': self.secret_hash,
         }
 
+        if self.is_secret is not None:
+            attributes['is_secret'] = self.is_secret
+
         return attributes
 
     def __eq__(self, other):
@@ -80,9 +94,7 @@ def __str__(self):  # pragma: no cover
         return (
             "Secret Type: %s\n"
             "Location:    %s:%d\n"
-            # "Hash:        %s\n"
         ) % (
             self.type,
             self.filename, self.lineno,
-            # self.secret_hash
         )
diff --git a/detect_secrets/core/secrets_collection.py b/detect_secrets/core/secrets_collection.py
@@ -89,7 +89,8 @@ def _load_baseline_from_dict(cls, data):
                     item['type'],
                     filename,
                     item['line_number'],
-                    'will be replaced',
+                    secret='will be replaced',
+                    is_secret=item.get('is_secret'),
                 )
                 secret.secret_hash = item['hashed_secret']
                 result.data[filename][secret] = secret
@@ -111,7 +112,7 @@ def scan_diff(
 
         :type diff: str
         :param diff: diff string.
-                     Eg. The output of `git diff <fileA> <fileB>`
+                     e.g. The output of `git diff <fileA> <fileB>`
 
         :type baseline_filename: str
         :param baseline_filename: if there are any baseline secrets, then the baseline
@@ -311,7 +312,7 @@ def json(self):
 
             for secret_hash in self.data[filename]:
                 tmp = self.data[filename][secret_hash].json()
-                del tmp['filename']     # not necessary
+                del tmp['filename']  # not necessary
 
                 output[filename].append(tmp)
 

diff --git a/detect_secrets/core/usage.py b/detect_secrets/core/usage.py
@@ -151,7 +151,7 @@ class PluginDescriptor(namedtuple(
         # Classname of plugin; used for initialization
         'classname',
 
-        # Flag to disable plugin. Eg. `--no-hex-string-scan`
+        # Flag to disable plugin. e.g. `--no-hex-string-scan`
         'disable_flag_text',
 
         # Description for disable flag.

diff --git a/detect_secrets/plugins/core/ini_file_parser.py b/detect_secrets/plugins/core/ini_file_parser.py
@@ -37,7 +37,7 @@ def _get_value_and_line_offset(self, key, values):
 
         :type values: str
         :param values: values for key, in config file. This is plural,
-            because you can have multiple values per key. Eg.
+            because you can have multiple values per key. e.g.
 
             >>> key =
             ...     value1

diff --git a/tests/pre_commit_hook_test.py b/tests/pre_commit_hook_test.py
@@ -200,6 +200,7 @@ def _create_baseline():
             'test_data/files/file_with_secrets.py': [
                 {
                     'type': 'Base64 High Entropy String',
+                    'is_secret': True,
                     'line_number': 3,
                     'hashed_secret': PotentialSecret.hash_secret(base64_secret),
                 },