Merge pull request #620 from Yelp/dakranj-611-fix-audit-report-failing

Fix audit report that verifies a secret
Yelp · Sep 27, 2022 · b32a53f · b32a53f
2 parents 0dcd54c + 07e8244
commit b32a53f
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 2 deletions.
diff --git a/detect_secrets/audit/common.py b/detect_secrets/audit/common.py
@@ -19,6 +19,7 @@
 from ..transformers import get_transformed_file
 from ..types import NamedIO
 from ..util.inject import call_function_with_arguments
+from detect_secrets.util.code_snippet import get_code_snippet
 
 
 def get_baseline_from_file(filename: str) -> SecretsCollection:
@@ -91,6 +92,7 @@ def get_raw_secrets_from_file(
             line_numbers = list(range(len(lines_to_scan)))
 
         for line_number, line in zip(line_numbers, lines_to_scan):
+            context = get_code_snippet(lines=line_getter.lines, line_number=line_number + 1)
             identified_secrets = call_function_with_arguments(
                 plugin.analyze_line,
                 filename=secret.filename,
@@ -100,6 +102,7 @@ def get_raw_secrets_from_file(
                 # We enable eager search, because we *know* there's a secret here -- the baseline
                 # flagged it after all.
                 enable_eager_search=bool(secret.line_number),
+                context=context,
             )
 
             for identified_secret in (identified_secrets or []):

diff --git a/tests/audit/report_test.py b/tests/audit/report_test.py
@@ -10,6 +10,7 @@
 from detect_secrets.constants import VerifiedResult
 from detect_secrets.core import baseline
 from detect_secrets.core.secrets_collection import SecretsCollection
+from detect_secrets.plugins.aws import AWSKeyDetector
 from detect_secrets.plugins.basic_auth import BasicAuthDetector
 from detect_secrets.plugins.jwt import JwtTokenDetector
 from detect_secrets.settings import transient_settings
@@ -20,13 +21,14 @@
 first_secret = 'value1'
 second_secret = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ'  # noqa: E501
 random_secret = ''.join(random.choice(string.ascii_letters) for _ in range(8))
+aws_secret = 'AKIAZZZZZZZZZZZZZZZZ'
 
 
 @pytest.mark.parametrize(
     'class_to_print, expected_real, expected_false, expected_output',
     [
         (
-            None, 3, 1,
+            None, 4, 1,
             {
                 'results': [
                     {
@@ -71,11 +73,21 @@
                             BasicAuthDetector.secret_type,
                         ],
                     },
+                    {
+                        'category': 'VERIFIED_TRUE',
+                        'lines': {
+                            1: 'aws_access_key = {}'.format(aws_secret),
+                        },
+                        'secrets': aws_secret,
+                        'types': [
+                            AWSKeyDetector.secret_type,
+                        ],
+                    },
                 ],
             },
         ),
         (
-            SecretClassToPrint.REAL_SECRET, 3, 0,
+            SecretClassToPrint.REAL_SECRET, 4, 0,
             {
                 'results': [
                     {
@@ -109,6 +121,16 @@
                             JwtTokenDetector.secret_type,
                         ],
                     },
+                    {
+                        'category': 'VERIFIED_TRUE',
+                        'lines': {
+                            1: 'aws_access_key = {}'.format(aws_secret),
+                        },
+                        'secrets': aws_secret,
+                        'types': [
+                            AWSKeyDetector.secret_type,
+                        ],
+                    },
                 ],
             },
         ),
@@ -193,27 +215,41 @@ def baseline_file():
         url = {url_format.format(second_secret)}
         example = {url_format.format(random_secret)}
     """)[1:]
+    third_content = textwrap.dedent(f"""
+        aws_access_key = {aws_secret}
+    """)[1:]
 
     with create_file_with_content(first_content) as first_file, \
             create_file_with_content(second_content) as second_file, \
+            create_file_with_content(third_content) as third_file, \
             mock_named_temporary_file() as baseline_file, \
             transient_settings({
                 'plugins_used': [
                     {'name': 'BasicAuthDetector'},
                     {'name': 'JwtTokenDetector'},
+                    {'name': 'AWSKeyDetector'},
 
                 ],
+                'filters_used': [
+                    {
+                        'path':
+                            'detect_secrets.filters.common.is_ignored_due_to_verification_policies',
+                        'min_level': 2,
+                    },
+                ],
             }):
         secrets = SecretsCollection()
         secrets.scan_file(first_file)
         secrets.scan_file(second_file)
+        secrets.scan_file(third_file)
         labels = {
             (first_file, BasicAuthDetector.secret_type, 1): True,
             (first_file, BasicAuthDetector.secret_type, 2): None,
             (first_file, BasicAuthDetector.secret_type, 3): True,
             (second_file, JwtTokenDetector.secret_type, 1): True,
             (second_file, BasicAuthDetector.secret_type, 1): False,
             (second_file, BasicAuthDetector.secret_type, 2): False,
+            (third_file, AWSKeyDetector.secret_type, 1): True,
         }
         for item in secrets:
             _, secret = item