
Reports commented line as an issue #182

Closed
MVrachev opened this issue May 20, 2019 · 5 comments
Labels
question The issue is a technical question related to the project.

Comments

@MVrachev

MVrachev commented May 20, 2019

I have my file test.js.
I use it to run different tests to understand how detect-secrets works.

When I scan this file with the command:
detect-secrets scan test.js

I get as a result:

  "results": {
    "test.js": [
      {
        "hashed_secret": "edbd2994e5980ce68a498791abc1fb9c40f6bb43",
        "line_number": 13,
        "type": "Secret Keyword"
      },
      {
        "hashed_secret": "daefe0b4345a654580dcad25c7c11ff4c944a8c0",
        "line_number": 68,
        "type": "Private Key"
      },
      {
        "hashed_secret": "99b5e14eaf6b7cd863796dab48ae736be2ac6b53",
        "line_number": 77,
        "type": "Basic Auth Credentials"
      }
    ]
  },

The problems on lines 13 and 68 are real, but not the one on line 77.

On line 77 I have:
// let basic_auth = 'http://username:whywouldyouusehttpforpasswords@example.com'

Node.js version: v11.9.0

detect-secrets version: 0.12.2

@MVrachev MVrachev changed the title from "[Bug] Reports commented line as an issue" to "Reports commented line as an issue" on May 20, 2019
@dgzlopes
Contributor

dgzlopes commented May 20, 2019

Hi! You have to use the // pragma: whitelist secret comment for ignoring a particular line of code (Inline Whitelisting on README.md). As a note, support for text after inline whitelisting comments was added on 0.12.3, so maybe you should update.

On the other hand, testing it right now with pragma seems to behave badly, as this returns a secret:

// pragma: whitelist secret let basic_auth = 'http://username:whywouldyouusehttpforpasswords@example.com'

But this works fine:

// pragma: whitelist secret let basic_auth = 'http://username:@example.com'

From checking this briefly, whitelisting fails when we have a secret inside a whitelisted comment.

@killuazhu
Contributor

killuazhu commented May 20, 2019

@dgzlopes The inline comment needs to be on the same line. For your case, you can use

let basic_auth = 'http://username:@example.com' // pragma: whitelist secret

@dgzlopes
Contributor

dgzlopes commented May 20, 2019

Yep @killuazhu, but support for text after inline whitelisting was added (here [0]) so both examples should work! But the first one doesn't work as expected.

I mean, this actually works fine on the latest version (by working fine I mean the additional text is omitted):

// pragma: whitelist secret let basic_auth = 'http://username:@example.com'

[0] #168

@dgzlopes
Contributor

dgzlopes commented May 20, 2019

Obviously, the 'common case' is:

var key = "pass" # pragma: whitelist secret

or with after text:

var key = "pass" # pragma: whitelist secret some text

But in the edge case of having a key (this is just an example, but I mean a detect-secrets detectable key) in the comment, it doesn't work:

var key = "pass" # pragma: whitelist secret youusehttpforpasswords

Maybe this needs a look?
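To make the two pragma behaviours discussed in this thread concrete, here is an added illustration (not detect-secrets' own code; the detector and pragma regexes are simplified stand-ins, and the scanned lines are constructed from the examples above). It contrasts a strict pragma check that requires the pragma at the end of the line with a lenient one that tolerates trailing text, which is the behaviour the thread says #168 introduced, and shows that the lenient check must not depend on what the trailing text contains.

```python
import re

# Constructed stand-in for a basic-auth detector: "scheme://user:password@host"
# with a non-empty password. Not detect-secrets' real plugin regex.
BASIC_AUTH_RE = re.compile(r"://[^\s:@/]+:[^\s@/]+@")

# Inline whitelist pragma after a comment marker (#, // or /*).
# Strict: nothing may follow the pragma on the line.
STRICT_PRAGMA_RE = re.compile(
    r"(#|//|/\*)\s*pragma:\s?whitelist[ -]secret\s*(\*/)?\s*$"
)
# Lenient: the pragma whitelists the line regardless of any trailing text,
# so a detectable-looking value after the pragma is irrelevant.
LENIENT_PRAGMA_RE = re.compile(r"(#|//|/\*)\s*pragma:\s?whitelist[ -]secret")


def scan_line(line, lenient=True):
    """Return the basic-auth match found on the line, or None if the line
    is clean or carries an inline whitelist pragma."""
    pragma = LENIENT_PRAGMA_RE if lenient else STRICT_PRAGMA_RE
    if pragma.search(line):
        return None
    match = BASIC_AUTH_RE.search(line)
    return match.group(0) if match else None


def scan_lines(lines, lenient=True):
    """Map 1-based line numbers to findings, like the 'results' listing above."""
    findings = {}
    for number, line in enumerate(lines, start=1):
        secret = scan_line(line, lenient)
        if secret is not None:
            findings[number] = secret
    return findings


# Constructed sample: a commented-out credential (still flagged, as MVrachev
# argues it should be), a pragma at end of line, and a pragma with trailing
# text that itself looks like a credential (the failing case in the thread).
SAMPLE = [
    "// let basic_auth = 'http://username:whywouldyouusehttpforpasswords@example.com'",
    "let basic_auth = 'http://username:s3cret@example.com' // pragma: whitelist secret",
    "// pragma: whitelist secret let basic_auth = 'http://username:whywouldyouusehttpforpasswords@example.com'",
]

if __name__ == "__main__":
    print("strict :", scan_lines(SAMPLE, lenient=False))   # flags lines 1 and 3
    print("lenient:", scan_lines(SAMPLE, lenient=True))    # flags only line 1
```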

@MVrachev
Author

Thank you both for your responses!
Even if the code is commented out, it can still contain hardcoded credentials, and it makes sense that detect-secrets scans such code and skips it only through a specific comment.

@KevinHock KevinHock added the question The issue is a technical question related to the project. label May 22, 2019
killuazhu pushed a commit to IBM/detect-secrets that referenced this issue May 28, 2020
* Flag to output verified false tokens

Supports git-defenders/detect-secrets-discuss/issues/166

* Simplify usage description for flag

* Test code

* Addressed @xianjun second comment

* Addressed @xianjun comments

* Fixes after testing

* Address comments
killuazhu pushed a commit to IBM/detect-secrets that referenced this issue Jul 9, 2020
This issue was closed.