
--baseline <FILE> returns no results #183

Closed
lirantal opened this issue May 21, 2019 · 5 comments
Labels
question The issue is a technical question related to the project.

Comments

@lirantal
Contributor

I'm running detect-secrets-hook from a container with the current directory mounted. What would be some reasons that when I add a baseline I get no results and no error at all, but when I remove it and leave just the file name, such as `detect-secrets-hook something.json`, it reports correctly?

What could be the reasons for that?
I'm using version 0.12.2.

@domanchi
Contributor

Hi @lirantal,

Can you post a stack trace or example invocation so that we can better debug it?

@lirantal
Contributor Author

@domanchi sure, how can I provide you with a stack trace or anything useful to debug it?

As a reminder, I installed detect-secrets in a container and mounted the top-level directory (the one containing .git) as a volume there. When I run it without the baseline I get this kind of output:

root@b4fd6c41d694:/usr/src/app/server# detect-secrets-hook a.js
Potential secrets about to be committed to git repo! Please rectify or
explicitly ignore with an inline `pragma: whitelist secret` comment.

Secret Type: Secret Keyword
Location:    a.js:3

Secret Type: Secret Keyword
Location:    a.js:6

Possible mitigations:

  - For information about putting your secrets in a safer place,
    please ask in #security
  - Mark false positives with an inline `pragma: whitelist secret`
    comment
  - Commit with `--no-verify` if this is a one-time false positive

If a secret has already been committed, visit
https://help.github.com/articles/removing-sensitive-data-from-a-
repository

With the baseline I get nothing printed:

root@b4fd6c41d694:/usr/src/app/server# detect-secrets-hook --baseline .secrets-baseline a.js
root@b4fd6c41d694:/usr/src/app/server#

However, when I run the same baseline command from the host machine (not inside a container) it works fine.

@lirantal
Contributor Author

One difference that I now noticed is:

  1. Locally on my host I have python 2.7 and detect-secrets 0.12.2 installed
  2. On the docker container I have python 3.7 and detect-secrets 0.12.3

@domanchi
Contributor

The output you provided helps!

My hypothesis is that this is expected behavior. The detect-secrets-hook is meant to be used as a pre-commit hook, and will only complain if things are found. However, if a baseline is provided, it will ignore the secrets provided in the baseline.

Methods to check whether my hypothesis is accurate:

  • Does your baseline contain the secrets found on a.js:3 and a.js:6?
  • If you manually edit your baseline, and remove one of those secrets, will the detect-secrets-hook complain?
  • If you print the error code, it should be 0.

root@b4fd6c41d694:/usr/src/app/server# detect-secrets-hook --baseline .secrets-baseline a.js
root@b4fd6c41d694:/usr/src/app/server# echo $?
0

@KevinHock KevinHock added the question The issue is a technical question related to the project. label May 22, 2019
@lirantal
Contributor Author

I realized the issue is that I didn't have git available in the docker image, and that was the source of the silent failures. This is now working well and we can close the issue.

I have a docker image bundling this for easy compatibility, so you can now do something like:

docker run -it --rm --name detect-secrets --volume `pwd`:/usr/src/app lirantal/detect-secrets "src/index.js" "src/component.js"
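The behaviour @domanchi describes above (the hook exits 1 and lists findings, but with `--baseline` it drops every finding already recorded and exits 0 when nothing new remains) and the root cause @lirantal found (git missing from the image, so the hook could not do its job) are modelled in the following added example. It is not detect-secrets' own code. Assumptions of mine, not taken from the thread: the baseline shape (`results` keyed by filename, each entry carrying `type`, `line_number` and `hashed_secret`) is an approximation of the 0.12-era format; the keyword regex is a toy stand-in for the real Secret Keyword plugin; and baseline matching is done on (type, filename, hashed_secret) rather than line number, which is how I understand the real comparison to work. The sample `a.js` is constructed so that its secrets sit on lines 3 and 6 like the report's.

```python
"""Added example, not detect-secrets' own code: a minimal model of
detect-secrets-hook with and without --baseline, plus a pre-flight check
that refuses to run when git is absent instead of silently succeeding."""
import hashlib
import json
import re
import shutil

# Toy "Secret Keyword" detector (assumed, not the real plugin): a
# password/secret/token/api_key name assigned a quoted literal.
KEYWORD_RE = re.compile(
    r"""(?i)\b(password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*['"]([^'"]+)['"]"""
)

# Constructed sample file; secrets sit on lines 3 and 6 like the report's a.js.
SAMPLE_A_JS = """\
// constructed sample, not the reporter's real file
const config = {
  password: 'hunter2',
  host: 'db.internal',
  port: 5432,
  api_key: 'AKIA-not-a-real-key',
};
"""


def scan_lines(filename, lines):
    """Return findings as (type, filename, line_number, hashed_secret)."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = KEYWORD_RE.search(line)
        if match:
            # Baselines store a hash of the secret, never the secret itself.
            digest = hashlib.sha1(match.group(2).encode()).hexdigest()
            findings.append(("Secret Keyword", filename, number, digest))
    return findings


def make_baseline(filename, lines):
    """Shape a scan result like a baseline file (assumed 0.12-era layout)."""
    results = {}
    for kind, fname, number, digest in scan_lines(filename, lines):
        results.setdefault(fname, []).append(
            {"type": kind, "line_number": number, "hashed_secret": digest}
        )
    return {"version": "0.12.3", "results": results}


def baseline_keys(baseline):
    """(type, filename, hashed_secret) triples the baseline already knows.
    Line numbers are deliberately left out so edits above a secret do not
    re-trigger the hook (assumed to mirror the real comparison)."""
    return {
        (entry["type"], fname, entry["hashed_secret"])
        for fname, entries in baseline.get("results", {}).items()
        for entry in entries
    }


def hook_exit_code(filename, lines, baseline=None):
    """Mimic detect-secrets-hook: print findings not in the baseline and
    return 1 if there are any, otherwise 0 (so a baselined file is silent)."""
    findings = scan_lines(filename, lines)
    if baseline is not None:
        known = baseline_keys(baseline)
        findings = [f for f in findings if (f[0], f[1], f[3]) not in known]
    for kind, fname, number, _ in findings:
        print(f"Secret Type: {kind}\nLocation:    {fname}:{number}\n")
    return 1 if findings else 0


def preflight():
    """Fail loudly when git is missing from the image; the hook needs it."""
    if shutil.which("git") is None:
        raise RuntimeError("git not found on PATH: install it in the image")


if __name__ == "__main__":
    preflight()
    lines = SAMPLE_A_JS.splitlines()
    print("no baseline ->", hook_exit_code("a.js", lines))
    # Round-trip through JSON as `detect-secrets scan > .secrets-baseline` would.
    baseline = json.loads(json.dumps(make_baseline("a.js", lines), indent=2))
    print("with baseline ->", hook_exit_code("a.js", lines, baseline))
    # domanchi's second check: remove one entry and the hook complains again.
    baseline["results"]["a.js"].pop()
    print("one entry removed ->", hook_exit_code("a.js", lines, baseline))
```

Run stand-alone, the script exits 1 for the bare scan, 0 once both findings are baselined, and 1 again after one baseline entry is deleted; if git is not on PATH it raises before scanning rather than printing nothing.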

killuazhu pushed a commit to IBM/detect-secrets that referenced this issue May 28, 2020
* Add basic auth detection for just PAT, no username

* Cover other cases

* Address @xianjun comments
killuazhu pushed a commit to IBM/detect-secrets that referenced this issue Sep 17, 2020
* Use GHDetectorV2

Supports git-defenders/detect-secrets-discuss#166

Cover additional token contexts in GitHub V2 detector (Yelp#183)

Turn on GHDetectorV2 (Yelp#184)

Supports git-defenders/detect-secrets-discuss#124

Delete GHDetector V1 (Yelp#186)