
using client to scan the clone repo and return the result with "hashed_secret" #198

saturbo opened this issue Jun 24, 2019 · 5 comments · Closed
Labels
question The issue is a technical question related to the project.

Comments


saturbo commented Jun 24, 2019

Hi guys, I want to ask a stupid question. I am using the client-side tools to scan all the cloned repos; as a result, I got all the results with "hashed_secret". My question is: is it possible to show the result without the hash so that I can show it to my IT team to further check the code?


saturbo commented Jun 24, 2019

Supplementing with an example case:

    "results": {
      "src/main/resources/application.yml": [
        {
          "hashed_secret": "6cf121a60a3c78f941651f6e01906dfec489cdb2",
          "line_number": 44,
          "type": "Secret Keyword"
        },
        {
          "hashed_secret": "d1d71eeb23a0c194704129c41502e4c780f3160c",
          "line_number": 44,
          "type": "Base64 High Entropy String"
        }
      ]
    }

dgzlopes (Contributor) commented Jun 24, 2019

I don't know if detect-secrets is able to generate a baseline file without hashing secrets, but if you want to audit the results generated by detect-secrets scan then detect-secrets audit works flawlessly. It shows the secret, some context about where it appears, and you can even tag it as a valid secret or a false positive.

If you want to give it a spin, just redirect the scan output (called the baseline) to its own file with detect-secrets scan > .secrets.baseline and then run detect-secrets audit .secrets.baseline

KevinHock added the question label Jun 25, 2019

KevinHock (Collaborator) commented

Unfortunately this isn't possible to do right now, but issue #191 will fix this.

What @dgzlopes suggested is the best it can do currently.

domanchi (Contributor) commented

FWIW, there are several reasons why I've been against having an easy way to extract these secrets in an easily shareable form (like the use case you described).

  1. We don't want a file with all the secrets in it, because this is going to be tracked in source control. That's against everything this tool is about.

  2. We don't want to promote a situation where you can run a command, extract all the secrets from a repository, then share that file of plain-text secrets with someone. The implicit assumption behind the audit functionality is that you have access to the code base, and therefore it merely exists as a helper tool (seeing that you can read the baseline and get those secrets manually).

If you could generate a baseline with plain text secrets, you could technically share them with someone without repository access, and further worsen the issue of spreading secrets around.

@saturbo, does your IT team have code base access?
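To illustrate the point above, here is an added example (not code from detect-secrets or from anyone in this thread): it takes a baseline in the shape saturbo posted, resolves each entry against a local checkout, masks every credential-looking token before reporting the line, and only confirms whether some token on that line hashes to "hashed_secret". The SHA-1-over-UTF-8 scheme, the 12-character token threshold and the sample file are assumptions of this example.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample input, not taken from the issue: a fake YAML file whose
# line 3 holds a dummy credential. The hash scheme (SHA-1 over the UTF-8 secret)
# is an assumption about how "hashed_secret" is produced; check your version.
SAMPLE_SECRET = "EXAMPLE-NOT-A-REAL-SECRET-0123456789"
SAMPLE_YAML = "spring:\n  datasource:\n    password: " + SAMPLE_SECRET + "\n"
# Any run of 12+ credential-like characters counts as a candidate token.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{12,}")

def hash_secret(value):
    return hashlib.sha1(value.encode("utf-8")).hexdigest()

def locate_finding(repo_root, rel_path, line_number, hashed_secret):
    """Resolve one baseline entry against the checkout: report the source line
    with every candidate token masked and whether one of them hashes to
    hashed_secret. The plaintext never leaves this function."""
    with open(os.path.join(repo_root, rel_path), encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if not 1 <= line_number <= len(lines):  # stale baseline or moved code
        return {"path": rel_path, "line_number": line_number, "found": False,
                "redacted": None}
    line = lines[line_number - 1]
    found = any(hash_secret(t) == hashed_secret for t in TOKEN_RE.findall(line))
    return {"path": rel_path, "line_number": line_number, "found": found,
            "redacted": TOKEN_RE.sub("<redacted>", line)}

def audit_baseline(repo_root, baseline):
    """Walk baseline["results"] and say where each entry lands in the code."""
    return [dict(locate_finding(repo_root, path, f["line_number"],
                                f["hashed_secret"]), type=f["type"])
            for path, findings in baseline["results"].items() for f in findings]

def demo():
    """Write the constructed file and baseline to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as root:
        rel = "src/main/resources/application.yml"
        os.makedirs(os.path.join(root, "src/main/resources"))
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_YAML)
        baseline = {"results": {rel: [
            {"hashed_secret": hash_secret(SAMPLE_SECRET), "line_number": 3,
             "type": "Secret Keyword"},
            {"hashed_secret": "0" * 40, "line_number": 3,
             "type": "Base64 High Entropy String"}]}}
        return audit_baseline(root, baseline)
```

The second baseline entry deliberately carries a hash that matches nothing, so the report shows the same masked line with found set to False.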

saturbo (Author) commented Jul 1, 2019

@domanchi, actually the IT team does have code base access, and your consideration is definitely right. So I am going to show them the audit reports of the secrets instead of showing the plain text. Thx for all the replies and suggestions!

@saturbo saturbo closed this as completed Jul 1, 2019
killuazhu pushed a commit to IBM/detect-secrets that referenced this issue May 28, 2020
* Verify Artifactory catches expected secret

Follow up of [this comment](https://github.ibm.com/Whitewater/whitewater-detect-secrets/pull/197#discussion_r2457154) on Yelp#197.

* Fix cannot index dict.keys object