Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add audit baseline functionality #44

Merged
merged 11 commits into from
Jun 27, 2018
Merged

Add audit baseline functionality #44

merged 11 commits into from
Jun 27, 2018

Conversation

domanchi
Copy link
Contributor

Testing

detect-secrets$ pip install -e .
detect-secrets$ detect-secrets --scan test_data > .secrets.baseline
detect-secrets$ detect-secrets --audit .secrets.baseline

Output

Secrets Left: 1/14
Filename:     test_data/baseline.file
----------
4:  "results": {
5:    "file_with_secrets.py": [
6:      {
7:        "type": "High Entropy String",
8:        "line_number": 3,
9:        "hashed_secret": "262547656a76a8a5d24ad428e7010e0fbb8d0413"
10:      }
11:    ],
12:    "sample.diff": [
13:      {
14:        "type": "High Entropy String",
----------
Is this a valid secret? (y)es, (n)o, (s)kip, (q)uit:

Features

  • Full colored, interactive auditor for secrets found through --scan.
  • Ability to flag both false and true positives within the baseline.
  • Handles case well where baseline's reported line number falls out of sync with actual code.
  • skip allows you to revisit the secret at a later time.
  • Audit sessions can be "saved" by quitting pre-maturely: secrets already audited will not need to be reviewed again.

Backwards Compatibility Considerations

This is a breaking change!

  • Baselines will need to be created in sorted order as well as requiring the plugins_used list with proper initialization args.
  • Private Key Detector now creates a hash of the blacklisted line, rather than the whole line itself. This will require all older baselines with this plugin to be rescanned, to get the new hash.
  • SensitivityValues has been dropped. detect-secrets-server will need to be pinned on an older version, until fixed.

@domanchi domanchi mentioned this pull request Jun 26, 2018
Closed
@KevinHock KevinHock self-requested a review June 26, 2018 20:57
KevinHock
KevinHock approved these changes Jun 26, 2018
View reviewed changes
Copy link
Collaborator

@KevinHock KevinHock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM :D

detect_secrets/core/audit.py Outdated

current_secret_index += 1

break
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I follow, why only do the first filename here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, nice catch.

I throw in breaks when testing; looks like I missed a spot.

detect_secrets/core/audit.py Outdated
def _secret_generator(baseline):
"""Generates secrets to audit, from the baseline"""
current_secret_index = 1
num_secrets_to_parse = sum(map(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Maybe add some comments and space it out so there isn't the ))). I initially misread it as map gets all the secrets that don't have an is_secret attribute (i.e. the ones that have not been audited) and adds that number to the number of results in the baseline.

num_secrets_to_parse = sum(
  map(
      lambda filename: len(
        list(
          filter(
              lambda secret: not hasattr(secret, 'is_secret'),
              baseline['results'][filename],
          )
        )
      ),
      baseline['results'],
  )
)

detect_secrets/core/audit.py
lineno=0,
)

# There could be more than two secrets on the same line.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice. :D

detect_secrets/core/audit.py Outdated
for raw_secret in plugin.secret_generator(secret_line):
yield raw_secret

# It hits here if the secret has been moved, from the original
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it'd be more pythonic/you wouldn't need a comment (uncle bob 💯 ), if you did for .. else (i.e. if you don't take a break you get a raise.)

detect_secrets/core/audit.py
),
x[1],
),
enumerate(output),
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow, woah, this is reel nice 🍰 ⚡️ 💡

@domanchi domanchi force-pushed the add-audit-baseline-functionality branch from 61cf2d5 to b77ceec Compare June 27, 2018 03:50
@domanchi domanchi merged commit a7dc425 into master Jun 27, 2018
@domanchi domanchi deleted the add-audit-baseline-functionality branch June 27, 2018 03:55
@domanchi domanchi mentioned this pull request Jun 27, 2018
Merged
@dcepler dcepler mentioned this pull request Aug 24, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@KevinHock KevinHock KevinHock approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@domanchi @KevinHock