feat(secrets): support git history scan in multiline parsers (#4637)

* added test + remove \n from string - need to update detect-secret vetsion * Update checkov/secrets/plugins/detector_utils.py Co-authored-by: Eliran Turgeman <50831652+Eliran-Turgeman@users.noreply.github.com> * ipdate detect-secrets * ipdate detect-secrets * ipdate detect-secrets * . * remove popitem() for secret_value_regex_to_group * remove popitem() for secret_value_regex_to_group --------- Co-authored-by: Eliran Turgeman <50831652+Eliran-Turgeman@users.noreply.github.com>
bridgecrewio · Mar 13, 2023 · c9ec872 · c9ec872
1 parent 1bbc826
commit c9ec872
Show file tree

Hide file tree

Showing 7 changed files with 286 additions and 204 deletions.
diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/checkov/secrets/plugins/detector_utils.py b/checkov/secrets/plugins/detector_utils.py
@@ -185,7 +185,7 @@ def extract_from_string(pattern: dict[Pattern[str], int] | None, string: str) ->
     for value_regex, group_number in pattern.items():
         match = value_regex.search(string)
         if match:
-            matches |= {match.group(group_number)}
+            matches |= {match.group(group_number).rstrip('\n')}
     return matches
 
 

diff --git a/checkov/secrets/scan_git_history.py b/checkov/secrets/scan_git_history.py
@@ -105,7 +105,8 @@ def _get_commits_diff(self) -> Dict[str, Dict[str, str | Dict[str, str]]]:
                 base_diff_format = f'diff --git a/{file_diff.a_path} b/{file_diff.b_path}' \
                                    f'\nindex 0000..0000 0000\n--- a/{file_diff.a_path}\n+++ b/{file_diff.b_path}\n'
                 commits_diff.setdefault(current_commit_hash, {})
-                commits_diff[current_commit_hash][file_diff.a_path] = base_diff_format + file_diff.diff.decode()
+                file_name = file_diff.a_path if file_diff.a_path else file_diff.b_path
+                commits_diff[current_commit_hash][file_name] = base_diff_format + file_diff.diff.decode()
         return commits_diff
 
 

diff --git a/tests/secrets/git_history/__init__.py b/tests/secrets/git_history/__init__.py
diff --git a/tests/secrets/git_history/test_utils.py b/tests/secrets/git_history/test_utils.py
diff --git a/tests/secrets/test_plugin_multiline_yml.py b/tests/secrets/test_plugin_multiline_yml.py
@@ -198,7 +198,7 @@ def test_regex_keyword_in_value(self):
         ]
 
         keyword_value_regex_to_group = REGEX_VALUE_KEYWORD_BY_FILETYPE.get(FileType.YAML)
-        value_regex, group_number = keyword_value_regex_to_group.popitem()
+        value_regex, group_number = list(keyword_value_regex_to_group.items())[0]
         for line, secret in examples:
             match = value_regex.search(line).group(group_number)
             assert match == secret
@@ -217,7 +217,7 @@ def test_regex_secret_in_value(self):
         ]
 
         secret_value_regex_to_group = REGEX_VALUE_SECRET_BY_FILETYPE.get(FileType.YAML)
-        value_regex, group_number = secret_value_regex_to_group.popitem()
+        value_regex, group_number = list(secret_value_regex_to_group.items())[0]
         for line, secret in examples:
             match = value_regex.search(line).group(group_number)
             assert match == secret
diff --git a/tests/secrets/test_secret_git_history.py b/tests/secrets/test_secret_git_history.py