
cred-alert-cli scan --diff doesn't notice RSA private key

Open benchristel opened this issue 7 years ago • 4 comments

I'm trying out cred-alert-cli in preparation for using the git hooks in https://github.com/pivotal-cf/git-hooks-core, and I'm seeing some false negatives that seem to be due to the behavior of --diff.

Platform and Versions

  • Mac OS 10.11.6 (El Capitan)
  • cred-alert-cli version db35f3e
  • git --version 2.14.1

What I tried:

cd myrepo
cp ~/.ssh/id_rsa .
git add id_rsa
git diff --cached | cred-alert-cli scan --diff
echo $?

What I expected:

  • A warning about the id_rsa file printed to the terminal
  • echo $? should output nonzero

What I observed:

  • Nothing printed by cred-alert-cli
  • echo $? outputs 0.

Bizarrely, cred-alert-cli does output the expected warning if I don't use the --diff flag.

It works as expected on a different Mac with OS 10.12.6 Sierra and git 2.13.0.

I am not sure if this is user error (should I not use --diff?) or if it points to a bug in cred-alert-cli.

The cf git hooks use --diff for checking git diffs, so if that's not correct, I'll open an issue there.

Thanks for any guidance you can provide :)

benchristel, Mar 15 '18 18:03

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

cf-gitbot, Mar 15 '18 18:03

@benchristel are you saying this is potentially a 10.11.6 (El Capitan) vs 10.12.6 (Sierra) problem?

professor, Mar 15 '18 19:03

@professor yes, though looking at the code I don't understand how it could be. It might also be a git version issue, or something else in the environment that's eluded me.

benchristel, Mar 15 '18 19:03

This was due to git config --global color.ui always on our machines, except the one that happened to be Sierra. The terminal escapes foiled cred-alert-cli.

dsharp-pivotal, Mar 17 '18 01:03
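The failure mode described in the last comment, as an added example that is not cred-alert's own code: a diff scanner that keys on a leading "+" silently misses added lines once git prefixes them with colour escapes (color.ui=always), and normalising the input by stripping those escapes, which is what piping `git diff --no-color` would give you, restores the detection. The sample diff, the key-header marker and all function names here are constructed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ansiEscape matches CSI/SGR colour sequences such as "\x1b[32m" or "\x1b[m".
var ansiEscape = regexp.MustCompile(`\x1b\[[0-9;]*[A-Za-z]`)

// privateKeyHeader is the marker an added line must carry to count as a finding.
const privateKeyHeader = "-----BEGIN RSA PRIVATE KEY-----"

// StripANSI removes terminal colour escapes so diff prefixes sit at column 0 again.
func StripANSI(s string) string { return ansiEscape.ReplaceAllString(s, "") }

// scanAddedLines returns the 1-based numbers of added ("+") diff lines carrying the
// header. It trusts that '+' is the first byte of each added line, which colour
// escapes break: "\x1b[32m+..." does not start with "+".
func scanAddedLines(diff string) []int {
	var hits []int
	for i, line := range strings.Split(diff, "\n") {
		if strings.HasPrefix(line, "+") && !strings.HasPrefix(line, "+++") &&
			strings.Contains(line, privateKeyHeader) {
			hits = append(hits, i+1)
		}
	}
	return hits
}

// ScanDiff is the hardened entry point: normalise away escapes, then scan.
func ScanDiff(diff string) []int { return scanAddedLines(StripANSI(diff)) }

// colouredDiff is a constructed stand-in for what `git diff --cached` emits with
// color.ui=always: every line is wrapped in SGR sequences, including the '+'.
const colouredDiff = "\x1b[1mdiff --git a/id_rsa b/id_rsa\x1b[m\n" +
	"\x1b[1m--- /dev/null\x1b[m\n" +
	"\x1b[1m+++ b/id_rsa\x1b[m\n" +
	"\x1b[36m@@ -0,0 +1,2 @@\x1b[m\n" +
	"\x1b[32m+-----BEGIN RSA PRIVATE KEY-----\x1b[m\n" +
	"\x1b[32m+MIIEconstructedNotARealKey\x1b[m\n"

func main() {
	fmt.Println("naive scanner, coloured input:", scanAddedLines(colouredDiff)) // prints []
	fmt.Println("hardened ScanDiff, same input:", ScanDiff(colouredDiff))      // prints [5]
}
```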