scopeconfig doesn't seem to ignore package-lock.json #360

Closed
varaamo opened this issue Mar 24, 2022 · 6 comments
varaamo commented Mar 24, 2022

Adding the following lines to .talismanrc doesn't seem to ignore the package-lock.json file. I added these lines and ran talisman --scan and it still reports the integrity fields as potential issues.

```yaml
scopeconfig:
  - scope: go
  - scope: node
```
tinamthomas self-assigned this Mar 25, 2022
tinamthomas commented Mar 25, 2022

Talisman does not use the .talismanrc in the scan mode. It is used for the pre-hook mode.

This is mentioned here: "Talisman currently does not support ignoring of files for scanning".
varaamo commented Mar 25, 2022

Not sure if that's accurate. I'm running the following command: ./talisman_linux_amd64 --scan with contents of .talismanrc as follows. It's picking the custom patterns correctly but not the scopeconfig.

```yaml
scopeconfig:
  - scope: go
  - scope: node
custom_patterns:
  - (?i)(.password)\s*=\s*[0-9a-zA-Z/+=_]{32}
  - (?i)(password)\s*=\s*[0-9a-zA-Z/+=_]+
  - (?i)(pwd)\s*=\s*[0-9a-zA-Z/+=_]+
  - (?i)(password)\s*:\s*[0-9a-zA-Z/+=_]+
  - (?i)(pwd)\s*:\s*[0-9a-zA-Z/+=_]+
  - (?i)(.secret)\s*=\s*[0-9a-zA-Z/+=_]{32}
  - (?i)(_secret)\s*=\s*[0-9a-zA-Z/+=_]{32}
  - (?i)(ApiKey)\s*=\s*[0-9a-zA-Z/+=_]{32}
  - (?s) AKIA[0-9A-Z]{16}
  - (?s)AIza[0-9A-Za-z-_]{35}
  - (?s)[0-9]+-[0-9A-Za-z_]{32}.apps.googleusercontent.com
  - (?s)eyJ[A-Za-z0-9_/+-].[A-Za-z0-9._/+-]
```

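The behaviour the reporter expected from scopeconfig in scan mode, written out as an added illustration (this is not Talisman's code; the scope-to-file mapping and the sample repository contents are constructed assumptions):

```python
import re

# Constructed .talismanrc contents mirroring the issue: two scopes plus a subset
# of the custom patterns quoted above.
TALISMANRC = {
    "scopeconfig": [{"scope": "go"}, {"scope": "node"}],
    "custom_patterns": [
        r"(?i)(password)\s*=\s*[0-9a-zA-Z/+=_]+",
        r"(?i)(ApiKey)\s*=\s*[0-9a-zA-Z/+=_]{32}",
        r"(?s)AKIA[0-9A-Z]{16}",
    ],
}

# Assumed (hypothetical) set of manifest files each scope excludes; Talisman's
# real mapping may differ.
SCOPE_FILES = {
    "node": {"package-lock.json", "yarn.lock"},
    "go": {"go.sum"},
}

# Constructed sample repository: a lockfile integrity hash (the false positive
# from the issue), an ini file with a password, and a Go file with a key-shaped string.
FILES = {
    "package-lock.json": '"integrity": "sha512-Qm9ndXM1ZXhhbXBsZWhhc2h2YWx1ZWZvcnRlc3Rpbmc=",\n',
    "config.ini": "password = hunter2abc\n",
    "main.go": 'key := "AKIAABCDEFGHIJKLMNOP"\n',
}


def ignored_files(config):
    """Union of file names excluded by every scope listed in scopeconfig."""
    names = set()
    for entry in config.get("scopeconfig", []):
        names |= SCOPE_FILES.get(entry["scope"], set())
    return names


def files_to_scan(files, config):
    """Paths that survive the scope filter, sorted for deterministic output."""
    skip = ignored_files(config)
    return sorted(p for p in files if p.rsplit("/", 1)[-1] not in skip)


def scan(files, config):
    """Return (path, line number, pattern) for each custom-pattern hit in scanned files."""
    patterns = [re.compile(p) for p in config.get("custom_patterns", [])]
    hits = []
    for path in files_to_scan(files, config):
        for lineno, line in enumerate(files[path].splitlines(), 1):
            hits.extend((path, lineno, pat.pattern) for pat in patterns if pat.search(line))
    return hits
```

With the scopes applied, package-lock.json is never opened, so its integrity hashes cannot be reported; with an empty config it is scanned like any other file.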
svishwanath-tw commented Mar 25, 2022

@varaamo : Scan with ignores was a special build created a long time ago for your usage.
The mainline scan feature does not support ignores or custom and allowed patterns.
The key problem being a way to identify a particular version of the file that is also easy for users to specify (blob-id vs commit/tag + file path vs what other options).

varaamo commented Mar 25, 2022

@svishwanath-tw: Is there a way you can build me a version of a scan with scopeconfig and custom_patterns? We are using a pre-receive secrets scanning hook that I built at my workplace using the version of the talisman cli you'd provided me earlier. Currently there is a need to ignore package-lock.json and other manifest files from the scans due to the false positives. Much appreciated if you can help.

svishwanath-tw commented
@varaamo : Please check using release v1.27.0 and close this issue if it suits you.

svishwanath-tw commented
@varaamo : I'm closing this issue now. Please consider open-sourcing the pre-receive script. I think others would find it useful.
