
Exclusion Parameters/Arguments Are Not Being Passed On #540

Open
blonienc opened this issue May 1, 2024 · 2 comments

blonienc commented May 1, 2024

As a SeCureLI user, when I opt to exclude a particular file or folder type from scanning, that exclusion is not being honored and the excluded paths are still being scanned. The most recent example was trying to exclude .snap files, but they were still being scanned.

This causes issues, as I continue to get false positive results from my SeCureLI scan.

To reproduce:

  1. Have secrets present in a file or folder
  2. Create an exclusion rule
  3. View results

AC:

  • Using inherent SeCureLI functionality I am able to exclude folder or file type from the scan
  • Results are not given for the exclusions
@blonienc blonienc added bug Something isn't working help wanted Extra attention is needed labels May 1, 2024
@schuslalom

Calling detect-secrets directly, and passing in --exclude-files works as expected:

detect-secrets scan --exclude-files '.*\.snap$'

When the following is added to .secureli/.pre-commit-config.yaml:

  - hooks:
      - args:
          - --exclude-files '.*\.snap$'
        id: detect-secrets
    repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0

The files ending in .snap are not excluded as part of the scan.

However, if the syntax is changed to:

  - hooks:
      - args: ['--exclude-files', '.*\.snap$']
        id: detect-secrets
    repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0

Then the .snap files are excluded from the scan as expected.

The last syntax works, so I think this can be solved simply with documentation in secureli on how to correctly provide arguments. The working example was taken from the detect-secrets repo: https://github.com/Yelp/detect-secrets#:~:text=args%3A%20%5B%27%2D%2Dbaseline%27%2C%20%27.secrets.baseline%27%5D

@itoltz itoltz self-assigned this Jun 3, 2024
itoltz commented Jun 3, 2024

It's worth noting that the two samples @schuslalom provided are slightly different. In the first case, the pattern is surrounded by single quotes ('.*/.snap$'), while in the second case it is not (.*/snap$).

That said, based on my testing I don't believe the presence of quotes makes a difference one way or the other. The salient point seems to be that the first example results in an array with a single element (["--exclude-files '.*\.snap$'"]) while the second example results in an array with two elements (["--exclude-files", ".*/snap$"]). The first example works if I split the file pattern into its own element.

- hooks:
    - args:
        - --exclude-files
        - '.*\.snap$'
      id: detect-secrets
  repo: https://github.com/Yelp/detect-secrets
  rev: v1.5.0

I'm looking into adding this quirk into our documentation.
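The two comments above come down to how many argv elements the hook receives. The script below is an added example written for this thread; it is not code from secureli, pre-commit or detect-secrets. It assumes only that pre-commit hands each YAML `args` element to the hook as its own argv element with no shell word splitting, and it models the detect-secrets-hook command line with a small argparse stand-in whose `--exclude-files` option takes one regex value (the real CLI has more options; the regex is applied with a `search`, which is an assumption of the model). The file list and the config dictionary are constructed for the demonstration, shaped like what a YAML loader would return for the `.pre-commit-config.yaml` fragments in this issue. Beyond the thread's case, `find_fused_args` lints a whole config for the same mistake on any hook, and `split_fused` shows the corrected list.

```python
"""Why a fused "--flag value" entry in a pre-commit `args` list is ignored,
and a lint that flags such entries in a parsed .pre-commit-config.yaml.

Added example for this issue thread, not project code. Assumptions: pre-commit
passes each `args` element as a single argv element (no shell splitting), and
the hook parses `--exclude-files <regex>` as one option with one value.
"""
import argparse
import re
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed: what a YAML loader yields for the two spellings in the thread.
# The first is ONE element (flag and value fused); the second is TWO.
FUSED_ARGS: List[str] = ["--exclude-files '.*\\.snap$'"]
SPLIT_ARGS: List[str] = ["--exclude-files", ".*\\.snap$"]

# Constructed stand-in for the filenames pre-commit appends to the hook argv.
SAMPLE_FILES: List[str] = [
    "src/app.py",
    "tests/__snapshots__/ui.snap",
    "fixtures/creds.snap",
]

# Constructed: a parsed config with the broken spelling from the thread.
SAMPLE_CONFIG: Dict = {
    "repos": [
        {
            "repo": "https://github.com/Yelp/detect-secrets",
            "rev": "v1.5.0",
            "hooks": [{"id": "detect-secrets", "args": FUSED_ARGS}],
        }
    ]
}


def _parser() -> argparse.ArgumentParser:
    """Stand-in for the hook's CLI: one regex option plus positional files."""
    p = argparse.ArgumentParser(prog="detect-secrets-hook", add_help=False)
    p.add_argument("--exclude-files", dest="exclude_files", default=None)
    p.add_argument("filenames", nargs="*")
    return p


def exclude_regex(args: List[str]) -> Optional[str]:
    """Regex the hook actually receives, or None if the option was never seen.

    A fused element such as "--exclude-files '.*\\.snap$'" is not the string
    "--exclude-files", so the option is not matched and stays at its default.
    """
    ns, _unknown = _parser().parse_known_args(list(args))
    return ns.exclude_files


def files_to_scan(args: List[str], filenames: List[str]) -> List[str]:
    """Files left to scan after applying whatever exclusion was received."""
    pattern = exclude_regex(args)
    if pattern is None:
        return list(filenames)  # nothing excluded: every file is scanned
    rx = re.compile(pattern)
    return [f for f in filenames if not rx.search(f)]


def _is_fused(element: str) -> bool:
    # Heuristic: an option-looking element that also contains whitespace
    # almost always carries its value inside the same YAML list item.
    return element.startswith("-") and " " in element.strip()


def find_fused_args(config: Dict) -> List[Tuple[str, str, str]]:
    """Lint a parsed pre-commit config; return (repo, hook id, element) hits."""
    hits: List[Tuple[str, str, str]] = []
    for repo in config.get("repos", []):
        for hook in repo.get("hooks", []):
            for element in hook.get("args") or []:
                if isinstance(element, str) and _is_fused(element):
                    hits.append((repo.get("repo", "?"), hook.get("id", "?"), element))
    return hits


def split_fused(args: List[str]) -> List[str]:
    """Suggested replacement: shell-split fused elements into separate items.

    This is only to show the corrected YAML list; pre-commit itself never
    shell-splits, which is exactly why the fused form fails.
    """
    out: List[str] = []
    for element in args:
        out.extend(shlex.split(element) if _is_fused(element) else [element])
    return out


if __name__ == "__main__":
    for label, args in (("fused", FUSED_ARGS), ("split", SPLIT_ARGS)):
        print(label, "-> regex:", exclude_regex(args),
              "scanned:", files_to_scan(args, SAMPLE_FILES))
    for repo, hook_id, element in find_fused_args(SAMPLE_CONFIG):
        print(f"{repo} [{hook_id}]: {element!r} -> use {split_fused([element])!r}")
```

Running the lint against a real config is a matter of loading the YAML (for example with PyYAML's `safe_load`) and passing the resulting dictionary to `find_fused_args`; the `--flag=value` spelling is not flagged because argparse-style parsers accept it as one element.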
