149 changes: 46 additions & 103 deletions detect_secrets/core/usage.py
Expand Up @@ -51,36 +51,37 @@ def add_output_verified_false_flag(parser):


class ParserBuilder(object):

def __init__(self):
self.parser = argparse.ArgumentParser()
self.subparser = None

self.add_default_arguments()

def add_default_arguments(self):
self._add_verbosity_argument()._add_version_argument()
self._add_verbosity_argument()\
._add_version_argument()

def add_pre_commit_arguments(self):
self._add_filenames_argument()\
._add_set_baseline_argument()\
._add_exclude_lines_argument()\
._add_word_list_argument()\
._add_use_all_plugins_argument()\
._add_no_verify_flag()\
._add_no_verify_flag() \
._add_output_verified_false_flag()\
._add_fail_on_unaudited_flag()
._add_fail_on_non_audited_flag()



PluginOptions(self.parser).add_arguments()

return self

def add_console_use_arguments(self):
self.subparser = self.parser.add_subparsers(
subparser = self.parser.add_subparsers(
dest='action',
)

for action_parser in (ScanOptions, AuditOptions):
action_parser(self.subparser).add_arguments()
action_parser(subparser).add_arguments()

return self

Expand Down Expand Up @@ -145,18 +146,19 @@ def _add_output_verified_false_flag(self):
add_output_verified_false_flag(self.parser)
return self

def _add_fail_on_unaudited_flag(self):
def _add_fail_on_non_audited_flag(self):
self.parser.add_argument(
'--fail-on-unaudited',
'--fail-on-non-audited',
Comment on lines +149 to +151


Can this change please be undone? This renames the --fail-on-unaudited flag and will break detect-secrets for users who are using this flag in their builds and pre-commit config files.


I think I understand what happened, you're probably working off an outdated version of master (see #118 (comment)).

action='store_true',
help='Fail check if there are entries have not been audited in baseline.',
)
return self


class ScanOptions:

def __init__(self, subparser):
self.parser: argparse.ArgumentParser = subparser.add_parser(
self.parser = subparser.add_parser(
'scan',
)

Expand Down Expand Up @@ -227,7 +229,10 @@ def _add_adhoc_scanning_argument(self):
'--string',
nargs='?',
const=True,
help=('Scans an individual string, and displays configured ' 'plugins\' verdict.'),
help=(
'Scans an individual string, and displays configured '
'plugins\' verdict.'
),
)
return self

Expand All @@ -245,78 +250,22 @@ def _add_output_raw_argument(self):


class AuditOptions:

def __init__(self, subparser):
# Override the default audit parser usage message since the arguments within


Question: why was the report parser code removed? I wonder if you were working off an outdated version of master. I'd recommend merging upstream master into your branch to ensure that you're working with the latest code.

# the _add_report_module group should only be permitted when the --report
# arg is included. argparse does not have built-in mutual inclusion functionality,
# so we had to add our own custom validation function, validate_args,
# in detect-secrets/core/report/report.py.
# docs: https://docs.python.org/3/library/argparse.html#usage
self.parser: argparse.ArgumentParser = subparser.add_parser(
self.parser = subparser.add_parser(
'audit',
usage='%(prog)s [-h] [--diff | --display-results | --report [--fail-on-unaudited]'
' [--fail-on-live] [--fail-on-audited-real] [--json | --omit-instructions]]'
' [filename ...]',
)

def _add_report_module(self):
report_parser = self.parser.add_argument_group(
title='reporting',
description=(
'Displays a report with the secrets detected which fail certain conditions. '
'To be used with the report mode (--report).'
),
)

report_parser.add_argument(
'--fail-on-unaudited',
action='store_true',
help=(
'This condition is met when there are potential secrets'
' in the baseline file which have not yet been audited.'
' To pass this check, run detect-secrets audit <BASELINE_FILE> to'
' audit all unaudited secrets.'
),
)

report_parser.add_argument(
'--fail-on-live',
action='store_true',
help=(
'This condition is met when a secret has been verified'
' to be live. To pass this check, make sure that any'
' secrets in the baseline file with a property of'
' is_verified: true have been remediated, afterwards re-scan.'
),
)

report_parser.add_argument(
'--fail-on-audited-real',
action='store_true',
def add_arguments(self):
self.parser.add_argument(
'filename',
nargs='+',
help=(
'This condition is met when the baseline file contains'
' one or more secrets which have been marked as actual'
' secrets during the auditing process. Secrets with a'
' property of is_secret: true meet this condition.'
' To pass this check, remove these secrets from your'
' code and re-scan so that they will be removed from your baseline.'
'Audit a given baseline file to distinguish the difference '
'between false and true positives.'
),
)
report_parser_exclusive = report_parser.add_mutually_exclusive_group()

report_parser_exclusive.add_argument(
'--json',
action='store_true',
help=('Causes the report output to be formatted as JSON.'),
)

report_parser_exclusive.add_argument(
'--omit-instructions',
action='store_true',
help=('Omits instructions from the report.'),
)

def add_arguments(self):
action_parser = self.parser.add_mutually_exclusive_group()

action_parser.add_argument(
Expand All @@ -338,23 +287,6 @@ def add_arguments(self):
),
)

action_parser.add_argument(
'--report',
action='store_true',
help=('Displays a report with the secrets detected'),
)

self._add_report_module()

self.parser.add_argument(
'filename',
nargs='+',
help=(
'Audit a given baseline file to distinguish the difference '
'between false and true positives.'
),
)

return self


Expand All @@ -364,10 +296,13 @@ class PluginDescriptor(
[
# Classname of plugin; used for initialization
'classname',

# Flag to disable plugin. e.g. `--no-hex-string-scan`
'flag_text',

# Description for disable flag.
'help_text',

# type: list
# Allows the bundling of all related command line provided
# arguments together, under one plugin name.
Expand All @@ -380,13 +315,19 @@ class PluginDescriptor(
# Therefore, only populate the default value upon consolidation
# (rather than relying on argparse default).
'related_args',

# The name of the plugin file
'filename',
],
),
):

def __new__(cls, related_args=None, **kwargs):
return super(PluginDescriptor, cls).__new__(cls, related_args=related_args or [], **kwargs)
return super(PluginDescriptor, cls).__new__(
cls,
related_args=related_args or [],
**kwargs
)

@classmethod
def from_plugin_class(cls, plugin, name):
Expand All @@ -398,12 +339,10 @@ def from_plugin_class(cls, plugin, name):
if plugin.default_options:
related_args = []
for arg_name, value in plugin.default_options.items():
related_args.append(
(
'--{}'.format(arg_name.replace('_', '-')),
value,
),
)
related_args.append((
'--{}'.format(arg_name.replace('_', '-')),
value,
))

return cls(
classname=name,
Expand Down Expand Up @@ -572,6 +511,12 @@ class PluginOptions:
help_text='Disables scans for GitHub credentials',
filename='github_token',
),
PluginDescriptor(
classname='ContentChecker',
flag_text='--no-contentchecker-scan', # todo, check
help_text='Disables scans for ContentChecker credentials',
filename='content_checker',
),
]
opt_in_plugins = [
PluginDescriptor(
Expand Down Expand Up @@ -658,11 +603,9 @@ def consolidate_args(args):
related_args[arg_name] = default_value
is_using_default_value[arg_name] = True

active_plugins.update(
{
plugin.classname: related_args,
},
)
active_plugins.update({
plugin.classname: related_args,
})

for plugin in PluginOptions.all_plugins:
if getattr(plugin, 'classname') in list(active_plugins):
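Review bot: The new `ContentChecker` descriptor in the `PluginOptions` hunk (`@@ -572,6 +511,12 @@`) still carries `# todo, check` on `flag_text='--no-contentchecker-scan'`, and once released that flag name becomes part of the CLI that users pin in pre-commit configs and build scripts. The entry sits in the list that closes just before `opt_in_plugins`, so the plugin appears to be enabled by default (the list's own name is outside the hunk), which leaves this opt-out flag and its help text as the only description users get of what is being scanned. Settle the name before merge and drop the TODO; `flag_text='--no-content-checker-scan',` would match the hyphenation of the `--no-hex-string-scan` example in the `PluginDescriptor` comments. Also replace the help text with what the plugin actually detects, e.g. `help_text='Disables scans for <what ContentChecker detects>',`. The `content_checker` module that `filename` points to is not part of this file section, so confirm it is included in the change.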