
Secrets Detected in Branch #1 Causes Blocking of Pull Request Merge in a Clean Branch #2

Open Dylan-Rinker opened this issue 3 years ago • 1 comment

Describe the bug
If a secret exists in one branch of the repository, the advanced compliance action will alert on that secret on every other branch in that repository. This can inhibit the ability to merge pull requests on branches where the secret does not exist.

To Reproduce
Steps to reproduce the behavior:

  1. Set up the advanced-security-compliance action setup to detect secrets.
  2. Create a branch and introduce a secret (ex. String API_TOKEN = "AIzaSyAQfxPJiounkhOjODEO5ZieffeBv6yft2Q";)
  3. Create a pull request against main. This pull request will fail security compliance.
  4. Create another branch off main that does not have the secret.
  5. Create a pull request against main. This pull request will also fail, even though the secret doesn't exist in this branch/PR.

Expected behavior
Only the branch where the secret exists should be prohibited from merging into main.

Dylan-Rinker avatar Feb 11 '22 16:02 Dylan-Rinker

@Dylan-Rinker Sorry for the delay. You are absolutely right, sadly the Secret Scanning API does not have data around which branches X token was discovered in.

This might be able to be done with the GraphQL API by looking up where a commit is and doing the match, but I wasn't able to build this in v1.

GeekMasher avatar Mar 15 '22 10:03 GeekMasher
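The branch-aware filter the maintainer sketches above, as an added example that is not part of the action or of this thread: it assumes each alert has already been resolved to the commit SHA that its secret scanning alert location reports, models the repository's commit graph as constructed data (the SHAs, branch names and alerts are made up), and blocks a pull request only when the leaking commit is reachable from that branch's head.

```python
from collections import deque

# Constructed commit graph (sha -> parent shas) mirroring the issue's
# scenario: one branch introduces a secret, another is clean. SHAs are made up.
COMMITS = {
    "a1": [],      # initial commit on main
    "a2": ["a1"],  # tip of main
    "b1": ["a2"],  # branch #1: the commit that introduces the secret
    "c1": ["a2"],  # branch #2: clean branch off main
    "c2": ["c1"],  # tip of branch #2
}
BRANCH_HEADS = {"main": "a2", "leaky-branch": "b1", "clean-branch": "c2"}

# Constructed alerts. `commit_sha` is the commit an alert location points at;
# an alert found outside git history (e.g. an issue body) has none, so None.
ALERTS = [
    {"number": 1, "secret_type": "google_api_key", "commit_sha": "b1"},
    {"number": 2, "secret_type": "github_pat", "commit_sha": None},
]


def ancestors(head, commits=COMMITS):
    """Every commit reachable from `head` by walking parent links (BFS)."""
    seen, queue = set(), deque([head])
    while queue:
        sha = queue.popleft()
        if sha in seen:
            continue
        seen.add(sha)
        queue.extend(commits.get(sha, []))
    return seen


def alerts_affecting_branch(branch, alerts=ALERTS, heads=BRANCH_HEADS,
                            commits=COMMITS, fail_closed=True):
    """Keep only alerts whose leaking commit is in the branch's history.
    Alerts with no commit location cannot be tied to a branch: with
    fail_closed=True they still block (the action's current behaviour)."""
    history = ancestors(heads[branch], commits)
    kept = []
    for alert in alerts:
        sha = alert.get("commit_sha")
        if sha is None and fail_closed:
            kept.append(alert)
        elif sha in history:
            kept.append(alert)
    return kept


def should_block_merge(branch, **kwargs):
    """True if a pull request from `branch` should be blocked."""
    return bool(alerts_affecting_branch(branch, **kwargs))
```

With the default fail-closed setting the clean branch is still blocked by the alert that has no commit location, which is the trade-off to decide on before relaxing the check.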

@Dylan-Rinker Closing issue due to the limitations in Secret Scanning. Please open a new issue here if you still need this issue resolved. https://github.com/advanced-security/policy-as-code/issues

GeekMasher avatar Dec 14 '22 14:12 GeekMasher