detect-secrets
[bug] Secrets in multiline scalar values in YAML files not (always?) detected
Given a YAML file like:

```yaml
---
config: |
  api_keys:
    - key: "54aa556bacccda85b2cdd21bfd2369fed4c6f451e4af938adf0deb0d2b6a01a3"
    - key: 17ff70a5f4cb42cca7854f0abcd18354f647cfcd636d58ca285080b170f1c5ca
other_key: "f788a426e555dd10f03cfabc281f0bf910f5229f5b68e895f2bc1fa955115173"
```
```
detect-secrets -v scan --all-files
```

will find the 3rd secret, but not the 1st or 2nd. All three when checked in isolation are detected by the HexHighEntropyString:
```
❯ detect-secrets scan --string f788a426e555dd10f03cfabc281f0bf910f5229f5b68e895f2bc1fa955115174
AWSKeyDetector         : False
ArtifactoryDetector    : False
AzureStorageKeyDetector: False
Base64HighEntropyString: False (3.759)
BasicAuthDetector      : False
CloudantDetector       : False
HexHighEntropyString   : True  (3.759)
IbmCloudIamDetector    : False
IbmCosHmacDetector     : False
JwtTokenDetector       : False
KeywordDetector        : False
MailchimpDetector      : False
NpmDetector            : False
PrivateKeyDetector     : False
SlackDetector          : False
SoftlayerDetector      : False
SquareOAuthDetector    : False
StripeDetector         : False
TwilioKeyDetector      : False
```
Renaming the file to e.g. `.json` or `.txt` will cause the (quoted) secrets to be picked up again. So it seems to be related to multiline scalar values parsing of YAML files.
Version used:

```
❯ detect-secrets --version
1.0.3
```
Let me know if there's anything that is missing/I should check.
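A supplementary check for the gap this report describes, added here as an example and not code from detect-secrets or from the reporter: walk a parsed YAML document, split multiline string values (block scalars) into lines, and apply a hex high-entropy check to each line. The parsed structure is constructed inline (the shape `yaml.safe_load` would produce for the file above) so it runs without PyYAML; the `HEX_LIMIT` of 3.0 is detect-secrets' default `--hex-limit`.

```python
import math
import re
import string

# Constructed: parsed form of the YAML in the report. The block scalar under
# `config` becomes a single multiline string, so a scanner that only looks at
# leaf values as one-line strings sees just `other_key`.
PARSED = {
    "config": (
        "api_keys:\n"
        "  - key: \"54aa556bacccda85b2cdd21bfd2369fed4c6f451e4af938adf0deb0d2b6a01a3\"\n"
        "  - key: 17ff70a5f4cb42cca7854f0abcd18354f647cfcd636d58ca285080b170f1c5ca\n"
    ),
    "other_key": "f788a426e555dd10f03cfabc281f0bf910f5229f5b68e895f2bc1fa955115173",
}

HEX_CANDIDATE = re.compile(r"[0-9a-fA-F]{20,}")
HEX_LIMIT = 3.0  # detect-secrets' default threshold for HexHighEntropyString


def shannon_entropy(data: str, charset: str = string.hexdigits) -> float:
    """Shannon entropy in bits per symbol over the hex alphabet; this is the
    figure the HexHighEntropyString plugin reports (3.759 for the string
    scanned in the report)."""
    entropy = 0.0
    for ch in charset:
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def scan_value(value, path=""):
    """Yield (path, line_no, candidate) for every high-entropy hex string.
    Multiline strings are split line by line, so block scalar contents are
    scanned the same way a plain key/value line would be."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from scan_value(child, f"{path}/{key}")
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            yield from scan_value(child, f"{path}[{idx}]")
    elif isinstance(value, str):
        for line_no, line in enumerate(value.splitlines(), 1):
            for candidate in HEX_CANDIDATE.findall(line):
                if shannon_entropy(candidate) > HEX_LIMIT:
                    yield (path, line_no, candidate)


def find_secrets(doc):
    """Return all findings for a parsed YAML document as a list."""
    return list(scan_value(doc))
```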