
Most secrets are not detected

Open dudicoco opened this issue 3 years ago • 3 comments

I'm running detect-secrets on the following file (these are fake values):

env:
  PASSWORD: dY^5Ke76gdSiF
  OPSGENIE_API_KEY: oov9e5e9-3ccb-20c3-1097-74gyye7tx42q
  OPSGENIE_API_KEY_URL: https://api.opsgenie.com/v1/json/cloudwatch?apiKey=182663ax-3ccb-20c3-1097-3ol15d0wfu45
  SLACK_WEBHOOK: https://hooks.slack.com/services/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
  SLACK_API_KEY: xoxb-8825133122-0721161319009-2cmV8RhmMaFzb7NyFjXZNfgO
  OKTA_CLIENT_ID: cjjg9h0C61FPeOmmmAmz
  ANODOT_TOKEN: uvqcblfxi1d3ohvwjftgb59e3mba1x98
  GITHUB_TOKEN: 1mlcyz92suir2qzfimaeekzb1goo5lveam15hebm

When running with the KeywordDetector plugin disabled, only the SLACK_API_KEY value is detected, and not even by the slack plugin:

ERROR: Potential secrets about to be committed to git repo!

Secret Type: Base64 High Entropy String
Location:    test.yaml:6

What should be configured in order for these secrets to be detected? Why are the slack secrets not detected by the slack plugin?

Thanks

dudicoco avatar May 19 '21 18:05 dudicoco

Same here happening with release.

toniblyx avatar Jun 08 '21 12:06 toniblyx

0.14.3 detects some of them via the keyword plugin:

      {
        "hashed_secret": "dc9b6de4a6f71ef9c1131393b1bb64e050292d72",
        "is_verified": false,
        "line_number": 2,
        "type": "Secret Keyword"
      },
      {
        "hashed_secret": "feb4b6644b66d1e591bb96fb42bc4e06ce2fa65a",
        "is_verified": false,
        "line_number": 3,
        "type": "Secret Keyword"
      },
      {
        "hashed_secret": "9ed75184449b25a4a079f884b8aacbd47516e4a3",
        "is_verified": false,
        "line_number": 4,
        "type": "Secret Keyword"
      },
      {
        "hashed_secret": "64a20535ff4cf3a34c0b4ab9fdc09b77db62ed89",
        "is_verified": false,
        "line_number": 6,
        "type": "Secret Keyword"
      }

Seems that 1.x got weaker by default for the API keys & passwords case.

dmivankov avatar Jul 07 '21 10:07 dmivankov

We're hitting the same problem.

This secret is not detected:

env:
  APIKEY: 550e7956f012f471d91a126c635add67

This secret is detected:

env:
  APIKEY: "550e7956f012f471d91a126c635add67"

If I scan the string directly, the HexHighEntropyString plugin detects it:

$ detect-secrets scan --string 550e7956f012f471d91a126c635add67
AWSKeyDetector         : False
ArtifactoryDetector    : False
AzureStorageKeyDetector: False
Base64HighEntropyString: False (3.64)
BasicAuthDetector      : False
CloudantDetector       : False
DiscordBotTokenDetector: False
GitHubTokenDetector    : False
HexHighEntropyString   : True  (3.64)
IbmCloudIamDetector    : False
IbmCosHmacDetector     : False
JwtTokenDetector       : False
KeywordDetector        : False
MailchimpDetector      : False
NpmDetector            : False
PrivateKeyDetector     : False
SendGridDetector       : False
SlackDetector          : False
SoftlayerDetector      : False
SquareOAuthDetector    : False
StripeDetector         : False
TwilioKeyDetector      : False

Any idea why the secret is not detected in the file when not quoted?

robinbowes avatar Jun 05 '23 15:06 robinbowes
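To make the numbers in this thread reproducible, here is a small model of the high-entropy check, added as an example and not detect-secrets' own code. It assumes the plugin defaults (hex limit 3.0, base64 limit 4.5, base64 charset including `-` and `_`) and assumes that, on a plain file line, the plugins only consider quoted values while `--string` treats the whole value as the candidate; `scan_line`, `scan_string` and the sample values below are constructed for this example.

```python
import math
import re
import string

# Assumed charsets and default limits, modelled on the Hex/Base64
# HighEntropyString plugins (illustrative reimplementation, not the real code).
CHARSETS = {
    "hex": string.hexdigits,
    "base64": string.ascii_letters + string.digits + "+/=-_",
}
LIMITS = {"hex": 3.0, "base64": 4.5}


def shannon_entropy(data: str, charset: str) -> float:
    """Bits of entropy per character, counting only characters from `charset`."""
    if not data:
        return 0.0
    entropy = 0.0
    for ch in set(charset):
        p = data.count(ch) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def quoted_candidates(line: str, charset: str) -> list:
    """Assumed line regex: only a quoted run of charset characters is a candidate."""
    pattern = re.compile(r"""(['"])([%s]+)\1""" % re.escape(charset))
    return [m.group(2) for m in pattern.finditer(line)]


def scan_line(line: str) -> dict:
    """Return {plugin: entropy} for quoted values on a file line above the limit."""
    hits = {}
    for name, charset in CHARSETS.items():
        for cand in quoted_candidates(line, charset):
            ent = shannon_entropy(cand, charset)
            if ent > LIMITS[name]:
                hits[name] = round(ent, 2)
    return hits


def scan_string(value: str) -> dict:
    """Model of `detect-secrets scan --string`: the whole value is the candidate."""
    hits = {}
    for name, charset in CHARSETS.items():
        if re.fullmatch("[%s]+" % re.escape(charset), value):
            ent = shannon_entropy(value, charset)
            if ent > LIMITS[name]:
                hits[name] = round(ent, 2)
    return hits
```

With the sample values from this thread (constructed, fake secrets), the unquoted `APIKEY` line yields no candidate, the quoted line and `--string` both report the hex plugin at 3.64, and the `SLACK_API_KEY` value scores above the 4.5 base64 limit, which matches the three observations above.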