detect-secrets

Helm (presumably any /* */) comments aren't supported

Open dannysauer opened this issue 2 years ago • 3 comments

Doesn't work:

{{- $password = index $split 1 }}{{- /* pragma: allowlist secret */}}

Does work:

{{- $password = index $split 1 }}{{- /* # pragma: allowlist secret */}}

This gives me teh sadz, but I figured I'd at least document the workaround in an issue for future people. 🤷

dannysauer, May 18 '22 22:05

@dannysauer Hello, can you please let me know which file type this is in and some more context around the line in question.

jpdakran, Jun 29 '22 16:06

I'm not sure what else to say, @jpdakran :)

This was in a helm template file (so, Go template format). That templating language allows for basically C-style delimited comments. I have a variable called password which gets populated by an element from an array. The detect-secrets parser does not recognize the delimited comments; specifically it does not recognize the /* marking the beginning of a comment. It inaccurately expects comments in the helm template files to start with #.

So, the workaround above is to make a proper comment in the template file, and then to precede the pragma with the expected comment character.

In a helm chart, only the yaml files (so basically just the values file and the chart definition) work with # comment style comments; the template files use {{- /* comment */}}. So, I'm guessing that the delimited comments aren't supported. This would be similar to """ multi-line python comment """ or ` support, for another couple of potential examples. Supporting delimited comments is probably something moderately useful, as they can be used on one line as in the above example, or could possibly precede the line like this:

{{- /*
 pragma: allowlist secret
 */}}
{{- $password = index $split 1 }}

I don't know if that works in, say, C - but the general "comment start marker" and "comment end marker" style might be something handy for quite a few languages.

Here's the Helm comment documentation, for reference: https://helm.sh/docs/chart_best_practices/templates/#comments-yaml-comments-vs-template-comments

dannysauer, Oct 13 '22 20:10

Granted, the "line above" mechanism could work with # pragma .... However, in this case, what would actually happen is that the variable being defined would not show up in the emitted YAML. It's used later; that line doesn't print anything. But the YAML comment line would show up in the template. So the generated YAML in the k8s manifest would have a weird comment which does not apply to the actual YAML content, potentially confusing someone in the future. Using the native template language's delimited comments means the pragma is omitted from the generated YAML, making everyone happy. :)

dannysauer, Oct 13 '22 20:10
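The "comment start marker / comment end marker" matching requested in this thread could look like the following sketch. It is an added example, not detect-secrets code and not part of any comment above; the regexes, function names and sample lines are assumptions, and only the pragma text and the Helm snippets come from the thread.

```python
import re

# Pragma text as written in this thread; everything else here is an assumption.
PRAGMA = r"pragma:\s*allowlist\s+secret"
LINE_COMMENT = re.compile(r"(?:#|//)\s*" + PRAGMA + r"\s*$")
# Delimited comment; a leading '#' inside it (the workaround above) is tolerated.
BLOCK_COMMENT = re.compile(r"/\*[\s#]*" + PRAGMA + r"\s*\*/")
BLOCK_OPEN = re.compile(r"\s*(?:\{\{-?\s*)?/\*")     # "/*" or "{{- /*" at line start
BLOCK_CLOSE = re.compile(r"\*/\s*(?:-?\}\})?\s*$")   # "*/" or "*/}}" at line end

def has_pragma(text):
    return bool(LINE_COMMENT.search(text) or BLOCK_COMMENT.search(text))

def comment_above(lines, i):
    """Text of a comment-only block ending on the line directly above i, else ''."""
    j = i - 1
    if j < 0:
        return ""
    if re.match(r"\s*(?:#|//)", lines[j]):
        return lines[j]
    if not BLOCK_CLOSE.search(lines[j]):
        return ""
    k = j
    while k >= 0 and "/*" not in lines[k]:
        k -= 1
    # The opener must start its line, so a pragma trailing the previous
    # statement does not leak onto the statement below it.
    if k < 0 or not BLOCK_OPEN.match(lines[k]):
        return ""
    return "\n".join(lines[k:j + 1])

def is_allowlisted(lines, i):
    return has_pragma(lines[i]) or has_pragma(comment_above(lines, i))

# Constructed sample: $token and the YAML keys/values are made up.
SAMPLE = [
    "{{- $password = index $split 1 }}{{- /* pragma: allowlist secret */}}",
    "{{- $token = index $split 2 }}",
    "{{- /*",
    " pragma: allowlist secret",
    " */}}",
    "{{- $password = index $split 1 }}",
    "password: example-value  # pragma: allowlist secret",
    "apiKey: example-value",
]

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE):
        print(is_allowlisted(SAMPLE, n), line)
```

Lines 0, 5 and 6 of the sample are treated as allowlisted; lines 1 and 7 are not, because the pragma on the line above them belongs to a different statement.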