detect-secrets
detect-secrets scan on Windows generates different file paths than on Linux
When running detect-secrets scan > .secrets.baseline on Windows, the resulting JSON has file paths in Windows style (\ instead of /). This causes issues when you try to run detect-secrets hook in a pipeline on a Linux machine (it will not recognize any secrets as part of the baseline).
Example JSON from running detect-secrets scan > .secrets.baseline on Windows:
"results": {
  "src\\Client\\wwwroot\\index.html": [
    {
      "type": "Base64 High Entropy String",
      "filename": "src\\Client\\wwwroot\\index.html",
      "hashed_secret": "somehash",
      "is_verified": false,
      "line_number": 10
    },
    {
      "type": "Base64 High Entropy String",
      "filename": "src\\Client\\wwwroot\\index.html",
      "hashed_secret": "somehash",
      "is_verified": false,
      "line_number": 25
    }
  ],
  "src\\Server\\Controllers\\BuildController.cs": [
    {
      "type": "Secret Keyword",
      "filename": "src\\Server\\Controllers\\BuildController.cs",
      "hashed_secret": "somehash",
      "is_verified": false,
      "line_number": 15
    }
  ],
  "src\\Server\\Program.cs": [
    {
      "type": "Secret Keyword",
      "filename": "src\\Server\\Program.cs",
      "hashed_secret": "somehash",
      "is_verified": false,
      "line_number": 28
    },
    {
      "type": "Secret Keyword",
      "filename": "src\\Server\\Program.cs",
      "hashed_secret": "somehash",
      "is_verified": false,
      "line_number": 31
    }
  ]
}
and on Linux:
"results": {
  "src/Client/wwwroot/index.html": [
    {
      "type": "Base64 High Entropy String",
      "filename": "src/Client/wwwroot/index.html",
      "hashed_secret": "somehash",
      "is_verified": false,
      "line_number": 10
    },
    {
      "type": "Base64 High Entropy String",
      "filename": "src/Client/wwwroot/index.html",
      "hashed_secret": "somehash",
      "is_verified": false,
      "line_number": 25
    }
  ],
  "src/Server/Controllers/BuildController.cs": [
    {
      "type": "Secret Keyword",
      "filename": "src/Server/Controllers/BuildController.cs",
      "hashed_secret": "somehash",
      "is_verified": false,
      "line_number": 15
    }
  ],
  "src/Server/Program.cs": [
    {
      "type": "Secret Keyword",
      "filename": "src/Server/Program.cs",
      "hashed_secret": "somehash",
      "is_verified": false,
      "line_number": 28
    },
    {
      "type": "Secret Keyword",
      "filename": "src/Server/Program.cs",
      "hashed_secret": "somehash",
      "is_verified": false,
      "line_number": 31
    }
  ]
}
As the Linux-generated baseline file works when running for example detect-secrets audit on Windows (which makes sense because / also works for file paths on Windows), it would be useful to change to this format so that the resulting format is consistent across platforms. If backwards compatibility is a concern, this could be introduced along with an opt-in or opt-out CLI flag (i.e. --use-windows-style-file-paths).
Hi @Pikabanga, this issue seems to be related to PR #586. I'll add this reference in here and keep you posted on the status of that PR.
For other Windows users, this means you have to add all files twice to the results section, once with \\ and once with /. I guess in the meantime we can write a script to fix the JSON file after creation and before audit looks at it.
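The post-processing script suggested in the comment above could look like this; it is an added example, not code from the thread or from detect-secrets. It assumes the baseline layout shown in the issue (a "results" map keyed by path, each finding carrying "filename", "type", "hashed_secret" and "line_number"); normalize_baseline, _finding and SAMPLE are names constructed here.

```python
import json
import sys


def normalize_baseline(baseline: dict) -> dict:
    """Return a copy of a baseline whose result paths use '/' separators.

    Entries that exist under both path styles are merged and de-duplicated,
    so a Windows-generated baseline matches what a Linux runner computes.
    Caveat: a POSIX filename that really contains a backslash is rewritten too.
    """
    merged = {}
    for path, findings in baseline.get("results", {}).items():
        posix = path.replace("\\", "/")
        bucket = merged.setdefault(posix, [])
        seen = {(f["type"], f["hashed_secret"], f["line_number"]) for f in bucket}
        for finding in findings:
            key = (finding["type"], finding["hashed_secret"], finding["line_number"])
            if key in seen:
                continue  # same finding already recorded under the other path style
            seen.add(key)
            bucket.append({**finding, "filename": posix})  # keep all other fields
    out = dict(baseline)
    out["results"] = {
        p: sorted(f, key=lambda x: x["line_number"]) for p, f in sorted(merged.items())
    }
    return out


def _finding(path, secret_hash, line):
    # Helper for the constructed sample below (hypothetical data).
    return {"type": "Secret Keyword", "filename": path, "hashed_secret": secret_hash,
            "is_verified": False, "line_number": line}


# Constructed sample: one file listed under both path styles, one Windows-only.
SAMPLE = {"results": {
    "src\\Server\\Program.cs": [_finding("src\\Server\\Program.cs", "hash-a", 28)],
    "src/Server/Program.cs": [_finding("src/Server/Program.cs", "hash-a", 28),
                              _finding("src/Server/Program.cs", "hash-b", 31)],
    "src\\Client\\wwwroot\\index.html": [_finding("src\\Client\\wwwroot\\index.html", "hash-c", 10)],
}}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # rewrite the given baseline file in place
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
        with open(sys.argv[1], "w", encoding="utf-8") as fh:
            json.dump(normalize_baseline(data), fh, indent=2)
    else:  # no argument: show the result for the constructed sample
        print(json.dumps(normalize_baseline(SAMPLE), indent=2))
```

Run it against .secrets.baseline after scanning on Windows and before committing, so the pipeline's hook sees the same path keys it computes on Linux.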
@Pikabanga #586 has been merged and will be included in the next release!