detect-secrets icon indicating copy to clipboard operation
detect-secrets copied to clipboard

Published 20 hours ago verified publisher icon Yelp

Empty results object in resulting JSON when running `detect-secrets scan`, but results are expected (and returned with `detect-secrets-hook`)

Open bender-the-greatest opened this issue 7 months ago • 0 comments

  • I'm submitting a ...

    • [x] bug report
    • [ ] feature request

  • What is the current behavior? detect-secrets scan is not returning any results in the returned JSON, though git ls-files -z | xargs -0 detect-secrets-hook seems to work as expected.

  • If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem

  1. Change to local repo directory
  2. Set up virtual env for detect-secrets: py.exe -3.11 -m venv detect-secrets
  3. Activate venv: ./detect-secrets/Scripts/Activate.ps1
  4. Install detect-secrets if missing: pip install detect-secrets
  5. Run detect-secrets scan
    • The full command we want to work is detect-secrets scan --all-files --force-use-all-plugins --exclude-files FETCH_HEAD, but this can also be demonstrated with no additional arguments.
  6. The resulting JSON file contains an empty list of results, but we know there should be some items being identified in this repo.

  • What is the expected behavior? The results object in the resulting JSON should have the expected secrets or false positives identified so it may be used to create a baseline secrets file.

  • What is the motivation / use case for changing the behavior? We have an ADO pipeline scanning our organization's Git repositories to flag when potential secrets are found in source code. We get results flagged when it is run as part of this pipeline (pipeline OS is Ubuntu). However, trying to reproduce the same command against the same repo but on a Windows development machine yields no results returned.

Because we have a high number of false positives being identified in files that are updated somewhat frequently (e.g. file hashes and registry paths are often misidentified as Base64 High Entropy String) we want to run the same command locally so we can make sure to update our secrets baseline before the pipeline scan occurs to prevent having to double back to re-confirm secrets flagged after the pipeline detect-secrets has run and we are notified at a later time.

  • Please tell us about your environment:

    • detect-secrets Version: 1.5.0
    • Python Version: 3.11
    • OS Version: Windows 11 (via PowerShell 5.1)
    • File type (if applicable): git repo (mostly ruby files and powershell scripts)

  • Other information Installing findutils on Windows and using git ls-files -z | xargs -0 detect-baseline-hook does flag the items we are expecting to see, but this is both different than what is returned with the detect-secrets scan entrypoint and is also not suitable for creating a baseline secrets file.

bender-the-greatest avatar Jul 26 '24 15:07 bender-the-greatest