detect-secrets icon indicating copy to clipboard operation
detect-secrets copied to clipboard
verified publisher icon Yelp

Add options for baseline diff minimizing

Open KevinHock opened this issue 7 years ago • 3 comments

--no-line-numbers (in baseline) --no-generated-at (in baseline) and "Make pre-commit hook only look at the git diff" options.

Are all possible ideas.

KevinHock avatar Nov 05 '18 20:11 KevinHock

In an active project these fields can change quite often and make merging and code review slightly more difficult. I would definitely make use of these options if they were available.

stephenpaulger avatar Jun 11 '19 10:06 stephenpaulger

Removing good first issue label.

The super tricky thing about this is that there's a reason for each of the fields. For example:

  • The line_number field powers the audit functionality
  • The version field indicates which version the baseline was generated at, to assist with backwards compatibility, and debugging issues when something breaks due to a version bump.
  • The generated_at field allows security teams to manually verify post-hoc whether this tool would have caught a secret found, if clients had used this pre-commit tool. This really helps with evangelization and promotion of best practices, seeing that pre-commit by its nature, is mostly an opt-in tool.

It's currently unclear what we would do for a "minimized baseline" to address the above points.

domanchi avatar Jun 25 '19 14:06 domanchi

The generated_at field allows security teams to manually verify post-hoc whether this tool would have caught a secret found, if clients had used this pre-commit tool. This really helps with evangelization and promotion of best practices, seeing that pre-commit by its nature, is mostly an opt-in tool.

What are the benefits of this over git log?

The version field indicates which version the baseline was generated at, to assist with backwards compatibility, and debugging issues when something breaks due to a version bump.

This doesn't change with many multiple users running their pre-commit hooks, causing merge conflicts etc. So I don't think this needs to be trimmed in the hypothetical future --minimize-baseline-diff option.

The line_number field powers the audit functionality.

This is tricky, we'd need to change the audit functionality to look only for a secret matching the hashed_secret before doing this.

I don't know if the e.g. --no-generated-at (in baseline) or "Make pre-commit hook only look at the git diff" options are complicated though.

KevinHock avatar Jun 25 '19 18:06 KevinHock