Relative path not working for exclusion list
Hi Björn, let me start by saying I love your tool 😊
I'm using it (latest version, 2.0.1) in our repo and somehow the relative paths don't work for the exclusion list.
This is what I'm doing:
Find-Secret -Path C:\src\mycode\ -Excludelist C:\src\mycode\build\pipelines\.ignoreSecrets
The .ignoreSecrets file looks like this:
.\src\Webparts\myProject-myworkspaces\package-lock.json
.\src\Webparts\myProject-records\package-lock.json
and I'm getting failures:
PSSecretScanner Scan Results @ [ 17:44:57 - 17:45:08] 11.82s
PatternName: Connection String
LineNumber Path
---------- ----
71955 C:\src\mycode\src\Webparts\myProject-records\package-lock.json
72027 C:\src\mycode\src\Webparts\myProject-records\package-lock.json
75279 C:\src\mycode\src\Webparts\myProject-records\package-lock.json
PatternName: Google API Key
LineNumber Path
---------- ----
12754 C:\src\mycode\src\Webparts\myProject-myworkspaces\package-lock.json
48670 C:\src\mycode\src\Webparts\myProject-myworkspaces\package-lock.json
found 5 secrets!!!!!
If I add the full paths in the exclude list it works just fine:
C:\src\mycode\src\Webparts\myProject-myworkspaces\package-lock.json
C:\src\mycode\src\Webparts\myProject-records\package-lock.json
Incidentally they're a false positive, that's why I want to exclude them. For example, like 71955 looks like "version": "npm:[email protected]" and 12754 like "integrity": "sha512-LOOOONGSTRING==" (ok that's a hash that looks very much like a secret).
BTW I have a workaround as follows:
$scanResults = Find-Secret -Path '$(System.DefaultWorkingDirectory)'
$scanErrors = $scanResults.Results | Where-Object { $_.Filename -ne 'package-lock.json' }
if ($scanErrors.Count -gt 0) {
    $scanErrors | Format-List
    throw "Secrets detected in $($scanErrors.Count) files"
}
It's not great but it works.
Hello, and first of all, thank you for your kind words! It makes me super happy when people find my toys useful 🥰
I have been away at a conference, but I will look into this as soon as I have the time.
Ok, I think I can see the issue. The exclude list is actually working as intended, but the docs do need an update.
Relative paths are always calculated using the .ignoresecrets file as root source.
So, your file is C:\src\mycode\build\pipelines\.ignoreSecrets, and therefore, if you add a relative path such as .\src\Webparts\myProject-myworkspaces\package-lock.json the resolved path would be C:\src\mycode\build\pipelines\\src\Webparts\myProject-myworkspaces\package-lock.json
Basically, replace the . in your relative path with the full name of the folder that .ignoresecrets is stored in.
I understand this can be confusing, but the reason for this decision is that it was the least confusing (and easiest to calculate) I could think of that worked whether we are in a git repo or not.
One solution to your issue could be to add \..\ to your relative path so it becomes .\..\..\..\src\Webparts\myProject-myworkspaces\package-lock.json , although I do not really like this myself. It looks icky 😂
Other options would be either to store your .ignoresecrets file in the src folder, or use something like a build script to resolve paths before running it in the pipeline..
I am 100% open to any other options or ideas to make the ignoresecrets more flexible though..
As for right now I will clarify the docs on this. Hope this helps!
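An added example, not part of PSSecretScanner or of this thread, that applies the resolution rule described above to the paths from this issue: relative entries are rooted at the folder holding the list file, and a small pre-flight check reports entries that resolve to a file that does not exist. The function names are hypothetical.

```powershell
# Added example (not PSSecretScanner's own code): resolve an .ignoreSecrets entry the way
# the maintainer describes, i.e. relative entries are rooted at the folder that holds the list.
function Resolve-IgnoreSecretsEntry {
    param(
        [Parameter(Mandatory)][string] $ExcludeListPath,   # e.g. C:\src\mycode\build\pipelines\.ignoreSecrets
        [Parameter(Mandatory)][string] $Entry              # one line of that file
    )
    if ([System.IO.Path]::IsPathRooted($Entry)) {
        # Absolute entries are taken as-is (this is why the full-path variant in the issue works).
        return [System.IO.Path]::GetFullPath($Entry)
    }
    $listFolder = Split-Path -Path $ExcludeListPath -Parent
    # GetFullPath collapses .\ and ..\ segments without touching the file system.
    return [System.IO.Path]::GetFullPath((Join-Path -Path $listFolder -ChildPath $Entry))
}

# Pre-flight check for a pipeline: an entry that resolves to a non-existent file excludes
# nothing, which is exactly the symptom in the scan output above.
function Test-IgnoreSecretsList {
    param([Parameter(Mandatory)][string] $ExcludeListPath)
    Get-Content -Path $ExcludeListPath |
        Where-Object { $_.Trim() -ne '' } |
        ForEach-Object {
            $resolved = Resolve-IgnoreSecretsEntry -ExcludeListPath $ExcludeListPath -Entry $_
            [pscustomobject]@{
                Entry    = $_
                Resolved = $resolved
                Exists   = Test-Path -Path $resolved -PathType Leaf
            }
        }
}

# Constructed demonstration with the paths from this issue (no files are read by these two calls).
$list = 'C:\src\mycode\build\pipelines\.ignoreSecrets'
# The entry as written in the issue: rooted at build\pipelines, so it never matches the scanned file.
Resolve-IgnoreSecretsEntry -ExcludeListPath $list -Entry '.\src\Webparts\myProject-records\package-lock.json'
# The ..\ variant suggested above: climbs back to C:\src\mycode before descending into src\.
Resolve-IgnoreSecretsEntry -ExcludeListPath $list -Entry '.\..\..\..\src\Webparts\myProject-records\package-lock.json'

# Fail fast before scanning if any exclusion entry is dead:
# Test-IgnoreSecretsList -ExcludeListPath $list | Where-Object { -not $_.Exists }
```

The first call resolves under C:\src\mycode\build\pipelines\src\..., which is not a file the scan reports, while the second resolves to C:\src\mycode\src\Webparts\myProject-records\package-lock.json, the path shown in the scan output.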
Oh I understand now. I can simply move the .ignoreSecrets file to the root. I'll give it a try today and ping back. Many thanks!