No feature parity in detection between pre-commit and scan-local-repo for tartufo v3, contrary to v2

Open pmevzek-godaddy opened this issue 2 years ago • 2 comments

🐛 Bug Report

My expectation is that pre-commit on a given commit and scan-local-repo just after the commit is added return the same results. If pre-commit says "all clear", and the commit is added, if I run scan-local-repo just after, it shouldn't flag as a problem the exact same commit that pre-commit was happy with.

However, that does not seem to be the case: pre-commit lets through a commit that is flagged right afterwards by scan-local-repo.

To Reproduce

$ git init test3
Initialized empty Git repository in /private/tmp/test3/.git/
$ cd test3
$ git commit --allow-empty -m 'Start'
[main (root-commit) 42f5966] Start
$ tartufo --version
tartufo, version 3.1.3
$ echo OnVybD48c21kOnZvaWNlPiszMi4yMDAwMDAwMDwvc21kOnZvaWNlPjwvc21kOmlzc3VlckluZm8 > secret.txt
$ git add secret.txt
$ tartufo --entropy pre-commit
Time: 2022-04-13T14:53:40.109393
All clear. No secrets detected.
$ git commit -m 'Secret added'
[main 15032bb] Secret added
 1 file changed, 1 insertion(+)
 create mode 100644 secret.txt
$ tartufo --entropy scan-local-repo .
~~~~~~~~~~~~~~~~~~~~~
Reason: High Entropy
Filepath: secret.txt
Signature: ca29177c396aa5465f41495af1e486d666308b51b7dab52228730624466cbc25
Commit time: 2022-04-13 14:55:08
Commit message: Secret added

Commit hash: 15032bb925d8650ebd15fe8d5f3a2f8b76327168
Branch: main
diff --git a/secret.txt b/secret.txt
new file mode 100644
index 0000000..049ae76
--- /dev/null
+++ b/secret.txt
@@ -0,0 +1 @@
+OnVybD48c21kOnZvaWNlPiszMi4yMDAwMDAwMDwvc21kOnZvaWNlPjwvc21kOmlzc3VlckluZm8

Switching tartufo back to some 2.x versions makes it work correctly, so something changed between versions 2 and 3.

$ pipx inject tartufo 'tartufo<3'
  injected package tartufo into venv tartufo
done! ✨ 🌟 ✨
$ pipx inject tartufo 'click<8'
  injected package click into venv tartufo
done! ✨ 🌟 ✨
$ tartufo --version
tartufo, version 2.10.1
$ git init test4
$ cd test4/
$ git commit --allow-empty -m 'Start'
[main (root-commit) 6340e72] Start
$ echo OnVybD48c21kOnZvaWNlPiszMi4yMDAwMDAwMDwvc21kOnZvaWNlPjwvc21kOmlzc3VlckluZm8 > secret.txt
$ git add secret.txt
$  tartufo --entropy pre-commit
~~~~~~~~~~~~~~~~~~~~~
Reason: High Entropy
Filepath: secret.txt
Signature: ca29177c396aa5465f41495af1e486d666308b51b7dab52228730624466cbc25
@@ -0,0 +1 @@
+OnVybD48c21kOnZvaWNlPiszMi4yMDAwMDAwMDwvc21kOnZvaWNlPjwvc21kOmlzc3VlckluZm8

~~~~~~~~~~~~~~~~~~~~~

Expected Behavior

Tartufo v3 should behave here like tartufo v2 and detect the problem at pre-commit step.

Code Example

N/A

Environment

See above. Python 3.9, tartufo 3.1.3 and 2.10.1 as comparison.

pmevzek-godaddy, Apr 13 '22 20:04

May be a duplicate of #331

pmevzek-godaddy, Apr 27 '22 19:04

Hi @pmevzek-godaddy. This has been fixed in v3.1.4.

$  tartufo --version
tartufo, version 3.1.4
$  git init tartufo-test
Initialized empty Git repository in /Users/smimani/GoDaddy/tartufo-test/.git/
$  cd tartufo-test
$  git commit --allow-empty -m 'Start'
[master (root-commit) d7bfc27] Start
$  echo OnVybD48c21kOnZvaWNlPiszMi4yMDAwMDAwMDwvc21kOnZvaWNlPjwvc21kOmlzc3VlckluZm8 > secret.txt
$  git add secret.txt
$  tartufo --entropy pre-commit
~~~~~~~~~~~~~~~~~~~~~
Reason: High Entropy
Filepath: secret.txt
Signature: ca29177c396aa5465f41495af1e486d666308b51b7dab52228730624466cbc25
diff --git a/secret.txt b/secret.txt
new file mode 100644
index 0000000..049ae76
--- /dev/null
+++ b/secret.txt
@@ -0,0 +1 @@
+OnVybD48c21kOnZvaWNlPiszMi4yMDAwMDAwMDwvc21kOnZvaWNlPjwvc21kOmlzc3VlckluZm8

~~~~~~~~~~~~~~~~~~~~~
$  git commit -m 'Secret added'                                                                                                                                                                       1 ↵
[master cca4b62] Secret added
 1 file changed, 1 insertion(+)
 create mode 100644 secret.txt
$  tartufo --entropy scan-local-repo .
~~~~~~~~~~~~~~~~~~~~~
Reason: High Entropy
Filepath: secret.txt
Signature: ca29177c396aa5465f41495af1e486d666308b51b7dab52228730624466cbc25
Commit time: 2022-05-31 16:56:28
Commit message: Secret added

Commit hash: cca4b62db10e413edf6945c9082930076d7a5b02
Branch: master
diff --git a/secret.txt b/secret.txt
new file mode 100644
index 0000000..049ae76
--- /dev/null
+++ b/secret.txt
@@ -0,0 +1 @@
+OnVybD48c21kOnZvaWNlPiszMi4yMDAwMDAwMDwvc21kOnZvaWNlPjwvc21kOmlzc3VlckluZm8

~~~~~~~~~~~~~~~~~~~~~

sushantmimani, May 31 '22 23:05
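
A check that makes the parity expectation in this issue testable, as an added example that is not part of the thread or of tartufo's code: it parses the text output format shown in the sessions above and reports findings that scan-local-repo emits but pre-commit missed. The function names are hypothetical, and the sample strings are the thread's own output, abridged to the header fields.

```python
import re

# A run of tildes separates findings in the text output shown in this issue.
SEPARATOR = re.compile(r"^~{5,}\s*$", re.MULTILINE)
# Header fields start at column 0; quoted diff lines start with "+", "-" or " ".
FIELD = re.compile(r"^(Reason|Filepath|Signature): (.+)$", re.MULTILINE)

# Output copied from the sessions in this thread, abridged to the header fields.
SIG = "ca29177c396aa5465f41495af1e486d666308b51b7dab52228730624466cbc25"
PRE_COMMIT_3_1_3 = "Time: 2022-04-13T14:53:40.109393\nAll clear. No secrets detected.\n"
PRE_COMMIT_3_1_4 = (
    "~~~~~~~~~~~~~~~~~~~~~\nReason: High Entropy\nFilepath: secret.txt\n"
    f"Signature: {SIG}\n~~~~~~~~~~~~~~~~~~~~~\n"
)
REPO_SCAN = (
    "~~~~~~~~~~~~~~~~~~~~~\nReason: High Entropy\nFilepath: secret.txt\n"
    f"Signature: {SIG}\nCommit time: 2022-04-13 14:55:08\n"
    "Commit message: Secret added\n\nBranch: main\n"
)


def parse_findings(output):
    """Return the set of (filepath, signature, reason) findings in the text output."""
    findings = set()
    for block in SEPARATOR.split(output):
        fields = {}
        for key, value in FIELD.findall(block):
            # First occurrence wins: later matches may come from a commit message.
            fields.setdefault(key, value.strip())
        if {"Reason", "Filepath", "Signature"} <= fields.keys():
            findings.add((fields["Filepath"], fields["Signature"], fields["Reason"]))
    return findings


def parity_gaps(pre_commit_output, repo_scan_output):
    """Findings the repository scan reports that the pre-commit scan did not."""
    return parse_findings(repo_scan_output) - parse_findings(pre_commit_output)


if __name__ == "__main__":
    for name, out in (("3.1.3", PRE_COMMIT_3_1_3), ("3.1.4", PRE_COMMIT_3_1_4)):
        print(name, sorted(parity_gaps(out, REPO_SCAN)) or "parity holds")
```

Comparing on the signature works here because, in the sessions above, both commands report the same signature for the same line of secret.txt.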