tartufo icon indicating copy to clipboard operation
tartufo copied to clipboard

Published 20 hours ago verified publisher icon godaddy

Configuration source misleading and can't easily be specified

Open rbailey-godaddy opened this issue 2 years ago • 0 comments

🐛 Bug Report

It's well-established that tartufo will examine configuration files in the target repository in order to parameterize a scan, but it is not possible to specify what version of those files actually get used. I polled my team regarding this behavior and they regard it as a bug rather than a feature. Basically:

  • tartufo scan-remote-repo uses the configuration that is in the "default" branch of the repository (i.e. the one that is checked out by default when a clone operation completes)
  • tartufo scan-local-repo uses the configuration that is current in the local working directory (which might well be the "default" branch in the context of a CICD workflow)
  • Using the --branch option has no effect on this behavior -- it controls only which commits are scanned

An additional parameter, such as --config-branch foo, should be provided to address the use case elaborated below.

To Reproduce

  1. Pick any arbitrary repository that has been configured to use tartufo
  2. Create a new branch (such as "test") and check it out
  3. Create a file with a forbidden expression or a high-entropy string
  4. Commit the file
  5. tartufo scan-local-repo . will report an issue
  6. Add the exclusion to the configuration file (i.e. pyproject.toml)
  7. Commit the configuration file
  8. tartufo scan-local-repo . will not report the issue
  9. Check out a different branch (for example, main)
  10. tartufo scan-local-repo . reports the issue
  11. tartufo scan-local-repo --branch test . reports the issue (use the branch created above)

Although the configuration is properly updated in the repository, it is ignored unless it happens to be in the current branch.

Expected Behavior

It should be possible to scan a repository using the configuration in a specified branch. This behavior should be independent of the decision to restrict the scope of a scan to a particular branch (with --branch).

In particular, if I have a new branch that contains both "false-positive" issues and exclusions permitting them, it should be possible to specify that branch for configuration retrieval and perform a full-repository scan which passes, instead of spuriously failing because configuration from a different branch was chosen outside of my control.

rbailey-godaddy avatar Jul 07 '22 18:07 rbailey-godaddy