
Common false positive with submodule update

Open yunikkk opened this issue 3 years ago • 2 comments

What repository are you running secret-shield on?

Multiple mapbox repos

What version of secret-shield are you running?

1.0.2

How did you invoke secret-shield?

pre-commit git hook

How is secret-shield not working as expected?

In projects with submodules, where submodules are often changed and developed in parallel with the parent project, it is common for a submodule to be in a modified state. Then secret-shield wrongly detects a GitHub token secret in the `Subproject commit *` string.

I've been able to disable this false positive by adding

    {
      "type": "remove",
      "name": "Ignore submodule commits",
      "pattern": "\\bSubproject commit [0-9a-zA-Z]+\\b"
    },

entry to the `"preprocess":` section of the json rule. Though it seems every rule will need to be modified similarly to avoid this false positive.

Initially I'd expected that it could be solved by just adding the Submodule commit string to the falsePositive json here, as the docs state the string should be ignored completely: https://github.com/mapbox/secret-shield/blob/main/docs/writingRules.md#bulk-ignore. But it didn't work for me, and from the source code it seems that items from the falsePositive json are only replaced in the string, so it works differently, not ignoring the whole string but just the matching part. Not sure if that's intended or a bug that should be fixed.

yunikkk avatar Oct 22 '21 13:10 yunikkk
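Added illustration (not part of the issue or of secret-shield's code): the `remove` preprocess rule quoted above, applied as a plain regex substitution to a constructed staged diff, with a 40-hex pattern standing in for the token rule that fires on a submodule pointer. It shows the false positive disappearing while a constructed credential elsewhere in the diff is still reported, and that a `remove` rule strips only the matched text, not the whole line. The token regex and the substitution semantics are assumptions, not secret-shield's own implementation.

```python
import re

# The preprocess entry from the issue, reused verbatim.
SUBMODULE_RULE = {
    "type": "remove",
    "name": "Ignore submodule commits",
    "pattern": r"\bSubproject commit [0-9a-zA-Z]+\b",
}

# Assumption: a bare 40-hex-character string stands in for the GitHub token
# rule. A SHA-1 commit id has exactly that shape, which is why a submodule
# pointer line trips it.
TOKEN_PATTERN = re.compile(r"\b[0-9a-f]{40}\b")

# Constructed staged diff: one modified submodule pointer plus one constructed
# 40-hex value playing the role of a real leaked credential.
CONSTRUCTED_DIFF = """\
--- a/libs/util
+++ b/libs/util
@@ -1 +1 @@
-Subproject commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
+Subproject commit 0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a
--- a/config.py
+++ b/config.py
+API_TOKEN = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
"""


def preprocess(text, rules):
    """Apply 'remove' rules as substitutions: only the matched span is
    deleted, the rest of the line (including a trailing comment) survives."""
    for rule in rules:
        if rule["type"] == "remove":
            text = re.sub(rule["pattern"], "", text)
    return text


def scan(text, rules=()):
    """Return token-shaped strings found after preprocessing."""
    return TOKEN_PATTERN.findall(preprocess(text, rules))


if __name__ == "__main__":
    print("without rule:", scan(CONSTRUCTED_DIFF))   # both hashes + token
    print("with rule:   ", scan(CONSTRUCTED_DIFF, [SUBMODULE_RULE]))  # token only
    print(repr(preprocess("+Subproject commit abc123 # pinned", [SUBMODULE_RULE])))
```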

cc @IamGreut since you seem to be the most active in the repo recently WDYT about the issue?

yunikkk avatar Oct 22 '21 14:10 yunikkk

@yunikkk Thanks for bringing this up. Tracking.

IamGreut avatar Oct 22 '21 17:10 IamGreut