Codacy detector should be more specific and should not use /version endpoint for token verification
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
Currently, the Codacy detector detects lines like

```
2022-08-19 19:22:38.155Z info [ReportRules] Generated coverage report: /tmp/codacy-coverage-15620814908828598437.json (145.15 kB) - (ReportRules.scala:265)
```

as verified secrets (15620814908828598437 in this case).
Btw, this is from off-the-shelf codacy/codacy-coverage-reporter-action.
Problem to be Addressed
Codacy detector should be more sensitive and should not be using https://app.codacy.com/api/v3/version as token verification endpoint, as this endpoint is unauthenticated and always returns 200.
Description of the Preferred Solution
Perhaps we should add /tmp/codacy-coverage to the list of known FPs for this detector? This seems like it will be a common occurrence, coming from the official codacy/codacy-coverage-reporter-action.
Additionally, FPs marked in this pattern consist of 20 digit-only characters, which seems like an outlier because typical Codacy tokens have various alphanumeric characters, not just digits. Perhaps there's improvement to be made there in the regex.
Also, we should use an authenticated endpoint for verification (I'm not sure which one, however).
Additional Context
References
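The two problems the issue describes, a 20-character pattern that also matches the digit-only suffix of the coverage report's temp file, and a verification call against an endpoint that returns 200 for any token, illustrated together in an added Go example. This is not the project's detector code: the keyword gate, the `api-token` header name, the `/api/v3/user` path used as the "authenticated" stand-in, and every sample line except the first (which mirrors the log line from the issue) are assumptions made here. Both endpoints are local `httptest` servers, so it runs offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// SampleLines are constructed inputs: the first mirrors the log line in the issue, the rest are invented here.
var SampleLines = []string{
	"2022-08-19 19:22:38.155Z info [ReportRules] Generated coverage report: /tmp/codacy-coverage-15620814908828598437.json (145.15 kB) - (ReportRules.scala:265)",
	"export CODACY_PROJECT_TOKEN=aBcD1234eFgH5678iJkL", // assumed token shape: 20 mixed alphanumerics
	"codacy upload job 12345678901234567890 queued",    // digits only, suppressed by the heuristic
}

var (
	keywordRe    = regexp.MustCompile(`(?i)codacy`)          // assumed keyword gate
	candidateRe  = regexp.MustCompile(`\b([0-9A-Za-z]{20})\b`) // 20-char alphanumeric candidate
	digitsOnlyRe = regexp.MustCompile(`^[0-9]{20}$`)
)

// coverageReportPrefix is the temp-file path the coverage reporter writes (from the issue).
const coverageReportPrefix = "/tmp/codacy-coverage-"

// Detect returns candidates that survive both suppressions proposed in the issue, plus the suppressed ones with a reason.
func Detect(lines []string) (found, suppressed []string) {
	for _, line := range lines {
		if !keywordRe.MatchString(line) {
			continue // no "codacy" on the line: never a candidate
		}
		for _, m := range candidateRe.FindAllStringSubmatch(line, -1) {
			tok := m[1]
			switch {
			case strings.Contains(line, coverageReportPrefix+tok):
				suppressed = append(suppressed, tok+" (coverage-report temp file)")
			case digitsOnlyRe.MatchString(tok):
				suppressed = append(suppressed, tok+" (digits only)")
			default:
				found = append(found, tok)
			}
		}
	}
	return found, suppressed
}

// Verifier sends the candidate in an api-token header (assumed name) and calls it verified on HTTP 200.
// That is only sound if Endpoint actually rejects bad tokens.
type Verifier struct {
	Client   *http.Client
	Endpoint string
}

func (v Verifier) Verify(token string) (bool, error) {
	req, err := http.NewRequest(http.MethodGet, v.Endpoint, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("api-token", token)
	resp, err := v.Client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}

// newAlwaysOKServer stands in for the unauthenticated /version endpoint: 200 for any token.
func newAlwaysOKServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"version":"stand-in"}`)
	}))
}

// newAuthServer stands in for an authenticated endpoint: 200 only for the known token, else 401.
func newAuthServer(valid string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("api-token") != valid {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"user":"stand-in"}`)
	}))
}

func main() {
	found, suppressed := Detect(SampleLines)
	fmt.Println("candidates:", found, "suppressed:", suppressed)

	always, auth := newAlwaysOKServer(), newAuthServer("aBcD1234eFgH5678iJkL")
	defer always.Close()
	defer auth.Close()

	// The file suffix "verifies" against the always-200 endpoint but not against the authenticated one.
	for _, tok := range []string{"aBcD1234eFgH5678iJkL", "15620814908828598437"} {
		viaVersion, _ := Verifier{Client: always.Client(), Endpoint: always.URL + "/api/v3/version"}.Verify(tok)
		viaAuth, _ := Verifier{Client: auth.Client(), Endpoint: auth.URL + "/api/v3/user"}.Verify(tok)
		fmt.Printf("%s: version endpoint=%v authenticated endpoint=%v\n", tok, viaVersion, viaAuth)
	}
}
```

The digits-only suppression is a heuristic from the issue, not a documented property of Codacy tokens; if it is adopted, the suppressed list is what to watch for missed real tokens. The verification half is the stronger fix: whatever the regex does, a verifier that cannot return false for a bad token adds no information.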
Thank you, this should be fixed in #758 and should be released soon.
Thanks! Would it be possible to make this detector more specific also?
Hey Dinvlad, feel free to open up another issue for making the detector more specific; closing this one since the verification part has been resolved.