Request: using a baseline as an allowlist
jamesbraza opened this issue · 5 comments
I'm submitting a ...
- bug report
- feature request
What is the current behavior?
`detect-secrets==1.4.0` is flagging `"doi"` as a secret. This is an acronym for Digital Object Identifier, and is not a secret.
To solve this issue, I would have to:
- Place many `# pragma: allowlist secret` for each `"doi"` instance
- Or define some complex regex for `--exclude-secrets`
What is the expected behavior?
I would like to:
- Export a baseline: `detect-secrets scan --baseline .secrets.baseline`
- Use that baseline as an allowlist

Can we make some argument that allows one to use the "results" in a baseline file as an allow list for secrets?
What is the motivation / use case for changing the behavior?
I like the baseline file concept, it's basically a config file for `detect-secrets`.
Please tell us about your environment:
- detect-secrets Version: 1.4.0
- Python Version: 3.12.2
- OS Version: macOS Sonoma 14.3
- File type (if applicable): Python
Other information
N/a
Hi @jamesbraza 👋🏼 thanks for opening this issue! How would you envision this allowlist?
Thanks for asking! To be more concise, the idea of the allowlist is going from many `# pragma: allowlist secret` comments in my code base to just 1 entry in an allowlist file.
I think a YAML or TOML config file is fine, where allowed secrets show up in a YAML list. Open to anything really, and ideally it plays nicely with `detect-secrets scan --baseline .secrets.baseline`
@jamesbraza I think the existing `--exclude-secrets` option is what you're looking for. There's a corresponding setting you can put in your baseline file.
You are correct! It ends up in the baseline looking like this:
```json
{
  "path": "detect_secrets.filters.regex.should_exclude_secret",
  "pattern": [
    "abc123",
    "def456",
    "test_value"
  ]
}
```
That being said, I ended up going with the `word_list` extra and invoking like so:
```shell
detect-secrets scan --word-list=.secrets.allowlist
```
Going to close this out, thank you both!
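The two mechanisms this thread settles on, the `should_exclude_secret` regex filter stored in the baseline and the `--word-list` file, match a flagged string in different ways, and that difference decides how much a short entry like `doi` suppresses. The Python below is an added illustration of those matching rules, not detect-secrets' own code. The filter path and the JSON shape are taken from the baseline snippet above; the baseline fragment, the word-list contents and the candidate strings are constructed sample data; treating the word list as case-insensitive substring containment is an assumption about the real tool.

```python
"""Allowlist matching semantics behind --exclude-secrets and --word-list.

Added illustration, not detect-secrets' own implementation. It shows why an
unanchored regex entry or a short word-list entry also silences real secrets
that merely contain the allowlisted text.
"""
import json
import re

# Filter path as it appears in the baseline snippet in this thread.
EXCLUDE_FILTER_PATH = "detect_secrets.filters.regex.should_exclude_secret"

# Constructed baseline fragment in the shape shown above (anchored patterns).
BASELINE_JSON = """
{
  "version": "1.4.0",
  "filters_used": [
    {
      "path": "detect_secrets.filters.regex.should_exclude_secret",
      "pattern": ["^doi$", "^test_value$"]
    }
  ],
  "results": {}
}
"""

# Constructed word list: one allowed substring per line, as --word-list expects.
WORD_LIST_TEXT = """doi
placeholder
"""


def compile_patterns(raw_patterns):
    """Compile the raw pattern strings from a filter entry."""
    return [re.compile(p) for p in raw_patterns]


def load_exclude_patterns(baseline_text):
    """Collect the regexes from the baseline's should_exclude_secret filter."""
    baseline = json.loads(baseline_text)
    patterns = []
    for filt in baseline.get("filters_used", []):
        if filt.get("path") == EXCLUDE_FILTER_PATH:
            patterns.extend(compile_patterns(filt.get("pattern", [])))
    return patterns


def is_excluded_by_regex(secret, patterns):
    """Regex filter: re.search semantics, so an unanchored pattern matches anywhere."""
    return any(p.search(secret) for p in patterns)


def load_word_list(text):
    """One allowlisted word per non-empty line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def is_excluded_by_word_list(secret, words):
    """Word list: the secret is allowlisted if it contains any listed word
    (case-insensitive containment is an assumption of this illustration)."""
    lowered = secret.lower()
    return any(w.lower() in lowered for w in words)


def classify(secret, patterns, words):
    """Report which allowlist (if any) would suppress the finding."""
    if is_excluded_by_regex(secret, patterns):
        return "allowlisted-by-regex"
    if is_excluded_by_word_list(secret, words):
        return "allowlisted-by-word-list"
    return "flagged"


if __name__ == "__main__":
    patterns = load_exclude_patterns(BASELINE_JSON)
    words = load_word_list(WORD_LIST_TEXT)
    # Constructed candidates: the benign acronym, and a token that merely contains it.
    for candidate in ["doi", "test_value", "doi_9f8e7d6c5b4a", "AKIAEXAMPLE0123"]:
        print(f"{candidate:20} regex-only: {is_excluded_by_regex(candidate, patterns)!s:5} "
              f"overall: {classify(candidate, patterns, words)}")
```

Run stand-alone, the table shows that the anchored `^doi$` pattern suppresses exactly the acronym, while the word-list entry `doi` also suppresses `doi_9f8e7d6c5b4a` because it only checks containment. If a baseline pattern is written as a bare `doi` instead of `^doi$`, the regex filter behaves the same way, so anchor patterns and keep word-list entries specific enough that they cannot appear inside a real credential.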
No worries, glad we could help out! @gpflaum thanks for helping out :)