Request: using a baseline as an allowlist

Question

Request: using a baseline as an allowlist

jamesbraza opened this issue 7 months ago · 5 comments

I'm submitting a ...

bug report
feature request

What is the current behavior?

detect-secrets==1.4.0 is flagging "doi" as a secret. This is an acronym for Digital Object Identifier, and is not a secret.

To solve this issue, I would have to:

Place many # pragma: allowlist secret for each "doi" instance
Or define some complex regex for --exclude-secrets

What is the expected behavior?

I would like to:

Export a baseline: detect-secrets scan --baseline .secrets.baseline
Use that baseline as an allowlist

Can we make some argument that allows one to use the "results" in a baseline file as an allow list for secrets?

What is the motivation / use case for changing the behavior?

I like the baseline file concept, it's basically a config file for detect-secrets.

Please tell us about your environment:

detect-secrets Version: 1.4.0
Python Version: 3.12.2
OS Version: macOS Sonoma 14.3
File type (if applicable): Python

Other information

N/a

Answer 1 · 2024-04-18T19:00:46.000Z

Hi @jamesbraza 👋🏼 thanks for opening this issue! How would you envision this allowlist?

Answer 2 · 2024-04-18T19:04:48.000Z

Thanks for asking! To be more concise, the idea of the allowlist is going from many # pragma: allowlist secret comments in my code base to just 1 entry in an allowlist file.

I think a YAML or TOML config file is fine, where allowed secrets show up in a YAML list. Open to anything really, and ideally it plays nicely with detect-secrets scan --baseline .secrets.baseline

Answer 3 · 2024-04-18T20:22:27.000Z

@jamesbraza I think the existing --exclude-secrets option is what you're looking for. There's a corresponding setting you can put in your baseline file.

Answer 4 · 2024-04-18T20:55:55.000Z

You are correct! It ends up in the baseline looking like this:

    {
      "path": "detect_secrets.filters.regex.should_exclude_secret",
      "pattern": [
        "abc123",
        "def456",
        "test_value"
      ]
    }

That being said, I ended up going with the word_list extra and invoking like so:

detect-secrets scan --word-list=.secrets.allowlist

Going to close this out, thank you both!

Answer 5 · 2024-04-19T16:06:36.000Z

No worries, glad we could help out! @gpflaum thanks for helping out :)