GitGuardian / ggshield

Find and fix 400+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.
https://gitguardian.com
MIT License

ggshield local scan not detecting secrets #874

Closed andrei-on-github closed 3 months ago

andrei-on-github commented 3 months ago

Environment

Describe the bug

ggshield doesn't detect any secrets in my .py files, nor in other types of files.

```
[andrei@xeria test]$ ggshield auth login
ggshield is already authenticated without an expiry date
[andrei@xeria test]$ echo $(cat testfile.py)
from http.server import BaseHTTPRequestHandler, HTTPServer import logging test_slack_key = "xoxb-563210206324-FGqsdnMasd3fgsd4"
[andrei@xeria test]$ ggshield secret scan path -r .
Scanning... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 1 / 1

No secrets have been found

[andrei@xeria test]$
```

Steps to reproduce:

  1. Install ggshield with `pip install ggshield` and authenticate with `ggshield auth login`.
  2. Run `ggshield secret scan path -r .` or `ggshield secret scan path -r testfile.py`. I also tried to use it in git as a pre-commit hook:

```sh
#!/bin/sh

ggshield secret scan pre-commit "$@"
```

```
[andrei@xeria test]$ git add testfile.py
[andrei@xeria test]$ git commit -m "adding secrets file"
Scanning... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 1 / 1

No secrets have been found

[master 1921bde] adding secrets file
 1 file changed, 1 insertion(+)
[andrei@xeria test]$
```

Actual result: ggshield reports that no secrets have been found (`No secrets have been found`).

I've also tested this by installing as a pre-commit hook, and the behavior is the same

Expected result:

ggshield reports that the files or commits contain hardcoded secrets.

agateau-gg commented 3 months ago

Hi @andrei-on-github, I just looked at your test file and it seems the Slack key in it is too short to be recognized. If I add another character at the end, ggshield detects it. Is this a valid key or was it truncated?

andrei-on-github commented 3 months ago

Hello @agateau-gg. Indeed, the secret is recognised if I add one more character. I had incorrectly assumed that, for Slack, only the xoxb-, xoxp-, xwfp- parts are necessary for pattern recognition to work; I did not find any relevant information about length being a factor, so I assumed it was not being used in the scanning process.

Thank you!

agateau-gg commented 3 months ago

Great! closing this issue then.