Context
Add an option to ignore secrets which are removed by the scanned commit.
The goal of this PR is to create a way to accept secrets which are being remediated. If a dev is removing a secret from their code, but not rewriting the git history, GGShield will prevent them (pre-commit, pre-push or pre-receive) from committing and pushing the secret remediation.
This optional option will allow users to accept secrets in commits when they are removed, either on a deleted line or in a deleted file.

What has been done
Add --ignore-removed-secrets via the decorator add_secret_scan_common_options
Add an equivalent field to SecretConfig named ignore_removed_secrets

Validation
Create a repository, add then remove a secret:
Then verify that scanning the repository raises two incidents and only one with --ignore-removed-secrets

PR check list
[x] As much as possible, the changes include tests (unit and/or functional)
[x] If the changes affect the end user (new feature, behavior change, bug fix) then the PR has a changelog entry (see doc/dev/getting-started.md). If the changes do not affect the end user, then the skip-changelog label has been added to the PR.
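
The behaviour described in this PR, sketched as an added example that is not ggshield's implementation: a scanner walks each commit's patch and, when the option is set, skips matches that sit on deleted lines. The token pattern, the two sample patches and the names `scan_patch`, `scan_history` and `Incident` are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed detector for the constructed sample token; real scanners use many detectors.
TOKEN_RE = re.compile(r"EXAMPLE_[A-Z0-9]{16}")

# Constructed patches: one commit adds a secret, the next one removes it.
ADD_COMMIT = """diff --git a/settings.py b/settings.py
new file mode 100644
--- /dev/null
+++ b/settings.py
@@ -0,0 +1,2 @@
+import os
+API_TOKEN = "EXAMPLE_0123456789ABCDEF"
"""
REMOVE_COMMIT = """diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,2 @@
 import os
-API_TOKEN = "EXAMPLE_0123456789ABCDEF"
+API_TOKEN = os.environ["API_TOKEN"]
"""

@dataclass(frozen=True)
class Incident:
    path: str
    removed: bool  # True when the match is on a '-' line (deleted line or file)
    match: str

def scan_patch(patch, ignore_removed_secrets=False):
    """Return the incidents found in one commit's unified diff."""
    incidents, path, in_hunk = [], "?", False
    for line in patch.splitlines():
        if line.startswith("diff --git "):
            path, in_hunk = line.split(" b/", 1)[-1], False
        elif line.startswith("@@"):
            in_hunk = True  # the ---/+++ file headers come before the first hunk
        elif in_hunk and line.startswith(("+", "-")):
            removed = line[0] == "-"
            if removed and ignore_removed_secrets:
                continue  # this commit deletes the secret: do not block it
            for m in TOKEN_RE.finditer(line[1:]):
                incidents.append(Incident(path, removed, m.group()))
    return incidents

def scan_history(commits, ignore_removed_secrets=False):
    """Scan every commit patch, oldest first, as a repository scan would."""
    return [i for c in commits for i in scan_patch(c, ignore_removed_secrets)]
```

A secret on a removed line is still present in the earlier commit, so the option changes what the hook blocks, not whether the credential needs revoking.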