Open · KevinHock opened this issue 5 years ago
https://github.com/Yelp/detect-secrets-server/pull/18 hopes to provide the short-term solution.
Would an appropriate modification for this be that we remove the `exclude_regex` from the repo metadata / yaml upload and add an `exclude_files` and `exclude_lines` instead? Currently hitting this as we aren't using baselines yet and en masse scanning doesn't have a way to handle these exclusions.
By default, we do not overwrite the repo metadata if it already exists (https://github.com/Yelp/detect-secrets-server/blob/2662fa8192e487fb4e2e4f15ebd3cc66dc61d3d5/detect_secrets_server/actions/initialize.py#L132), and there is good reason for not blindly overwriting the `exclude_regex`, because each repo could have a different one in its baseline, and exclude specific files. (Even though we are not doing that at the moment.)

I propose:

Short-term: We add an `exclude_regex` to `scan`, and ignore the `exclude_regex` in the repo metadata.

Long-term: We use both, and take the `exclude_regex` from the baseline during "add", if it exists; do not have `--exclude-regex` in the CLI for the 'add' command. (i.e. Set the exclude regex in the repo metadata from the baseline.)
Similar to how, in the pre-commit hook code (pre_commit_hook.py), we `get_secrets_not_in_baseline`: https://github.com/Yelp/detect-secrets/blob/f0ece437079854910a97394451b3ab66f99ae515/detect_secrets/core/baseline.py#L57
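To make the exclusion semantics discussed in this thread concrete, the following is an added example written for this page; it is not detect-secrets-server code and not something any commenter posted. It models the two ideas above: a file-level exclusion (the `exclude_regex` / `exclude_files` that skips whole paths) versus a line-level exclusion (`exclude_lines`), and a resolution step that decides which regex a scan actually uses when a CLI flag, a repo-metadata entry and a baseline all exist. The precedence (CLI flag, then baseline, then repo metadata), the `resolve_exclusions` and `scan` helpers, the simplified detector regex and the sample repository contents are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical detector: a deliberately simple assignment pattern for this
# demonstration, not one of detect-secrets' real plugins.
SECRET_ASSIGNMENT = re.compile(r"(?i)\b(api_key|secret|password)\s*=\s*[\"'][^\"']+[\"']")


@dataclass
class Exclusions:
    """File-level and line-level exclusion patterns (both optional regexes)."""
    files: Optional[str] = None   # applied to the file path; matching files are skipped
    lines: Optional[str] = None   # applied to each line; matching lines are skipped


def resolve_exclusions(cli_exclude_files: Optional[str],
                       repo_metadata: dict,
                       baseline: Optional[dict]) -> Exclusions:
    """Pick the effective exclusions for one scan.

    Precedence assumed here (a choice for this example, not the project's
    rule): an explicit CLI value wins, otherwise the baseline's own
    exclusions, otherwise whatever is stored in the repo metadata.  The
    baseline may carry either a legacy top-level ``exclude_regex`` or an
    ``exclude`` block with ``files`` / ``lines`` keys.
    """
    files = cli_exclude_files
    lines = None
    if baseline:
        block = baseline.get("exclude", {})
        files = files or block.get("files") or baseline.get("exclude_regex")
        lines = block.get("lines")
    if files is None:
        files = repo_metadata.get("exclude_regex")
    return Exclusions(files=files, lines=lines)


def scan(files: Dict[str, str], exclusions: Exclusions) -> List[Tuple[str, int]]:
    """Return (path, line_number) for every detected secret that is not excluded."""
    file_re = re.compile(exclusions.files) if exclusions.files else None
    line_re = re.compile(exclusions.lines) if exclusions.lines else None
    hits: List[Tuple[str, int]] = []
    for path, content in files.items():
        if file_re and file_re.search(path):
            continue  # whole file skipped: the exclude_regex / exclude_files case
        for lineno, line in enumerate(content.splitlines(), start=1):
            if line_re and line_re.search(line):
                continue  # single line allowlisted: the exclude_lines case
            if SECRET_ASSIGNMENT.search(line):
                hits.append((path, lineno))
    return hits


# Constructed sample repository contents; none of these values are real secrets.
SAMPLE_FILES = {
    "config/prod.py": 'api_key = "not-a-real-key"\n',
    "tests/fixtures/keys.py": 'password = "fixture-only"\n',
    "app.py": 'secret = "placeholder"  # pragma: allowlist secret\nname = "app"\n',
}
# Constructed baseline and repo-metadata fragments.
SAMPLE_BASELINE = {"exclude": {"files": r"^tests/", "lines": r"pragma: allowlist secret"}}
SAMPLE_METADATA = {"exclude_regex": r"^docs/"}


def demo() -> List[Tuple[str, int]]:
    """Scan the sample repo with no CLI flag, so the baseline's exclusions apply."""
    effective = resolve_exclusions(None, SAMPLE_METADATA, SAMPLE_BASELINE)
    return scan(SAMPLE_FILES, effective)


if __name__ == "__main__":
    print(demo())  # [('config/prod.py', 1)]
```

Running `demo()` reports only `config/prod.py`: the fixture file is dropped by the baseline's file pattern, and the allowlisted line in `app.py` by its line pattern. With no baseline present the metadata's `exclude_regex` is what `resolve_exclusions` falls back to, which is the "do not blindly overwrite it" concern above in code form.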