Changed or added secrets in existing files not detected

[csurfleet]

• I'm submitting a possible bug but probable user error

• What is the current behavior? I have generated a baseline file and specified some known passwords. When I change that password, or add another password elsewhere in the file, it is not picked up by either detect-secrets scan or detect-secrets-hook

• If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem I have a compose file with this section in it:

  mongodb:
  image: mongo:latest
  environment:
    MONGO_INITDB_ROOT_USERNAME: root
    MONGO_INITDB_ROOT_PASSWORD: password

  When I run detect-secrets scan > .baseline I get the baseline file. I then audit it, see the password and say that yes, it should be commited.

I commit the baseline file then modify my compose file to

mongodb:
    image: mongo:latest
    environment:
      MONGO_INITDB_ROOT_USERNAME: root
      MONGO_INITDB_ROOT_PASSWORD: changedpassword
      SOME_OTHER_PASSWORD: newpassword

I then run detect-secrets scan --baseline .baseline > .newsecrets but the resulting file is empty. I can also run detect-secrets-hook --baseline .baseline and see no results there either.

• What is the expected behavior? I would expect both the changed password token and the new password to have been flagged to me by the subsequent commands. Hopefully I'm just missing a parameter or something? This seems basic so it must be user error!

• Please tell us about your environment:

  • detect-secrets Version: 1.4.0
  • Python Version: 3.9
  • OS Version: Windows 10

[jpdakran]

Hi @csurfleet. Thank you for reporting this. I can explain the behaviour you are seeing.

Running detect-secrets scan > .baseline will add the MONGO_INITDB_ROOT_PASSWORD: password to the baseline file.

When you update the file to change the existing password and add a new password this will alert.

There is a difference between detect-secrets scan and detect-secrets-hook - the prior adds secrets to your baseline and the later alerts on new secrets.

When you run detect-secrets scan --baseline .baseline > .newsecrets - This does not work since adding the --baseline command initiates an update to that file with the results - there is no stdout which is why there is nothing in .newsecrets.

Running detect-secrets scan --baseline .baseline would correctly update the baseline file with the changed secret and the new secret.

If you want to alert (on the changed and new secret) - you can see the functionality below:

• Running detect-secrets-hook --baseline .baseline with the updated baseline would produce no results since both the changed secret and new secret are in the baseline. If you did not update the baseline and just ran this command - you would see an alert for the changed and new secret.
• Running detect-secrets-hook will alert on both secrets - since it has no idea about the baseline file.

If you have any other questions let me know.

[jpdakran]

As this is intended behavior. I will go ahead and close out this issue. If you have any other questions or this answer was not sufficient. Please feel free to open another issue.