Closed csurfleet closed 1 year ago
Hi @csurfleet. Thank you for reporting this. I can explain the behaviour you are seeing.
Running `detect-secrets scan > .baseline` will add the `MONGO_INITDB_ROOT_PASSWORD: password` to the baseline file.

When you update the file to change the existing password and add a new password this will alert.

There is a difference between `detect-secrets scan` and `detect-secrets-hook` - the former adds secrets to your baseline and the latter alerts on new secrets.

When you run `detect-secrets scan --baseline .baseline > .newsecrets` - this does not work since adding the `--baseline` command initiates an update to that file with the results - there is no stdout, which is why there is nothing in `.newsecrets`.

Running `detect-secrets scan --baseline .baseline` would correctly update the baseline file with the changed secret and the new secret.

If you want to alert (on the changed and new secret) - you can see the functionality below:

`detect-secrets-hook --baseline .baseline` with the updated baseline would produce no results since both the changed secret and new secret are in the baseline. If you did not update the baseline and just ran this command - you would see an alert for the changed and new secret. `detect-secrets-hook` will alert on both secrets - since it has no idea about the baseline file. If you have any other questions let me know.

As this is intended behavior, I will go ahead and close out this issue. If you have any other questions or this answer was not sufficient, please feel free to open another issue.
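To make the baseline semantics in the reply above concrete, here is an added Python illustration (not detect-secrets' own code). It assumes the baseline's `results` map a filename to findings carrying `type`, `line_number` and a SHA-1 `hashed_secret`, and models the two commands side by side: the hook alerts on anything absent from the baseline, while `scan --baseline` rewrites the baseline and sends nothing to stdout.

```python
"""Model of detect-secrets baseline handling (added example, not the
project's own code). Assumed layout: baseline["results"] maps filename ->
list of findings, each with "type", "hashed_secret" and "line_number",
where hashed_secret is the SHA-1 hex digest of the raw secret value."""
import hashlib


def hashed(secret: str) -> str:
    """SHA-1 hex digest, the form in which detect-secrets stores a secret."""
    return hashlib.sha1(secret.encode()).hexdigest()


def finding(filename: str, secret: str, line: int, kind: str = "Secret Keyword") -> dict:
    """Build one scan finding for a secret at a given line of a file."""
    return {"type": kind, "filename": filename,
            "hashed_secret": hashed(secret), "line_number": line}


def new_findings(baseline: dict, scan: list) -> list:
    """What a hook-style run alerts on: findings whose (filename, type,
    hashed_secret) triple is not in the baseline. Line numbers are ignored,
    so a known secret that merely moves within the file stays suppressed."""
    known = {(f["filename"], f["type"], f["hashed_secret"])
             for entries in baseline["results"].values() for f in entries}
    return [f for f in scan
            if (f["filename"], f["type"], f["hashed_secret"]) not in known]


def update_baseline(baseline: dict, scan: list) -> dict:
    """What `scan --baseline` does: replace the results with the fresh scan,
    keep the file's other fields, and return nothing for stdout."""
    results = {}
    for f in scan:
        results.setdefault(f["filename"], []).append(f)
    return {**baseline, "results": results}


# Constructed sample: the compose file first held one password; the reporter
# then changed it and added a second password elsewhere in the same file.
COMPOSE = "docker-compose.yml"
BASELINE = {"version": "<placeholder>",
            "results": {COMPOSE: [finding(COMPOSE, "password", 5)]}}
RESCAN = [finding(COMPOSE, "changed-password", 5),
          finding(COMPOSE, "another-password", 12)]

if __name__ == "__main__":
    for f in new_findings(BASELINE, RESCAN):          # hook without update: 2 alerts
        print(f"would alert: {f['filename']}:{f['line_number']} ({f['type']})")
    refreshed = update_baseline(BASELINE, RESCAN)     # scan --baseline: silent
    print("alerts after baseline update:", len(new_findings(refreshed, RESCAN)))
```

Both the changed password (new hash at the old line) and the added one show up as new until the baseline is refreshed, after which the hook is silent.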
I'm submitting a possible bug but probable user error

What is the current behavior?
I have generated a baseline file and specified some known passwords. When I change that password, or add another password elsewhere in the file, it is not picked up by either `detect-secrets scan` or `detect-secrets-hook`.

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem
I have a compose file with this section in it:

When I run `detect-secrets scan > .baseline` I get the baseline file. I then audit it, see the password and say that yes, it should be committed. I commit the baseline file then modify my compose file to

I then run `detect-secrets scan --baseline .baseline > .newsecrets` but the resulting file is empty. I can also run `detect-secrets-hook --baseline .baseline` and see no results there either.

What is the expected behavior?
I would expect both the changed password token and the new password to have been flagged to me by the subsequent commands. Hopefully I'm just missing a parameter or something? This seems basic so it must be user error!

Please tell us about your environment: