Yelp / detect-secrets

An enterprise friendly way of detecting and preventing secrets in code.
Apache License 2.0

PGP armor encrypted multiline yaml blocks reporting false positives, unable to exclude with pragma or regex #708

Open benfiedler opened 1 year ago

benfiedler commented 1 year ago

somefile.yaml:

myapp:
  user: smith
  secured_credential: |
    -----BEGIN PGP MESSAGE-----
    mQGNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv
    /seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz
    /56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/
    5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3
    -----END PGP MESSAGE-----
  another_setting: true

# pragma: nextline secret does not seem sufficient for overriding this.

Here are a few different exclude regexes I have tried in my .pre-commit-config.yaml without success:

  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      -   id: detect-secrets
          name: Detect secrets
          entry: detect-secrets-hook
          # args: ['--exclude-secrets', '\-{5}BEGIN PGP MESSAGE\-{5}[\s\S]+?\-{5}END PGP MESSAGE\-{5}$']
          # args: ['--exclude-secrets', '\-{5}BEGIN PGP MESSAGE\-{5}']
          # args: ['--exclude-secrets', '"\-{5}BEGIN PGP MESSAGE\-{5}[\s\S]+?\-{5}END PGP MESSAGE\-{5}$"']
          # args: ['--exclude-secrets', '"\-{5}BEGIN PGP MESSAGE\-{5}"']
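The following script is an added illustration of why the regexes above cannot work; it is not part of the issue and not detect-secrets' own code. detect-secrets scans a file one line at a time, and `--exclude-secrets` is tested against each candidate token it finds on that line, never against the file as a whole, so a pattern that spans from `BEGIN PGP MESSAGE` to `END PGP MESSAGE` has nothing to match. The entropy scorer and base64 tokenizer below are a simplified stand-in for the Base64HighEntropyString plugin (its default limit of 4.5 bits is real; the exact token regex is an assumption), and `SAMPLE_YAML` is the issue's own `somefile.yaml` with the indentation of `another_setting` corrected.

```python
"""Line-scoped exclusion vs. a multi-line PGP armor block (added example)."""
import math
import re
from typing import List, Tuple

# Constructed input: the YAML from the issue, embedded so this runs offline.
SAMPLE_YAML = """\
myapp:
  user: smith
  secured_credential: |
    -----BEGIN PGP MESSAGE-----
    mQGNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv
    /seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz
    /56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/
    5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3
    -----END PGP MESSAGE-----
  another_setting: true
"""

# Assumption: a simplified base64 token shape, 20+ chars plus optional padding.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
ENTROPY_LIMIT = 4.5  # detect-secrets' default limit for Base64HighEntropyString

# The first regex from the issue's .pre-commit-config.yaml, verbatim.
ISSUE_PATTERN = r"\-{5}BEGIN PGP MESSAGE\-{5}[\s\S]+?\-{5}END PGP MESSAGE\-{5}$"
# A per-token alternative (assumption, see the note below): an armor body line
# as GnuPG emits it is exactly 64 base64 characters with no padding.
PER_LINE_PATTERN = r"^[A-Za-z0-9+/]{64}$"


def shannon_entropy(token: str) -> float:
    """Bits per character; the same measure the high-entropy plugins score on."""
    counts = {}
    for ch in token:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(text: str) -> List[Tuple[int, str]]:
    """Line-by-line scan: (1-based line number, token) for every high-entropy
    base64 token. Each line is examined in isolation, as the real scanner does."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for token in BASE64_TOKEN.findall(line):
            if shannon_entropy(token) > ENTROPY_LIMIT:
                hits.append((lineno, token))
    return hits


def excluded(hits: List[Tuple[int, str]], pattern: str) -> List[Tuple[int, str]]:
    """Mimic --exclude-secrets: the regex is searched against each token on its own."""
    rx = re.compile(pattern)
    return [(n, t) for n, t in hits if rx.search(t)]


def matches_whole_file(text: str, pattern: str) -> bool:
    """The issue's regex is fine as a regex: run over the whole file (with
    MULTILINE so '$' can end on the END line) it matches. It only fails
    because the filter never sees more than one token at a time."""
    return re.search(pattern, text, re.MULTILINE) is not None


if __name__ == "__main__":
    hits = scan_lines(SAMPLE_YAML)
    print("flagged lines:", [n for n, _ in hits])
    print("whole-file match:", matches_whole_file(SAMPLE_YAML, ISSUE_PATTERN))
    print("excluded by issue regex:", len(excluded(hits, ISSUE_PATTERN)))
    print("excluded by per-line regex:", len(excluded(hits, PER_LINE_PATTERN)))
```

Two caveats before copying `PER_LINE_PATTERN` into a hook: a 64-character base64 token is indistinguishable from a genuine base64-encoded 48-byte key, so an exclusion that broad also hides real secrets and is better scoped with `--exclude-files` to the files that legitimately carry armored blobs; and the inline `# pragma: allowlist secret` comment cannot be used here at all, because inside a YAML `|` literal block a `#` is data, not a comment, and adding it would alter the ciphertext.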