Closed. estyxx closed this issue 10 months ago.

I'm submitting a:

What is the current behavior?
detect-secrets (v1.4.0) is incorrectly flagging a Git revision hash in pyproject.toml as a potential secret (High Entropy String). This occurs when specifying a dependency in Poetry using a Git repository and a specific revision. The line in question is:

Steps to reproduce:
1. pyproject.toml using Poetry with a specific Git revision.
2. detect-secrets (v1.4.0) as a pre-commit hook.
3. detect-secrets pre-commit hook failing, flagging the Git revision hash as a high entropy string.

What is the expected behavior?
The tool should not flag Git revision hashes in pyproject.toml as high entropy strings, as these are typically not secrets.

What is the motivation/use case for changing the behavior?
Preventing false positives in projects that use Poetry for dependency management alongside detect-secrets for secret scanning is essential for accurate secret detection and smooth developer workflows.

Environment:
pyproject.toml

Other information:
pragma: allowlist secret, but ideally, detect-secrets should automatically recognize and handle this case.
pyproject.toml files, so I'm opening this new issue.

Hi @estyxx, the line you posted contains a high entropy string, so detect-secrets isn't wrong in that. Have you thought of excluding pyproject.toml as a whole?

Ohh okay, I will just add the comment then!
I thought it was a little bit "smarter", detecting that that was a dependency and it's ok within the pyproject, but nevermind!
I don't think I will exclude the file entirely because in there we can put tool configurations, so it's unusual to put secrets in there, but you never know!

> so it's unusual to put secrets in there, but you never know!

That's exactly the reason why we don't exclude files by default :)
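To show why a 40-character Git revision trips the hex high-entropy check and how the inline pragma from the thread suppresses it, here is a simplified model of that check, added as an illustration and not detect-secrets' own code. It assumes a 3.0 entropy limit for hex strings (detect-secrets' default for its hex plugin) and uses a constructed pyproject.toml dependency line with a hypothetical repository and revision.

```python
import math
import re

# Simplified model of detect-secrets' hex high-entropy plugin (not the
# project's code): find hex runs of 20+ characters, measure their Shannon
# entropy, and honour the inline "pragma: allowlist secret" comment.
HEX_LIMIT = 3.0  # assumption: detect-secrets' default limit for hex strings
HEX_RE = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{20,})(?![0-9a-fA-F])")
ALLOWLIST_RE = re.compile(r"pragma:\s*allowlist\s+secret")


def shannon_entropy(s: str) -> float:
    """Bits per character over the symbols actually present in s."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flagged_hex_strings(line: str) -> list:
    """Hex strings on the line whose entropy exceeds HEX_LIMIT.

    A line carrying the allowlist pragma is skipped entirely, which is the
    workaround the issue settles on for a Poetry git dependency.
    """
    if ALLOWLIST_RE.search(line):
        return []
    return [m for m in HEX_RE.findall(line) if shannon_entropy(m) > HEX_LIMIT]


# Constructed pyproject.toml lines; repository URL and revision are made up.
REV = "3f2a9c1d4e5b67890abcdef1234567890fedcba9"
DEP_LINE = f'mylib = {{ git = "https://example.com/org/mylib.git", rev = "{REV}" }}'
DEP_LINE_ALLOWLISTED = DEP_LINE + "  # pragma: allowlist secret"

if __name__ == "__main__":
    print(f"entropy of rev: {shannon_entropy(REV):.3f} bits (limit {HEX_LIMIT})")
    print("flagged without pragma:", flagged_hex_strings(DEP_LINE))
    print("flagged with pragma:   ", flagged_hex_strings(DEP_LINE_ALLOWLISTED))
```

A real commit SHA spreads 16 hex symbols over 40 positions, so its entropy sits near the 4-bit maximum for hex and comfortably above the limit, which is why the plugin is behaving as designed here.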