False positive detection of Git revision hash as high entropy string in `pyproject.toml`

[estyxx]

• I'm submitting a:

  • [x] bug report
  • [ ] feature request

• What is the current behavior? detect-secrets (v1.4.0) is incorrectly flagging a Git revision hash in pyproject.toml as a potential secret (High Entropy String). This occurs when specifying a dependency in Poetry using a Git repository and a specific revision. The line in question is:

  wagtail-django-recaptcha = {git = "https://github.com/springload/wagtail-django-recaptcha.git", rev = "c23696f5c55824a8abd86e13f13da4a90d437d75"}

• Steps to reproduce:

  1. Add a dependency in pyproject.toml using Poetry with a specific Git revision.
  2. Set up detect-secrets (v1.4.0) as a pre-commit hook.
  3. Attempt to commit the changes.
  4. Observe the detect-secrets pre-commit hook failing, flagging the Git revision hash as a high entropy string.

• What is the expected behavior? The tool should not flag Git revision hashes in pyproject.toml as high entropy strings, as these are typically not secrets.

• What is the motivation/use case for changing the behavior? Preventing false positives in projects that use Poetry for dependency management alongside detect-secrets for secret scanning is essential for accurate secret detection and smooth developer workflows.

• Environment:

  • detect-secrets Version: v1.4.0
  • Python Version: 3.11
  • OS Version: macOS ventura
  • File type: pyproject.toml

• Other information:

  • A workaround is to use pragma: allowlist secret, but ideally, detect-secrets should automatically recognize and handle this case.
  • I searched through existing issues and didn't find any mention of similar problems related to referencing Git revisions or pyproject.toml files, so I'm opening this new issue.

[lorenzodb1]

Hi @estyxx, the line you posted contains a high entropy string, so detect-secrets isn't wrong in that. Have you thought of excluding pyproject.toml as a whole?

[estyxx]

Ohh okay, I will just add the comment then!
I thought it was a little bit "smarter" detecting that that was a dependency and it's ok within the pyproject but nevermind! I don't think I will exclude the file entirely because in there we can put tool configurations, so it's unusual to put secrets in there, but you never know!

[lorenzodb1]

so it's unusual to put secrets in there, but you never know!

that's exactly the reason why we don't exclude files by default :)