lorenzodb1
commented
2 months ago Hi @jamesbraza 👋🏼 thanks for opening this issue! How would you envision this allowlist?
Closed jamesbraza closed 2 months ago
lorenzodb1
commented
2 months ago Hi @jamesbraza 👋🏼 thanks for opening this issue! How would you envision this allowlist?
jamesbraza
commented
2 months ago Thanks for asking! To be more concise, the idea of the allowlist is going from many # pragma: allowlist secret comments in my code base to just 1 entry in an allowlist file.
I think a YAML or TOML config file is fine, where allowed secrets show up in a YAML list. Open to anything really, and ideally it plays nicely with detect-secrets scan --baseline .secrets.baseline
gpflaum
commented
2 months ago @jamesbraza I think the existing --exclude-secrets option is what you're looking for. There's a corresponding setting you can put in your baseline file.
jamesbraza
commented
2 months ago You are correct! It ends up in the baseline looking like this:
{
"path": "detect_secrets.filters.regex.should_exclude_secret",
"pattern": [
"abc123",
"def456",
"test_value"
]
}That being said, I ended up going with the word_list extra and invoking like so:
detect-secrets scan --word-list=.secrets.allowlistGoing to close this out, thank you both!
lorenzodb1
commented
2 months ago No worries, glad we could help out! @gpflaum thanks for helping out :)
I'm submitting a ...
What is the current behavior?
detect-secrets==1.4.0is flagging"doi"as a secret. This is an acronym for Digital Object Identifier, and is not a secret.To solve this issue, I would have to:
# pragma: allowlist secretfor each"doi"instance--exclude-secretsWhat is the expected behavior?
I would like to:
detect-secrets scan --baseline .secrets.baselineCan we make some argument that allows one to use the
"results"in a baseline file as an allow list for secrets?What is the motivation / use case for changing the behavior?
I like the baseline file concept, it's basically a config file for
detect-secrets.Please tell us about your environment:
Other information
N/a