What happened: I have configured the horusecCliFilesOrPathsToIgnore option to ignore some folders and files.

How to reproduce it (as minimally and precisely as possible): NodeJS project with a package-lock.json with pgpass installed.

Horusec-config:

Expected result: package-lock.json is ignored on the scan

Actual result: package-lock.json is scanned by horusec

Column: 11
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /runner/_work/FeeRavManagerAPI/FeeRavManagerAPI/package-lock.json
Code: "pgpass": "1.x"
RuleID: HS-LEAKS-26
Type: Vulnerability
ReferenceHash: dce09eb1eb793933fbfe57a3088b23d04e9a760c5d8fbddf6f1e9a95e222f71e
Details: (1/1) * Possible vulnerability detected: Hard-coded password
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.

Also using the VS Code addon with the above horusec-config, folders like dist are still being scanned.

Anything else we need to know?:

Environment:
Horusec version (use horusec version): In the CI I use the config from the docs: curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/main/deployments/scripts/install.sh
Operating System: In the CI Ubuntu, my machine: Arch Linux
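The report says patterns in horusecCliFilesOrPathsToIgnore did not keep package-lock.json (or dist) out of the scan, while the finding names the file by its full absolute path. As an added example that is not part of the original report and not Horusec's own code, the Python below checks candidate ignore patterns against the absolute paths a scan reports, under an assumed doublestar-style glob convention (`**` spans directory separators, `*` stays inside one path segment). The config it parses is constructed for illustration, since the reporter's horusec-config was not preserved on this page; the only path taken from the report is the one in the finding. It shows how a bare file name or folder name matches nothing when compared against a full path, and how to list the patterns in a config that never fire.

```python
import json
import re

# Constructed sample config (NOT the reporter's horusec-config, which is not
# on the page). The key name comes from the report; the glob semantics used
# below are an assumption about how such patterns are matched, not a
# statement about Horusec's implementation.
SAMPLE_CONFIG = json.loads("""
{
  "horusecCliFilesOrPathsToIgnore": [
    "package-lock.json",
    "dist",
    "**/package-lock.json",
    "**/dist/**"
  ]
}
""")

# Absolute path from the finding in the report, plus two constructed siblings.
REPORTED_PATH = "/runner/_work/FeeRavManagerAPI/FeeRavManagerAPI/package-lock.json"
SAMPLE_PATHS = [
    REPORTED_PATH,
    "/runner/_work/FeeRavManagerAPI/FeeRavManagerAPI/dist/main.js",
    "/runner/_work/FeeRavManagerAPI/FeeRavManagerAPI/src/index.js",
]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a doublestar-style glob into an anchored regex.

    '**' matches any run of characters including '/', '*' matches within a
    single path segment, '?' matches one non-slash character; everything else
    is taken literally. The whole path must match (anchored at both ends).
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def is_ignored(path: str, patterns) -> bool:
    """True if any ignore pattern matches the full path."""
    return any(glob_to_regex(p).match(path) for p in patterns)


def scanned_paths(paths, patterns):
    """Paths that survive the ignore list, i.e. what the scanner would see."""
    return [p for p in paths if not is_ignored(p, patterns)]


def dead_patterns(patterns, paths):
    """Patterns that match none of the given paths: the ones that silently
    did nothing, which is the failure mode worth checking first."""
    return [p for p in patterns if not any(glob_to_regex(p).match(x) for x in paths)]


if __name__ == "__main__":
    ignore = SAMPLE_CONFIG["horusecCliFilesOrPathsToIgnore"]
    print("still scanned:", scanned_paths(SAMPLE_PATHS, ignore))
    print("patterns that never matched:", dead_patterns(ignore, SAMPLE_PATHS))
```

Run against the constructed paths, the two bare names are reported as never matching and only src/index.js remains to be scanned; substituting the real file list from a scan (the File: field of each finding) turns this into a quick check of whether a given ignore list can ever apply to the paths the tool is actually comparing.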