awslabs / automated-security-helper

https://awslabs.github.io/automated-security-helper/
Apache License 2.0

.gitallowed not respected in ASH #57

Closed bestickley closed 4 months ago

bestickley commented 4 months ago

When I add the following .gitallowed in the root of my repo:

# aws account numbers are ok
.*\d{12}.*

and run git secrets --scan locally (not in ash) with aws patterns registered, I get no errors. BUT, when I commit the file and run ash, I get this error:

OK
git config --local --get-regexp "^secrets\..*$" output:
secrets.providers git secrets --aws-provider
secrets.patterns (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}
secrets.patterns ("|')?(AWS|aws|Aws)?_?(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)("|')?\s*(:|=>|=)\s*("|')?[A-Za-z0-9/\+=]{40}("|')?
secrets.patterns ("|')?(AWS|aws|Aws)?_?(ACCOUNT|account|Account)_?(ID|id|Id)?("|')?\s*(:|=>|=)\s*("|')?[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}("|')?
secrets.allowed AKIAIOSFODNN7EXAMPLE
secrets.allowed wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
>>>>>> begin git secrets --scan result >>>>>>
infra/cdk.context.json:2:  "availability-zones:account=211125606836:region=us-east-1": [
infra/cdk.context.json:10:  "ssm:account=211125606836:parameterName=/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64:region=us-east-1": "ami-0277155c3f0ab2930",
infra/cdk.context.json:11:  "availability-zones:account=905418358903:region=us-east-1": [
infra/cdk.context.json:19:  "ssm:account=905418358903:parameterName=/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-6.1-x86_64:region=us-east-1": "ami-0440d3b780d96b29d"

[ERROR] Matched one or more prohibited patterns

Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive

From the du command above in aggregated_results.txt, I know that .gitallowed is making its way into ash.

Please help. Thank you!

climbertjh2 commented 4 months ago

My testing, with a different string in .gitallowed, indicated that the file IS being utilized.

I will try again with a couple of other regular expressions to see if this can be narrowed down.

climbertjh2 commented 4 months ago

@bestickley - would you please try the following regexp in place of the one you had specified?

.*[0-9]{12}.*

That one seemed to work for me.

Also, I noticed that on the Ubuntu image that is being used, the expressions .*\d{12}.* and .*[0-9]{12}.* produce different results when used with grep -E. The latter finds/matches 12-digit strings on a line, the former does not.
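
The following is an added example, not code from the issue or from the ASH or git-secrets projects. It reproduces the allow-list step the thread is about: a .gitallowed entry is an extended regular expression fed to grep -E, and a scan hit survives only if no allowed pattern matches it. The sample hits, the account number and the access key in them are constructed values; stripping # comments and blank lines from the allow file is this example's own handling.

```sh
#!/bin/sh
# Constructed scan hits shaped like the issue's output (made-up values).
SAMPLE_HITS='infra/cdk.context.json:2:  "availability-zones:account=123456789012:region=us-east-1": [
infra/cdk.context.json:5:  "accessKey": "AKIAIOSFODNN7EXAMPLE"'

# Exit 0 if PATTERN (written as it would appear in .gitallowed) matches LINE
# under grep -E, the regex flavour git-secrets applies; otherwise exit 1.
ere_matches() {
  printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Print "match" or "no-match" for PATTERN against a 12-digit sample, so the
# two spellings discussed above can be compared on the local grep before a
# .gitallowed rule is relied upon.
probe_pattern() {
  if ere_matches "$1" 'account=123456789012'; then echo match; else echo no-match; fi
}

# Drop stdin lines matched by any pattern in ALLOWED_FILE (mirrors the
# .gitallowed filtering step). Comment and blank lines are skipped here; that
# is this example's choice, not a statement about git-secrets' parser.
filter_allowed() {
  cleaned=$(mktemp)
  grep -Ev '^[[:space:]]*(#|$)' "$1" > "$cleaned" || true
  if [ -s "$cleaned" ]; then grep -Ev -f "$cleaned" || true; else cat; fi
  rm -f "$cleaned"
}

# Number of sample hits still reported after ALLOWED_FILE is applied.
remaining_findings() {
  printf '%s\n' "$SAMPLE_HITS" | filter_allowed "$1" | grep -c . || true
}

# Stand-alone demo: compare the two pattern spellings, then apply the working
# one as an allow rule and see that only the access-key hit remains.
demo=$(mktemp)
printf '%s\n' '# aws account numbers are ok' '.*[0-9]{12}.*' > "$demo"
printf '%s\n' "\\d form:   $(probe_pattern '.*\d{12}.*')"
printf '%s\n' "[0-9] form: $(probe_pattern '.*[0-9]{12}.*')"
printf '%s\n' "findings left with the [0-9] rule: $(remaining_findings "$demo")"
rm -f "$demo"
```

Run it on the same image ASH uses; if the \d form reports no-match there while [0-9] reports match, the allow rule must use the POSIX bracket class to take effect.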

bestickley commented 4 months ago

@climbertjh2, you're a genius, that worked! Thank you very much.