Closed rosskarchner closed 5 years ago
Here is the current output when run against cato, the test repo for Clouseau:
cato $ git secrets --scan-history
b4658804c116fdc99b8a8de7509499cced8d4771:data/data_1.json:11: "id": "321-32-1233",
b4658804c116fdc99b8a8de7509499cced8d4771:email.py:44:s = smtplib.SMTP('10.123.12.123')
b4658804c116fdc99b8a8de7509499cced8d4771:private_key.pem:1:-----BEGIN RSA PRIVATE KEY-----[...]-----END RSA PRIVATE KEY-----
b4658804c116fdc99b8a8de7509499cced8d4771:ssn.py:20: ssn = '632-11-1234'
b4658804c116fdc99b8a8de7509499cced8d4771:ssn.py:22: ssn = '970.00.0123'
a84f0a1474946ecb1ba1eb8fdea2b8a0e8865517:data/data_1.json:11: "id": "321-32-1233",
a84f0a1474946ecb1ba1eb8fdea2b8a0e8865517:email.py:44:s = smtplib.SMTP('10.123.12.123')
a84f0a1474946ecb1ba1eb8fdea2b8a0e8865517:ssn.py:20: ssn = '632-11-1234'
a84f0a1474946ecb1ba1eb8fdea2b8a0e8865517:ssn.py:22: ssn = '970.00.0123'
02432ae0267f5362a38da28ed55dc7ff35849972:data/data_1.json:11: "id": "321-32-1233",
02432ae0267f5362a38da28ed55dc7ff35849972:ssn.py:20: ssn = '632-11-1234'
02432ae0267f5362a38da28ed55dc7ff35849972:ssn.py:22: ssn = '970.00.0123'
0acdead318a5d478ae3ab7d1f9a00956520d8d0f:buried_in_history.py:11: if (data.ssn == '123-22-4321'):
0acdead318a5d478ae3ab7d1f9a00956520d8d0f:data/data_1.json:11: "id": "321-32-1233",
0acdead318a5d478ae3ab7d1f9a00956520d8d0f:ssn.py:20: ssn = '632-11-1234'
0acdead318a5d478ae3ab7d1f9a00956520d8d0f:ssn.py:22: ssn = '970.00.0123'
a1f1e9891553395ae71885a7795d0e2155c7195f:data/data_1.json:11: "id": "321-32-1233",
a1f1e9891553395ae71885a7795d0e2155c7195f:ssn.py:20: ssn = '632-11-1234'
a1f1e9891553395ae71885a7795d0e2155c7195f:ssn.py:22: ssn = '970.00.0123'
[ERROR] Matched one or more prohibited patterns
Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive
I do note that cato includes some data in commit messages, which git-secrets doesn't seem to care about, but I don't see that called out in the Clouseau output either.
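A triage helper for `--scan-history` output like the report in the comment above, added here as an example and not part of this PR or of git-secrets: it groups findings by file and matched text, so a value that recurs across commits appears once together with the commits that reported it. The sample report, its commit ids and its values are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the `<commit>:<path>:<line>:<content>` format shown above.
# Commit ids are placeholder 40-character hex strings; all values are made up.
C1, C2, C3 = "a" * 40, "b" * 40, "c" * 40
SAMPLE = f"""\
{C1}:data/users.json:11: "id": "000-00-0001",
{C1}:mail.py:44:s = smtplib.SMTP('192.0.2.10')
{C2}:data/users.json:11: "id": "000-00-0001",
{C2}:mail.py:44:s = smtplib.SMTP('192.0.2.10')
{C3}:old.py:7:    if ssn == '000-00-0002':
{C3}:data/users.json:12: "id": "000-00-0001",
[ERROR] Matched one or more prohibited patterns
"""

# 40-hex commit id, path (shortest match), line number, matched line content.
FINDING = re.compile(r"^([0-9a-f]{40}):(.+?):(\d+):(.*)$")


def group_findings(report: str) -> dict:
    """Map (path, stripped content) -> commits reporting it, in report order.

    The line number is left out of the key on purpose: the same secret often
    shifts to a different line between commits.
    """
    groups = defaultdict(list)
    for line in report.splitlines():
        m = FINDING.match(line)
        if not m:
            continue  # skips "[ERROR] ..." and the mitigation hints
        commit, path, _lineno, content = m.groups()
        key = (path, content.strip())
        if commit not in groups[key]:
            groups[key].append(commit)
    return dict(groups)


def summarize(report: str) -> list:
    """One row per unique finding: (path, content, number of commits)."""
    return [(p, c, len(commits)) for (p, c), commits in group_findings(report).items()]


if __name__ == "__main__":
    for path, content, n in summarize(SAMPLE):
        print(f"{n} commit(s)  {path}  {content!r}")
```

A finding reported in only one commit and absent from the current tree, like `old.py` in the sample, exists only in history, so deleting the file in a new commit does not remove it.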
@higs4281 those typos have been fixed
Thanks for the fix, @willbarton
@rosskarchner any reason not to merge?
@willbarton I've been wondering if it needs some wider circulation before we do that. Maybe I'll post something to dev chat.
@rosskarchner Alrighty — I was thinking it'd be good to get it merged and then integrate it into the mac setup scripts before the new laptop distribution.
The thinking here: git-secrets seems to be a pretty complete implementation of the vision we had for Clouseau, complete enough that I think it might be worth making the switch.
So, this PR strips out everything but the patterns themselves, which have been tweaked in a few places to work better as a 'provider' for git-secrets.
There are alternatives to git-secrets we might consider