mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License

Client: On secrets scan: switch off source code filter automatically #3078

Closed sven-dmlr closed 2 months ago

sven-dmlr commented 2 months ago

Situation

The SecHub client per default adds only source code files, which is fine for a SAST code scan. See https://mercedes-benz.github.io/sechub/latest/sechub-client.html#code-scan-accepted-source-code-files

For some time now, SecHub has been able to scan for secrets. For this, almost every file should be uploaded for the scan.

Currently you have to switch off the source code filters like this:

```bash
export SECHUB_WHITELIST_ALL="true"
export SECHUB_IGNORE_DEFAULT_EXCLUDES="true"
```

and define excludes for everything that is not wanted in the upload like:

```json
{
  "apiVersion": "1.0",
  "secretScan": { "use": [ "src" ] },
  "data": {
    "sources": [
      {
        "name": "src",
        "fileSystem": { "folders": [ "." ] },
        "excludes": [
          "**/node_modules/**",
          "sechub_report_*.json",
          "sechub-false-positives*.json",
          "sourcecode-*.zip"
        ]
      }
    ]
  }
}
```

Wanted

The SecHub client parses the sechub.json and identifies all "sources" that are used for secret scan in these cases:

Documentation :-)
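The logic the issue asks for, written out as an added example (not code from the SecHub client): parse the `sechub.json`, collect the data sources the `secretScan` section uses, and derive the two environment overrides from the workaround above only when a secret scan is actually configured. The `secHubConfig` type is a hypothetical minimal view of the config and the function names are assumptions; an undefined source referenced by the scan is reported as an error rather than silently leaving the default filters on.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// Minimal view of the sechub.json fields used here (hypothetical types, not the client's own).
type secHubConfig struct {
	SecretScan *struct{ Use []string `json:"use"` } `json:"secretScan"`
	Data       struct {
		Sources []struct{ Name string `json:"name"` } `json:"sources"`
	} `json:"data"`
}
// SecretScanSources returns the data-source names the secretScan section uses; it fails if the scan references a source that data.sources does not define.
func SecretScanSources(raw []byte) ([]string, error) {
	var cfg secHubConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("invalid sechub.json: %w", err)
	}
	if cfg.SecretScan == nil {
		return nil, nil // no secret scan configured: keep the SAST defaults
	}
	defined := map[string]bool{}
	for _, s := range cfg.Data.Sources {
		defined[s.Name] = true
	}
	used := []string{}
	for _, name := range cfg.SecretScan.Use {
		if !defined[name] {
			return nil, fmt.Errorf("secretScan uses undefined source %q", name)
		}
		used = append(used, name)
	}
	return used, nil
}
// FilterEnv returns the environment overrides from the issue: when a secret scan uses at
// least one source the default source-code filters are switched off, otherwise the map is empty.
func FilterEnv(raw []byte) (map[string]string, error) {
	used, err := SecretScanSources(raw)
	if err != nil {
		return nil, err
	}
	env := map[string]string{}
	if len(used) > 0 {
		env["SECHUB_WHITELIST_ALL"] = "true"
		env["SECHUB_IGNORE_DEFAULT_EXCLUDES"] = "true"
	}
	return env, nil
}
```

The caller still has to apply the user's own `excludes` list; this only decides whether the client's built-in source code filter and default excludes should be disabled for the upload.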