microsoft / DevSkim

DevSkim is a set of IDE plugins, language analyzers, and rules that provide security "linting" capabilities.
MIT License

Option: “--skip-git-ignored-files” causes fatal errors in logs #620

Closed TommyE123 closed 2 months ago

TommyE123 commented 3 months ago

Hi,

When running devskim with the --skip-git-ignored-files option, multiple errors are logged before the SARIF report is generated. The error messages seem to vary slightly depending on the environment where devskim is executed. Additionally, the error messages appear to be truncated, preventing a complete understanding of the issue.

To Reproduce:

  1. Run devskim in a pipeline or locally with the --skip-git-ignored-files option.
  2. Observe the errors in the logs.

Expected behavior:

When running devskim with the --skip-git-ignored-files option, no errors should be logged, and files specified in the .gitignore should be ignored during the analysis.

Screenshots:

The example screenshots are taken from a number of different repositories experiencing the same or similar errors.

Github Actions

[screenshot of the logged errors]

Azure Devops CI pipeline

[screenshot of the logged errors]

Gitlab Job

[screenshot of the logged errors]

Locally

[screenshot of the logged errors]

Versions:

Additional Information:

Thanks for your time, Tom

gfs commented 3 months ago

Thanks for the report. It looks to me like this error message indicates usage of this flag when scanning files that are not tracked by a Git work tree. The error message in particular here is not produced by DevSkim itself but is, I believe, coming from Git itself when we call out to git to check the ignore status.

I'll try to take a look to see if I can squelch the errors from appearing to the user (since they aren't actionable anyway), either by checking that a git repo exists before checking the ignore status, though it may also work to just redirect stderr so it doesn't present to the DevSkim user.

It's not clear to me from this report if this actually affects the behavior of DevSkim itself or the output report, so I'm working off the assumption that this is just an issue with the spurious error messages appearing about checking file status for files not in a work tree. But if that's incorrect, please let me know. I realize the error says fatal, but it shouldn't be from the perspective of DevSkim; it's fatal from the perspective of Git trying to check the ignore status.
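The two mitigations sketched in the comment above (confirm a Git work tree exists before asking Git about ignore status, and capture Git's stderr rather than letting it reach the user) can be shown in a small wrapper. This is an added example, not DevSkim's own code (DevSkim is C#; Python is used here so it can be run directly). It assumes only the `git` CLI and its documented behaviour: `git rev-parse --is-inside-work-tree` prints `true` inside a work tree and exits non-zero with a `fatal: not a git repository` message otherwise, and `git check-ignore -z --stdin` echoes each ignored path NUL-terminated, exiting 0 if any path was ignored, 1 if none, and 128 on a real failure.

```python
"""Added example (not DevSkim's own code): ask Git for .gitignore status without
letting Git's 'fatal: not a git repository' message leak into the scan output."""
import shutil
import subprocess
from pathlib import Path


def is_inside_work_tree(directory: Path) -> bool:
    """True only when `directory` lies inside a Git work tree.

    Outside a repository Git writes 'fatal: not a git repository ...' to stderr
    and exits 128; stderr is captured here so the user never sees it.
    """
    if shutil.which("git") is None:
        return False
    proc = subprocess.run(
        ["git", "-C", str(directory), "rev-parse", "--is-inside-work-tree"],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0 and proc.stdout.strip() == "true"


def parse_check_ignore_output(stdout: bytes) -> set[str]:
    """Decode the NUL-terminated path list printed by `git check-ignore -z`."""
    return {p.decode() for p in stdout.split(b"\0") if p}


def ignored_paths(directory: Path, candidates: list[str]) -> set[str]:
    """Return the subset of `candidates` (paths relative to `directory`) that
    the repository's ignore rules exclude.

    If `directory` is not in a work tree there is nothing to ask Git, so the
    answer is 'nothing is ignored' rather than a fatal error in the log.
    """
    if not candidates or not is_inside_work_tree(directory):
        return set()
    proc = subprocess.run(
        ["git", "-C", str(directory), "check-ignore", "-z", "--stdin"],
        # with -z, stdin paths are NUL-separated as well
        input="\0".join(candidates).encode() + b"\0",
        capture_output=True, check=False,
    )
    # 0: at least one path ignored, 1: none ignored, anything else: real failure
    if proc.returncode not in (0, 1):
        raise RuntimeError(
            "git check-ignore failed: " + proc.stderr.decode(errors="replace").strip()
        )
    return parse_check_ignore_output(proc.stdout)


if __name__ == "__main__":
    here = Path(".")
    print("inside work tree:", is_inside_work_tree(here))
    print("ignored:", ignored_paths(here, ["build/out.o", "README.md"]))
```

The work-tree check is the cheaper fix from the scanner's point of view: one `rev-parse` per scan root avoids one spurious stderr line per file, which matches the "tens to hundreds" of messages reported above. Capturing stderr is still worth keeping, so that a genuinely failing `check-ignore` surfaces as one actionable exception rather than as noise interleaved with the SARIF output.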

TommyE123 commented 3 months ago

Hello @gfs,

Thanks for getting back to me. It sounds like you have a plan!

I'm guessing you haven't seen this issue before? I've tried multiple different GitHub and Azure-hosted Git repos and was consistently seeing it both locally and in CI pipelines!

I'd need to confirm if the issue still occurs even when there's no actual error found. However, it was often showing up tens to hundreds of times in the output, depending (I guess) on the size of the repo. So I think cleaning it up would be a good idea regardless.

Thanks for your time, Tom