Closed uditgpt5 closed 3 years ago
@jparise detect-secrets gives output in following format: "/home/uditgupta/code/pinboard/api/handlers/v3/login_handlers.py": [ { "hashed_secret": "e80b685c2cea92fe1970765ab5efcfdd5115hif5", "is_verified": false, "line_number": 76, "type": "Secret Keyword" } ] As you can see it gives information about line number so that it'll be easier for developers to fix.
Oh good! That should be easy to parse (as JSON) using `$json = json_decode($string, true)`. You can then extract the `line_number` value and set it using `$message->setLine()`.
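One way to wire that suggestion into an Arcanist external linter, as an added example that is not code from this PR or from detect-secrets: `json_decode` the scanner's stdout, walk the path-to-findings mapping shown above, and turn each finding into an `ArcanistLintMessage` with `setLine()`. The class name `ExampleDetectSecretsLinter` is hypothetical; the `ArcanistExternalLinter` hooks (`getDefaultBinary`, `getMandatoryFlags`, `parseLinterOutput`) and the `ArcanistLintMessage` setters are the ones Arcanist's external-linter base class already provides. Whether the findings sit under a top-level `results` key or at the top level (as in the snippet above) is treated as an assumption and both shapes are accepted. Only the `hashed_secret` and `type` fields are echoed back, so the lint output itself never reprints the plaintext secret.

```php
<?php
// Added example (not the project's code). Assumes Arcanist's
// ArcanistExternalLinter / ArcanistLintMessage API; class name is hypothetical.
final class ExampleDetectSecretsLinter extends ArcanistExternalLinter {

  public function getInfoName() {
    return 'detect-secrets';
  }

  public function getLinterName() {
    return 'DETECT_SECRETS';
  }

  public function getLinterConfigurationName() {
    return 'detect-secrets';
  }

  public function getDefaultBinary() {
    return 'detect-secrets';
  }

  public function getInstallInstructions() {
    return pht('Install detect-secrets with `pip install detect-secrets`.');
  }

  protected function getMandatoryFlags() {
    // "detect-secrets scan <path>" prints a JSON report to stdout.
    return array('scan');
  }

  protected function parseLinterOutput($path, $err, $stdout, $stderr) {
    $json = json_decode($stdout, true);
    if (!is_array($json)) {
      // Unparseable output: returning false makes Arcanist surface the
      // raw stdout/stderr instead of silently passing the file.
      return false;
    }

    // Assumption: newer detect-secrets wraps findings under "results";
    // the snippet in this thread shows the bare path -> findings mapping.
    $results = isset($json['results']) ? $json['results'] : $json;

    $messages = array();
    foreach ($results as $file => $findings) {
      if (!is_array($findings)) {
        continue;
      }
      foreach ($findings as $finding) {
        $line = isset($finding['line_number'])
          ? (int)$finding['line_number']
          : null;
        $type = isset($finding['type']) ? $finding['type'] : 'Unknown';
        $hash = isset($finding['hashed_secret'])
          ? $finding['hashed_secret']
          : '(no hash)';

        // setLine() is what lets Arcanist render the ">>> 15 ..." context
        // with a caret under the offending line.
        $messages[] = id(new ArcanistLintMessage())
          ->setPath($path)
          ->setLine($line)
          ->setCode($this->getLinterName())
          ->setName(pht('Possible secret (%s)', $type))
          ->setSeverity(ArcanistLintSeverity::SEVERITY_ERROR)
          ->setDescription(pht(
            "Looks like you are about to commit a secret to this repo ".
            "(hashed_secret: %s).\n".
            "If this is a deliberate test value, mark it with an inline ".
            "`pragma: allowlist secret` comment; otherwise move the secret ".
            "out of the repo and rotate it if it was already committed.",
            $hash));
      }
    }

    return $messages;
  }
}
```

The description text mirrors the mitigations the thread already lists; the important design point is that the message carries the finding's hash rather than the matched string, so a lint report pasted into a ticket or chat does not leak the secret a second time.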
@jparise changed the parsing logic to make it shorter and crisper. Here's the sample output:

```
Looks like you are about to commit secrets to this repo. Please avoid this practice
Possible mitigations:
1. For information about putting your secrets in a safer place, please
refer pinch/knox
2. If secret has already been committed please rotate that secret. If
rotation is taking significant time then please contact #security_related
slack channel
3. If its a test file with secrets (not belonging to any prod service)
mark false positives with an inline `pragma: allowlist secret` comment
{"hashed_secret":"dcac4032617d96b26e5b4ae626ee69be1c2ed481","is_verified":false,"line_number":15,"type":"Secret Keyword"}
>>> 15 SECRET = 'secret'
       ^
    16
    17
    18 class <ClassName>(TestJob):
```
@jparise we want to make the error message more specific, otherwise users will get confused about what needs to be done. At the same time we want to deploy this linter to as many repos as possible.
Yelp released an open source repo (https://github.com/Yelp/detect-secrets) which is used to detect potential secrets in a code base. Adding this open source repo as part of the Pinterest linters will allow us to prevent users from committing secrets in Phabricator.