slalombuild / secureli

seCureLI is a tool that enables you to experience the delight of building products by helping you get ideas from your head into working software as frictionlessly as possible, in a reliable, secure, scalable, and observable way.
Apache License 2.0

Exclusion Parameters/Arguments Are Not Being Passed On #540

Open blonienc opened 2 months ago

blonienc commented 2 months ago

As a seCureLI user, when I opt to exclude scanning a particular file or folder type, that exclusion is not being honored and the excluded files are still being scanned. The most recent example was trying to exclude snap files, but they were still being scanned.

This causes issues, as I continue to get false positive results from my seCureLI scan.

To reproduce:

1. Have secrets present in a file or folder
2. Create an exclusion rule
3. View results

AC:

schuslalom commented 1 month ago

Calling detect-secrets directly, and passing in --exclude-files works as expected:

detect-secrets scan --exclude-files '.*\.snap$'

When the following is added to .secureli/.pre-commit-config.yaml:

  - hooks:
      - args:
          - --exclude-files '.*\.snap$'
        id: detect-secrets
    repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0

The files ending in .snap are not excluded as part of the scan.

However, if the syntax is changed to:

  - hooks:
      - args: ['--exclude-files', '.*\.snap$']
        id: detect-secrets
    repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0

Then the .snap files are excluded from the scan as expected.

The last syntax works, so I think this can be solved simply with documentation in secureli on how to correctly provide arguments. The working example was taken from the detect-secrets repo: https://github.com/Yelp/detect-secrets#:~:text=args%3A%20%5B%27%2D%2Dbaseline%27%2C%20%27.secrets.baseline%27%5D

itoltz commented 1 month ago

It's worth noting that the two samples @schuslalom provided are slightly different. In the first case, the pattern is surrounded by single quotes ('.*/.snap$'), while in the second case it is not (.*/snap$).

That said, based on my testing I don't believe the presence of quotes makes a difference one way or the other. The salient point seems to be that the first example results in an array with a single element (["--exclude-files '.*\.snap$'"]) while the second example results in an array with two elements (["--exclude-files", ".*/snap$"]). The first example works if I split the file pattern into its own element.

- hooks:
    - args:
        - --exclude-files
        - '.*\.snap$'
      id: detect-secrets
  repo: https://github.com/Yelp/detect-secrets
  rev: v1.5.0

I'm looking into adding this quirk into our documentation.
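To make the argv difference concrete, here is an added example (not code from the issue or from the secureli project) that models the three `args:` variants above as the lists pre-commit hands to the hook, runs them through an argparse stand-in for the detect-secrets option (the `--exclude-files` option and positional paths are assumptions, not the real CLI), and lints a hook's `args` for the fused flag-plus-value form.

```python
import argparse
import shlex

# Constructed stand-ins for the parsed `args:` lists of the YAML variants in
# this thread. The block-style two-item list and the flow-style list
# ['--exclude-files', '.*\.snap$'] both parse to SPLIT_ARGS.
FUSED_ARGS = ["--exclude-files '.*\\.snap$'"]   # one YAML item, quotes included
SPLIT_ARGS = ["--exclude-files", ".*\\.snap$"]  # two YAML items


def parse_like_detect_secrets(argv):
    """Mock of the relevant part of an argparse CLI (assumption: an option
    --exclude-files plus zero or more positional paths). Returns the exclude
    pattern the scanner would see and everything argparse did not bind to it."""
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--exclude-files")
    parser.add_argument("path", nargs="*")
    ns, extras = parser.parse_known_args(argv)
    # A single element containing a space is never matched as an option,
    # so the fused form ends up among the paths/extras, not in exclude_files.
    return {"exclude_files": ns.exclude_files, "leftover": ns.path + extras}


def _is_fused(item):
    """True when one args element carries both a flag and a space-separated value."""
    return item.startswith("-") and "=" not in item and any(c.isspace() for c in item)


def lint_hook_args(args):
    """Return a human-readable finding for every fused element in a hook's args."""
    return [
        f"args[{i}] {item!r}: flag and value share one element; "
        f"use separate items {shlex.split(item)!r}"
        for i, item in enumerate(args)
        if _is_fused(item)
    ]


def normalize_hook_args(args):
    """Split fused elements with shell quoting rules so each token is its own argv entry."""
    out = []
    for item in args:
        out.extend(shlex.split(item) if _is_fused(item) else [item])
    return out


if __name__ == "__main__":
    for name, args in (("fused", FUSED_ARGS), ("split", SPLIT_ARGS)):
        print(name, parse_like_detect_secrets(args), lint_hook_args(args))
```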