thoughtworks / talisman

Using a pre-commit hook, Talisman validates the outgoing changeset for things that look suspicious — such as tokens, passwords, and private keys.
https://thoughtworks.github.io/talisman/
MIT License

scopeconfig doesn't seem to ignore package-lock.json #360

Closed varaamo closed 2 years ago

varaamo commented 2 years ago

Adding the following lines to .talismanrc doesn't seem to ignore the package-lock.json file. I added these lines and ran talisman --scan, and it still reports the integrity fields as potential issues.

scopeconfig:

tinamthomas commented 2 years ago

Talisman does not use the .talismanrc in the scan mode. It is used for the pre-hook mode.

This is mentioned here: "Talisman currently does not support ignoring of files for scanning".

varaamo commented 2 years ago

Not sure if that's accurate. I'm running the following command: ./talisman_linux_amd64 --scan with contents of .talismanrc as follows. It's picking up the custom patterns correctly but not the scopeconfig.

scopeconfig:

svishwanath-tw commented 2 years ago

@varaamo : Scan with ignores was a special build created a long time ago for your usage. The mainline scan feature does not support ignores or custom and allowed patterns. The key problem being a way to identify a particular version of the file that is also easy for users to specify (blob-id vs commit/tag + file path vs what other options).

varaamo commented 2 years ago

@svishwanath-tw: Is there a way you can build me a version of the scan with scopeconfig and custom_patterns? We are using a pre-receive secrets scanning hook that I built at my workplace using the version of the talisman CLI you'd provided me earlier. Currently there is a need to ignore package-lock.json and other manifest files from the scans due to the false positives. Much appreciated if you can help.

svishwanath-tw commented 2 years ago

@varaamo : Please check using release v1.27.0 and close this issue if it suits you.

svishwanath-tw commented 2 years ago

@varaamo : I'm closing this issue now. Please consider open-sourcing the pre-receive script. I think others would find it useful.
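To illustrate why a lockfile's integrity fields trip a secret scanner and what a scope-based ignore changes, here is an added Python sketch that is not Talisman's own code. It models two detector types the thread mentions, a high-entropy string check and a custom_patterns check, plus a scopeconfig ignore list; the file set behind the node scope (package-lock.json, yarn.lock), the entropy threshold and the sample repository contents are assumptions constructed for the example.

```python
import math
import re

# Constructed sample repository (not from the issue): a lockfile whose sha512
# "integrity" field is a long base64 run, and a source file with a dummy token.
SAMPLE_FILES = {
    "package-lock.json": (
        '{"node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-'
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
        'ABCDEFGHIJKLMNOPQRSTUV=="}}'
    ),
    "src/config.js": 'const apiToken = "dummy-token-value";\n',
}

# Stand-in for the .talismanrc sections discussed in the thread. The files
# covered by the "node" scope are an assumption modelled on Talisman's docs.
CONFIG = {
    "scopeconfig": [{"scope": "node"}],
    "custom_patterns": [r"(?i)(token|secret|password)\s*=\s*['\"][^'\"]+['\"]"],
}
SCOPE_FILES = {"node": {"package-lock.json", "yarn.lock"}}
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits/char; a real sha512 digest in base64 scores ~6

def shannon_entropy(s: str) -> float:
    """Bits per character of s; prose scores low, digests and keys score high."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def ignored_files(config: dict) -> set:
    """Expand scopeconfig entries into the concrete file names to skip."""
    files = set()
    for entry in config.get("scopeconfig", []):
        files |= SCOPE_FILES.get(entry.get("scope"), set())
    return files

def scan(files: dict, config: dict, honour_scopes: bool) -> list:
    """Return (path, reason) findings; honour_scopes=False reproduces the bug."""
    skip = ignored_files(config) if honour_scopes else set()
    findings = []
    for path, content in files.items():
        if path in skip:
            continue  # whole-file ignore for lockfiles and manifests
        for run in BASE64_RUN.findall(content):
            if shannon_entropy(run) >= ENTROPY_THRESHOLD:
                findings.append((path, "high-entropy string"))
        if any(re.search(p, content) for p in config.get("custom_patterns", [])):
            findings.append((path, "custom pattern"))
    return findings
```

With honour_scopes=False the lockfile's integrity digest is reported alongside the real token; with the scope applied only src/config.js remains, which is the behaviour the reporter wanted from scopeconfig in scan mode.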