thoughtworks / talisman

Using a pre-commit hook, Talisman validates the outgoing changeset for things that look suspicious — such as tokens, passwords, and private keys.
https://thoughtworks.github.io/talisman/
MIT License

Potentially invalid checksum in githook report #416

Open second-frank opened 1 year ago

second-frank commented 1 year ago

Describe the bug

The proposed .talismanrc format of a --githook report might contain checksums that have no effect when used in the .talismanrc file, so the same finding is reported again on the next run.

Seems to happen with files whose name is used multiple times within the repository folder structure, typically readmes or scripts.

To Reproduce

git init
mkdir -p sub-folder
echo 'hello world' > sub-folder/readme.md
echo 'password = "some-secret-value"' > readme.md
git add *
talisman --githook pre-commit

When putting the reported fileignoreconfig section into a .talismanrc file and running talisman --githook pre-commit again, the same finding is reported.

Expected behavior

The proposed format by Talisman to whitelist findings should work by simply copying and pasting.

Additional context

There is a workaround by creating the checksum value explicitly via the talisman --checksum command, but the typical user would not be aware of that.

Desktop (please complete the following information):


Frank Seidel frank.seidel@mercedes-benz.com, Mercedes-Benz Tech Innovation GmbH
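As an added example, not part of the issue and not Talisman project code: the report ties the unusable checksum to file names that occur at more than one path in the repository. The script below rebuilds the reporter's repro layout in a temporary directory (constructed data), lists every basename that appears at two or more paths, and for each such path prints the talisman --checksum invocation the reporter names as the workaround. It uses only POSIX sh, find, sed, sort and uniq, does not run Talisman, and makes no attempt to recompute Talisman's own checksum, which the issue does not specify.

```shell
#!/bin/sh
# Added example (not from the issue or the Talisman project).
# Lists basenames that occur at more than one path in a tree, which is the
# condition the issue reports as producing a checksum that .talismanrc ignores.
# Assumes POSIX sh, find, sed, sort, uniq. Does not invoke talisman.

# Recreate the reporter's repro layout in a fresh temp dir (constructed data),
# plus one extra file so that not every basename collides. Prints the dir path.
make_repro_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sub-folder"
    echo 'hello world' > "$dir/sub-folder/readme.md"
    echo 'password = "some-secret-value"' > "$dir/readme.md"
    echo 'echo build' > "$dir/build.sh"
    printf '%s\n' "$dir"
}

# Print every basename that appears at two or more paths below $1, one per line.
# The .git directory is skipped because Talisman scans the working tree, not it.
duplicate_basenames() {
    (cd "$1" && find . -type f ! -path './.git/*' | sed 's#.*/##' | sort | uniq -d)
}

# For each colliding basename, print the workaround from the issue: generate the
# checksum for the exact repository-relative path rather than the bare file name.
suggest_checksum_commands() {
    root=$1
    duplicate_basenames "$root" | while IFS= read -r name; do
        (cd "$root" && find . -type f -name "$name" ! -path './.git/*' | sed 's#^\./##') \
            | while IFS= read -r path; do
                printf 'talisman --checksum %s\n' "$path"
            done
    done
}

# Usage: sh find-dup-basenames.sh /path/to/repo   (hypothetical script name)
if [ -n "${1:-}" ]; then
    suggest_checksum_commands "$1"
fi
```

Run it against a checkout before pasting a proposed fileignoreconfig entry: if the file name you are about to whitelist is printed, regenerate the checksum for that specific path with the command shown instead of trusting the value from the githook report.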

karlbrown-va commented 5 months ago

I just ran into this as well with 1.32.0.

karlbrown-va commented 5 months ago

This previously closed issue may be related: https://github.com/thoughtworks/talisman/issues/344