[feat] - Add Option to Retain False Positives During Detection

trufflesecurity / trufflehog

Find, verify, and analyze leaked credentials

https://trufflesecurity.com

GNU Affero General Public License v3.0

15.83k stars 1.65k forks source link

[feat] - Add Option to Retain False Positives During Detection #2967

Closed ahrav closed 3 months ago

ahrav commented 3 months ago

Description:

This PR introduces a new configuration option to retain false positives during the detection process. By default, the detection engine filters out false positives, but this option allows users to retain them when necessary.

Checklist:

[ ] Tests passing (make test-community)?
[ ] Lint passing (make lint this requires golangci-lint)?

rgmz commented 3 months ago

Wouldn't it make sense for filtered_unverified to do this rather than logging?

Right now, it's inconsistent behave compared to the rest of the --results options.

ahrav commented 3 months ago

Wouldn't it make sense for filtered_unverified to do this rather than logging?

I’ll defer to @rosecodym for the specifics about logging false positives. My understanding is that this change aims to make the engine more ergonomic for the enterprise product, and there might be different use cases involved. Cody has extensive experience with the false positive logic, so I’ll wait for his input.

rgmz commented 3 months ago

I think that @rgmz is noting inconsistent implementation of filtered_unverified, not the new thing you're adding. But maybe I'm misunderstanding!

It's both.

The implementation of filtered_unverified is inconsistent
If the implementation was consistent, wouldn't it look exactly like this? Is it necessary to add a new option?

ahrav commented 3 months ago

Decided to use filter_unverified to handle this case.