
[FEATURE] Fail only upon adding a secret (not when removing or when a secret is on the line above or below). #1001

Open
neraun opened this issue Nov 4, 2024 · 1 comment · May be fixed by #1010
Labels
status:new This issue needs to be reviewed type:feature Feature request

Comments


neraun commented Nov 4, 2024

Is your feature request related to a problem? Please describe.

I am using ggshield in a few projects' pipelines, and first of all thanks for this great tool!

I am annoyed with a behaviour of ggshield that AFAIK cannot be customized. Since I started working on taking secrets out of my project repo, I am removing secrets one by one.

Each time I remove a secret, the ggshield job fails and I need to use SKIP=ggshield as a workaround.

Example 1 (original names and values were changed):

 10 | +define('ENV', $_ENV['ENV']);
...
25    | -$_ENV['USER'] = 'token';
26    | -$_ENV['PASSWORD'] = 'g42wyu2zA*********************************xyzxyzk7g';
27    | -$_ENV['X-OVH-TOKEN'] = '8au611**-****-****-****-******21xyq6';
                                 |______________apikey______________|
28 11 |  

>> Secret detected: Generic Password

A similar issue occurs when modifying a line below or above a secret. The ggshield job fails even though the line you modified has nothing to do with a secret.

Example 2 (original names and values were changed):

27    | -$_ENV['ELASTIC_ALIAS'] = 'logs-xt-04221-a-dev-logs';
...
   27 | +$_ENV['ELASTIC_ALIAS'] = 'logs-xt-04221-a-tests-logs';
28 28 |  $_ENV['AN_API_TOKEN'] = '6yz828**-****-****-****-******2ufg2';
                                 |______________apikey_______________|
29 29 |  
30 30 |  /**

>> Secret detected: Generic Password

Here I modified line 27 and the job failed because of an existing secret on line 28.

Describe the solution you'd like

To ensure test hermeticity, ggshield should be able to fail only when a secret has been added in a specific commit.

  • Not when removed.
  • Not when modified.
  • Not when the secret is not part of the committed changes.

It is even more relevant when several developers are working on the same repo: a developer should not be blocked for a vulnerability he did not introduce.

Describe alternatives you've considered

In case the behaviour of ggshield could not be changed (for backward compatibility), implement an option to behave the way described above.

Additional context

Add any other context or screenshots about the feature request here.

@neraun neraun added status:new This issue needs to be reviewed type:feature Feature request labels Nov 4, 2024
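As an added illustration of the behaviour requested above (this is not ggshield's code and not from this thread): a small Python scanner that walks a unified diff, tracks old/new line numbers per hunk, and flags secret-like assignments only on added (`+`) lines, with an `only_added=False` switch that reproduces the current failure mode where removed and unchanged context lines also trigger. The detection rule is a deliberately simple constructed heuristic (sensitive keyword in the variable name plus a long quoted literal), not GitGuardian's detectors, and the three sample diffs are constructed with placeholder values modelled on the two examples in the issue.

```python
"""Report secret-like lines in a unified diff, optionally only on added lines.

Added example, not ggshield code. SECRET_RE is a constructed heuristic and the
sample diffs below use placeholder values; nothing here is a real credential.
"""
import re
from dataclasses import dataclass

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")
# Constructed heuristic: a name containing a sensitive keyword assigned a
# quoted literal of at least 20 characters.
SECRET_RE = re.compile(
    r"(?i)(password|token|secret|api[_-]?key)\W*\s*=\s*['\"]([^'\"]{20,})['\"]"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int     # new-file line for added/context lines, old-file line for removed
    origin: str   # "added", "removed" or "context"
    text: str


def scan_diff(diff_text: str, only_added: bool = True) -> list[Finding]:
    """Walk a unified diff and return secret-like lines.

    only_added=True  -> report only '+' lines (the behaviour the issue asks for).
    only_added=False -> also report '-' and unchanged context lines (the current
                        behaviour described in the issue).
    """
    findings: list[Finding] = []
    path = "<unknown>"
    old_line = new_line = 0
    old_left = new_left = 0  # lines still expected in the current hunk
    for raw in diff_text.splitlines():
        m = HUNK_RE.match(raw)
        if m:
            old_line, old_left = int(m.group(1)), int(m.group(2) or 1)
            new_line, new_left = int(m.group(3)), int(m.group(4) or 1)
            continue
        if old_left == 0 and new_left == 0:
            # Outside a hunk: only the new-file header matters here.
            if raw.startswith("+++ "):
                path = raw[4:].strip()
                path = path[2:] if path.startswith("b/") else path
            continue
        marker, body = (raw[0], raw[1:]) if raw else (" ", "")
        if marker == "+":
            origin, lineno = "added", new_line
            new_line, new_left = new_line + 1, new_left - 1
        elif marker == "-":
            origin, lineno = "removed", old_line
            old_line, old_left = old_line + 1, old_left - 1
        elif marker == " ":
            origin, lineno = "context", new_line
            old_line, old_left = old_line + 1, old_left - 1
            new_line, new_left = new_line + 1, new_left - 1
        else:
            continue  # e.g. "\ No newline at end of file"
        if only_added and origin != "added":
            continue
        if SECRET_RE.search(body):
            findings.append(Finding(path, lineno, origin, body.strip()))
    return findings


def should_fail(diff_text: str, only_added: bool = True) -> bool:
    """Pipeline-style verdict: fail when the scan produced any finding."""
    return bool(scan_diff(diff_text, only_added))


# Constructed sample diffs (placeholder values, not real secrets).
DIFF_REMOVED_SECRET = """\
--- a/config.php
+++ b/config.php
@@ -25,2 +10,1 @@
-$_ENV['USER'] = 'token';
-$_ENV['PASSWORD'] = 'EXAMPLE-NOT-A-REAL-SECRET-0001';
+define('ENV', $_ENV['ENV']);
"""
DIFF_NEIGHBOUR_EDIT = """\
--- a/config.php
+++ b/config.php
@@ -27,2 +27,2 @@
-$_ENV['ELASTIC_ALIAS'] = 'logs-xt-04221-a-dev-logs';
+$_ENV['ELASTIC_ALIAS'] = 'logs-xt-04221-a-tests-logs';
 $_ENV['AN_API_TOKEN'] = 'EXAMPLE-NOT-A-REAL-SECRET-0002';
"""
DIFF_ADDED_SECRET = """\
--- a/config.php
+++ b/config.php
@@ -40,0 +41,1 @@
+$_ENV['NEW_API_KEY'] = 'EXAMPLE-NOT-A-REAL-SECRET-0003';
"""

if __name__ == "__main__":
    for name, diff in [("removed", DIFF_REMOVED_SECRET),
                       ("neighbour", DIFF_NEIGHBOUR_EDIT),
                       ("added", DIFF_ADDED_SECRET)]:
        print(name, "current:", should_fail(diff, only_added=False),
              "added-only:", should_fail(diff))
```

With `only_added=True` the first two diffs (a removed secret, and an edit next to an unchanged secret) produce no finding, while the third (a newly added secret) still fails; with `only_added=False` all three fail, which is the behaviour the issue describes. The line-count bookkeeping from the `@@` header is what lets the scanner tell a removed line starting with `--` apart from a file header.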
pierrelalanne (Collaborator) commented

Hi @neraun,
Thanks for reporting this. Let me cc @Walz and @V-O: I think they'll have some insights to share regarding our plans about this.

@Walz Walz linked a pull request Nov 14, 2024 that will close this issue