Open
…ecret, not the secret value itself. for CICD processes, and potential implementation of Issue awslabs#187
sparr reviewed Jun 15, 2023
| repo_run git-secrets --scan --name-only | ||
| [ $status -eq 1 ] | ||
| } | ||
| |
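Review bot: the test ending in `[ $status -eq 1 ]` only checks the exit status, which the existing `--scan` path already produces on a match, so it cannot tell whether `--name-only` changed the output at all. Assert on the bats `$output` variable as well: that it contains the path of the file holding the planted secret, and that it does not contain the planted secret string itself (for instance `[[ "$output" != *"<planted secret>"* ]]`, with the literal value the fixture plants).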
Contributor
This or another test should confirm that the output doesn't include the secret
Contributor
This PR doesn't seem to actually include the new functionality. It adds the option, but doesn't use the option. Is there a commit missing?
sparr reviewed Jun 15, 2023
| | ||
| NONGIT_OK=1 OPTIONS_SPEC="\ | ||
| git secrets --scan [-r|--recursive] [--cached] [--no-index] [--untracked] [<files>...] | ||
| git secrets --scan [-r|--recursive] [--cached] [--name-only] [--no-index] [--untracked] [<files>...] |
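Review bot: the hunk changes only the usage line of OPTIONS_SPEC; `git rev-parse --parseopt`, which git-sh-setup feeds this spec to (NONGIT_OK=1 and OPTIONS_SPEC are its conventions), also needs a `name-only` entry in the option list after the `--` separator, and nothing in the shown lines adds one, so `--name-only` would be rejected as an unknown option. Add the entry next to the existing flag definitions in the same spec (e.g. `name-only print only the names of files containing matches`) and read the resulting variable in the scan path.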
Contributor
This should also be mentioned at README.rst#synopsis
Contributor
And an update to README.rst requires make man.
sparr reviewed Jun 15, 2023
| NONGIT_OK=1 OPTIONS_SPEC="\ | ||
| git secrets --scan [-r|--recursive] [--cached] [--no-index] [--untracked] [<files>...] | ||
| git secrets --scan [-r|--recursive] [--cached] [--name-only] [--no-index] [--untracked] [<files>...] | ||
| git secrets --scan-history |
Contributor
Should this also apply to --scan-history?
Contributor
If you rebase this on master you can skip the
Description of changes:
--name-only command line option

The PR adds a --name-only option, to print only the file name containing the secret, not the secret value itself. This is useful for CICD processes, in the case that someone actually commits and pushes a credential that gets caught by the CICD script. You want the file to get flagged, but you don't want the actual credential echoed into the CICD log files.
This is a potential solution for Issue #187
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
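The behaviour the description asks for, shown as a CI-side filter over grep-style scan output, as an added example that is not the PR's or git-secrets' own code. The `names_only` function, the `SAMPLE_SCAN_OUTPUT` fixture and the exit-status convention it mirrors (1 on a match, 0 when clean) are assumptions for this example; the key values in the fixture are the AWS documentation placeholders, not real credentials.

```shell
#!/usr/bin/env bash
# Added example: reduce "path:line:content" scan output to the flagged paths,
# so a CI log records which file tripped the scan without echoing the match.
# Reads stdin, prints each path once, and returns 1 if anything was flagged.

# Constructed scan output for this example (the keys are AWS doc placeholders).
SAMPLE_SCAN_OUTPUT='config/prod.env:3:AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
config/prod.env:7:AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
src/deploy.sh:12:export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
[ERROR] Matched one or more prohibited patterns'

names_only() {
  local found=0 seen='' line path
  while IFS= read -r line; do
    case "$line" in
      \[ERROR\]*|"") continue ;;        # skip the scanner trailer and blank lines
    esac
    path=${line%%:*}                    # keep only the text before the first ':'
    case "$seen" in
      *"|$path|"*) ;;                   # already reported this file
      *) seen="$seen|$path|"
         printf '%s\n' "$path" ;;
    esac
    found=1
  done
  return "$found"                       # 1 = something was flagged, 0 = clean
}

# Usage in a pipeline (assumed invocation): git secrets --scan 2>&1 | names_only
```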