Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PGP armor encrypted multiline yaml blocks reporting false positives, unable to exclude with pragma or regex #708

Open
1 of 2 tasks
benfiedler opened this issue Aug 9, 2023 · 0 comments
Labels
false positives triaged The issue has been reviewed but has not been solved yet.

Comments

@benfiedler
Copy link

benfiedler commented Aug 9, 2023

  • I'm submitting a ...

    • bug report
    • feature request
  • What is the current behavior?
    When using detect-secrets in a repository containing yaml with PGP armor'ed multiline message blocks, each individual line underneath BEGIN PGP MESSAGE is reported as a Base64 High Entropy String.

  • If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem

somefile.yaml:

myapp:
  user: smith
  secured_credential: |
    -----BEGIN PGP MESSAGE-----
    mQGNBF2lnPIBDAC5cL9PQoQLTMuhjbYvb4Ncuuo0bfmgPRFywX53jPhoFf4Zg6mv
    /seOXpgecTdOcVttfzC8ycIKrt3aQTiwOG/ctaR4Bk/t6ayNFfdUNxHWk4WCKzdz
    /56fW2O0F23qIRd8UUJp5IIlN4RDdRCtdhVQIAuzvp2oVy/LaS2kxQoKvph/5pQ/
    5whqsyroEWDJoSV0yOb25B/iwk/pLUFoyhDG9bj0kIzDxrEqW+7Ba8nocQlecMF3
    -----END PGP MESSAGE-----
 another_setting: true

# pragma: nextline secret does not seem sufficient for overriding this.

Here are a few different exclude regexes I have tried in my .pre-commit-config.yaml without success:

  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      -   id: detect-secrets
          name: Detect secrets
          entry: detect-secrets-hook
          # args: ['--exclude-secrets', '\-{5}BEGIN PGP MESSAGE\-{5}[\s\S]+?\-{5}END PGP MESSAGE\-{5}$']
          # args: ['--exclude-secrets', '\-{5}BEGIN PGP MESSAGE\-{5}']
          # args: ['--exclude-secrets', '"\-{5}BEGIN PGP MESSAGE\-{5}[\s\S]+?\-{5}END PGP MESSAGE\-{5}$"']
          # args: ['--exclude-secrets', '"\-{5}BEGIN PGP MESSAGE\-{5}"']
  • What is the expected behavior?
    I would think either multiline encrypted PGP Messages should be parsed and automatically permitted, or I should be able to exclude the entire block.

  • What is the motivation / use case for changing the behavior?
    Permit multiline YAML PGP secrets without excluding the entire file, or without each line being considered a secret.

  • Please tell us about your environment:

    • detect-secrets Version: v1.4.0
    • Python Version: 3.9.2
    • OS Version: Debian 11 bullseye
    • File type (if applicable): yaml
  • Other information

@lorenzodb1 lorenzodb1 added the pending The issue still needs to be reviewed by one of the maintainers. label Nov 17, 2023
Jayman2000 added a commit to Jayman2000/jasons-pre-commit-hooks that referenced this issue Jan 10, 2024
In a future commit, I’m going to add something to
.pre-commit-config.yaml that looks like this:

    repo: https://github.com/Jayman2000/yamllint-pr
    rev: 8cedbee40606fcf9f9bd202206692e26dff854b7

detect-secrets was incorrectly detecting that hash as a secret, so I
tried allowlisting it [1]:

    repo: https://github.com/Jayman2000/yamllint-pr
    # pragma: allowlist nextline secret
    rev: 8cedbee40606fcf9f9bd202206692e26dff854b7

That should have worked, but it didn’t. At the moment, there are two
open issue about this problem [2][3].

I don’t have any particular preference for detect-secrets over any other
secret-detecting tool. I only chose it because it was the first
general-purpose secret-detecting tool on pre-commit’s list of supported
hooks [4]. I chose it as an experiment to see if I would like using it,
and it turns out that like I don’t like using it.

[1]: <https://github.com/Yelp/detect-secrets#inline-allowlisting>
[2]: <Yelp/detect-secrets#435>
[3]: <Yelp/detect-secrets#708>
[4]: <https://pre-commit.com/hooks.html>
@lorenzodb1 lorenzodb1 added false positives triaged The issue has been reviewed but has not been solved yet. and removed pending The issue still needs to be reviewed by one of the maintainers. labels May 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
false positives triaged The issue has been reviewed but has not been solved yet.
Projects
None yet
Development

No branches or pull requests

2 participants