You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
What is the current behavior?
When using detect-secrets in a repository containing yaml with PGP armor'ed multiline message blocks, each individual line underneath BEGIN PGP MESSAGE is reported as a Base64 High Entropy String.
If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem
What is the expected behavior?
I would think either multiline encrypted PGP Messages should be parsed and automatically permitted, or I should be able to exclude the entire block.
What is the motivation / use case for changing the behavior?
Permit multiline YAML PGP secrets without excluding the entire file, or without each line being considered a secret.
Please tell us about your environment:
detect-secrets Version: v1.4.0
Python Version: 3.9.2
OS Version: Debian 11 bullseye
File type (if applicable): yaml
Other information
The text was updated successfully, but these errors were encountered:
In a future commit, I’m going to add something to
.pre-commit-config.yaml that looks like this:
repo: https://github.com/Jayman2000/yamllint-pr
rev: 8cedbee40606fcf9f9bd202206692e26dff854b7
detect-secrets was incorrectly detecting that hash as a secret, so I
tried allowlisting it [1]:
repo: https://github.com/Jayman2000/yamllint-pr
# pragma: allowlist nextline secret
rev: 8cedbee40606fcf9f9bd202206692e26dff854b7
That should have worked, but it didn’t. At the moment, there are two
open issue about this problem [2][3].
I don’t have any particular preference for detect-secrets over any other
secret-detecting tool. I only chose it because it was the first
general-purpose secret-detecting tool on pre-commit’s list of supported
hooks [4]. I chose it as an experiment to see if I would like using it,
and it turns out that like I don’t like using it.
[1]: <https://github.com/Yelp/detect-secrets#inline-allowlisting>
[2]: <Yelp/detect-secrets#435>
[3]: <Yelp/detect-secrets#708>
[4]: <https://pre-commit.com/hooks.html>
I'm submitting a ...
What is the current behavior?
When using detect-secrets in a repository containing yaml with PGP armor'ed multiline message blocks, each individual line underneath
BEGIN PGP MESSAGE
is reported as a Base64 High Entropy String.If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem
somefile.yaml:
# pragma: nextline secret
does not seem sufficient for overriding this.Here are a few different exclude regexes I have tried in my
.pre-commit-config.yaml
without success:What is the expected behavior?
I would think either multiline encrypted PGP Messages should be parsed and automatically permitted, or I should be able to exclude the entire block.
What is the motivation / use case for changing the behavior?
Permit multiline YAML PGP secrets without excluding the entire file, or without each line being considered a secret.
Please tell us about your environment:
Other information
The text was updated successfully, but these errors were encountered: