Yelp · domanchi · Oct 19, 2018 · Oct 18, 2018 · Oct 18, 2018
diff --git a/detect_secrets/core/audit.py b/detect_secrets/core/audit.py
@@ -9,6 +9,7 @@
 
 from ..plugins.core import initialize
 from ..plugins.high_entropy_strings import HighEntropyStringsPlugin
+from .baseline import format_baseline_for_output
 from .baseline import merge_results
 from .bidirectional_iterator import BidirectionalIterator
 from .color import BashColor
@@ -201,12 +202,7 @@ def _handle_user_decision(decision, secret):
 
 def _save_baseline_to_file(filename, data):  # pragma: no cover
     with open(filename, 'w') as f:
-        f.write(json.dumps(
-            data,
-            indent=2,
-            sort_keys=True,
-            separators=(',', ': '),
-        ))
+        f.write(format_baseline_for_output(data))
 
 
 def _get_secret_with_context(

diff --git a/detect_secrets/core/baseline.py b/detect_secrets/core/baseline.py
@@ -1,5 +1,6 @@
 from __future__ import absolute_import
 
+import json
 import os
 import re
 import subprocess
@@ -229,6 +230,25 @@ def merge_results(old_results, new_results):
     return new_results
 
 
+def format_baseline_for_output(baseline):
+    """Sort each file's secrets, then serialize the baseline as indented JSON.
+    :type baseline: dict  (needs a `results` key mapping filename -> list of secret dicts)
+    :rtype: str
+    """
+    for filename, secret_list in baseline['results'].items():
+        baseline['results'][filename] = sorted(  # NOTE: replaces the list in the caller's dict
+            secret_list,
+            key=lambda x: (x['line_number'], x['hashed_secret'],),  # line first, hash breaks ties
+        )
+
+    return json.dumps(
+        baseline,
+        indent=2,
+        sort_keys=True,  # dict keys are emitted in sorted order
+        separators=(',', ': '),
+    )
+
+
 def _get_git_tracked_files(rootdir='.'):
     """Parsing .gitignore rules is hard.
 

diff --git a/detect_secrets/main.py b/detect_secrets/main.py
@@ -38,11 +38,8 @@ def main(argv=None):
             _scan_string(line, plugins)
 
         else:
-            output = json.dumps(
+            output = baseline.format_baseline_for_output(
                 _perform_scan(args, plugins),
-                indent=2,
-                sort_keys=True,
-                separators=(',', ': '),
             )
 
             if args.import_filename:

diff --git a/detect_secrets/pre_commit_hook.py b/detect_secrets/pre_commit_hook.py
@@ -6,6 +6,7 @@
 import textwrap
 
 from detect_secrets import VERSION
+from detect_secrets.core.baseline import format_baseline_for_output
 from detect_secrets.core.baseline import get_secrets_not_in_baseline
 from detect_secrets.core.baseline import update_baseline_with_removed_secrets
 from detect_secrets.core.log import get_logger
@@ -72,14 +73,7 @@ def main(argv=None):
 def _write_to_baseline_file(filename, payload):  # pragma: no cover
     """Breaking this function up for mockability."""
     with open(filename, 'w') as f:
-        f.write(
-            json.dumps(
-                payload,
-                indent=2,
-                sort_keys=True,
-                separators=(',', ': '),
-            ),
-        )
+        f.write(format_baseline_for_output(payload))
 
 
 def get_baseline(baseline_filename):

diff --git a/tests/core/baseline_test.py b/tests/core/baseline_test.py
@@ -1,11 +1,13 @@
 from __future__ import absolute_import
 
+import json
 import random
 
 import mock
 import pytest
 
 from detect_secrets.core import baseline
+from detect_secrets.core.baseline import format_baseline_for_output
 from detect_secrets.core.baseline import get_secrets_not_in_baseline
 from detect_secrets.core.baseline import merge_baseline
 from detect_secrets.core.baseline import merge_results
@@ -512,3 +514,33 @@ def get_secret():
             'line_number': random_number,
             'type': 'Test Type',
         }
+
+
+class TestFormatBaselineForOutput(object):
+
+    def test_sorts_by_line_number_then_hash(self):
+        output_string = format_baseline_for_output({  # input is deliberately out of order
+            'results': {
+                'filename': [
+                    {
+                        'hashed_secret': 'a',
+                        'line_number': 3,
+                    },
+                    {
+                        'hashed_secret': 'z',  # largest hash, but lowest line number
+                        'line_number': 2,
+                    },
+                    {
+                        'hashed_secret': 'f',  # shares line 3 with 'a'; hash decides the order
+                        'line_number': 3,
+                    },
+                ],
+            },
+        })
+
+        ordered_hashes = list(map(  # hashes in the order they appear in the serialized output
+            lambda x: x['hashed_secret'],
+            json.loads(output_string)['results']['filename'],
+        ))
+
+        assert ordered_hashes == ['z', 'a', 'f']  # line 2 first, then line 3 ordered by hash
diff --git a/tests/main_test.py b/tests/main_test.py
@@ -35,10 +35,9 @@ def mock_merge_baseline():
     with mock.patch(
         'detect_secrets.main.baseline.merge_baseline',
     ) as m:
-        # This return value doesn't matter, because we're not testing
-        # for it. It just needs to be a dictionary, so it can be properly
-        # JSON dumped.
-        m.return_value = {}
+        # This return value needs to have the `results` key, so that it can
+        # be formatted appropriately for output.
+        m.return_value = {'results': {}}
         yield m