diff --git a/detect_secrets/core/potential_secret.py b/detect_secrets/core/potential_secret.py index eba034c79..74b52cb01 100644 --- a/detect_secrets/core/potential_secret.py +++ b/detect_secrets/core/potential_secret.py @@ -1,4 +1,5 @@ import hashlib +import random from typing import Any from typing import Dict from typing import Optional @@ -53,7 +54,9 @@ def __init__( self.fields_to_compare = ['filename', 'secret_hash', 'type'] def set_secret(self, secret: str) -> None: - self.secret_hash: str = self.hash_secret(secret) + if(len(secret) > 4): + self.secret_hash: str = self.hash_secret(secret) + self.secret_redacted: str = self.redact_secret(secret) # Note: Originally, we never wanted to keep the secret value in memory, # after finding it in the codebase. However, to support verifiable @@ -70,6 +73,15 @@ def hash_secret(secret: str) -> str: """This offers a way to coherently test this class, without mocking self.secret_hash.""" return hashlib.sha1(secret.encode('utf-8')).hexdigest() + @staticmethod + def redact_secret(secret: str) -> str: + temp = secret[2:-2] + temp = [k for k in temp] + for j in random.sample(range(len(temp) - 1),len(temp)//2): + temp[j] = '*' + temp=''.join(temp) + return secret[0] + secret[1] + temp + secret[-2] + secret[-1] + @classmethod def load_secret_from_dict(cls, data: Dict[str, Union[str, int, bool]]) -> 'PotentialSecret': """Custom JSON decoder""" @@ -91,6 +103,7 @@ def load_secret_from_dict(cls, data: Dict[str, Union[str, int, bool]]) -> 'Poten output = cls(**kwargs) output.secret_value = None output.secret_hash = str(data['hashed_secret']) + output.secret_redacted = str(data['redacted_secret']) return output @@ -100,6 +113,7 @@ def json(self) -> Dict[str, Union[str, int, bool]]: 'type': self.type, 'filename': self.filename, 'hashed_secret': self.secret_hash, + 'redacted_secret': self.secret_redacted, 'is_verified': self.is_verified, } 
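Review bot: The new `if(len(secret) > 4):` guard in set_secret now wraps the `secret_hash` assignment as well as the new redaction, so a secret of four characters or fewer leaves the instance with neither attribute; `json()` later reads `self.secret_redacted`, and `fields_to_compare` on the context line names `secret_hash`, so such an object will raise AttributeError when serialised or compared. The hash was set unconditionally before this change and should stay that way: `self.secret_hash: str = self.hash_secret(secret)` followed by `self.secret_redacted: str = self.redact_secret(secret) if len(secret) > 4 else '*' * len(secret)`. set_secret's body continues past the hunk. Style: `if len(secret) > 4:` per PEP 8, not `if(...)`.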
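Review bot: redact_secret leaves far too much of the secret in clear and that value is persisted through `json()`: the first two and last two characters are always kept, and `random.sample(range(len(temp) - 1), len(temp)//2)` masks only half of the middle and can never pick index `len(temp) - 1`, so a five-character secret is returned completely unmasked and a 16-character one exposes ten of its characters. Stored next to the `hashed_secret` SHA-1 of the full value, the unknown remainder becomes a small offline brute force. Because `random` is unseeded the output also differs on every scan, so a regenerated baseline churns even when nothing changed. Prefer a deterministic mask that keeps a fixed small prefix/suffix and hides everything else (or do not persist a redacted form at all):
```python
    @staticmethod
    def redact_secret(secret: str, keep: int = 2) -> str:
        """Deterministically mask `secret`, exposing at most `keep` chars at each end."""
        if len(secret) <= 2 * keep:
            return '*' * len(secret)
        return secret[:keep] + '*' * (len(secret) - 2 * keep) + secret[-keep:]
```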
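Review bot: `output.secret_redacted = str(data['redacted_secret'])` makes loading any baseline written before this change raise KeyError, because those entries carry only `hashed_secret`. Read the key tolerantly so existing baselines keep loading: `output.secret_redacted = str(data.get('redacted_secret', ''))`. load_secret_from_dict's signature is above the hunk; its body ends at the `return output` shown.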
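Review bot: `'redacted_secret': self.secret_redacted` assumes the attribute always exists, but set_secret in this same change assigns it only for secrets longer than four characters, so serialising a PotentialSecret built from a shorter secret raises AttributeError here. Use `'redacted_secret': getattr(self, 'secret_redacted', '')` or give the class a default. This line is also the point where partially clear-text secret material enters the committed baseline, which deserves a comment such as `# persisted in the baseline; keep the mask conservative`. json's body begins above the hunk.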
diff --git a/detect_secrets/core/secrets_collection.py b/detect_secrets/core/secrets_collection.py index d3fc4dd56..e48c790da 100644 --- a/detect_secrets/core/secrets_collection.py +++ b/detect_secrets/core/secrets_collection.py @@ -88,6 +88,10 @@ def scan_diff(self, diff: str) -> None: 'installing that package, and try again.', ) + def scan_line(self, line: str) -> None: + for secret in scan.scan_line(line): + self[secret.filename].add(secret) + def merge(self, old_results: 'SecretsCollection') -> None: """ We operate under an assumption that the latest results are always more accurate, diff --git a/detect_secrets/plugins/base.py b/detect_secrets/plugins/base.py index 01d0f6f14..23f492244 100644 --- a/detect_secrets/plugins/base.py +++ b/detect_secrets/plugins/base.py @@ -57,6 +57,8 @@ def analyze_line( is_verified: bool = False # If the filter is disabled it means --no-verify flag was passed # We won't run verification in that case + if(len(match) < 5): + return if ( 'detect_secrets.filters.common.is_ignored_due_to_verification_policies' in get_settings().filters diff --git a/detect_secrets/pre_commit_hook.py b/detect_secrets/pre_commit_hook.py index fb75832e3..acf98477e 100644 --- a/detect_secrets/pre_commit_hook.py +++ b/detect_secrets/pre_commit_hook.py @@ -1,3 +1,4 @@ +#!/usr/bin/env python3 import argparse import json import os @@ -18,6 +19,7 @@ def main(argv: Optional[List[str]] = None) -> int: try: args = parse_args(argv) + print(args) except ValueError: return 1 @@ -26,7 +28,9 @@ def main(argv: Optional[List[str]] = None) -> int: # Find all secrets in files to be committed secrets = SecretsCollection() + args.file for filename in args.filenames: + print(filename) secrets.scan_file(filename) new_secrets = secrets
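Review bot: `scan_line` relies on `scan.scan_line`, which none of the hunks shown introduces; if the helper is added elsewhere in this change that is fine, otherwise this is an AttributeError at call time. The method also has no docstring, unlike the surrounding API, so add e.g. `"""Scan a single line of text and record any secrets found in it."""`. The collection is keyed on `secret.filename`, and a free-standing line has no file, so presumably scan.scan_line fills in a placeholder or the caller must supply one; verify which before relying on the bucket this lands in.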
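Review bot: `if(len(match) < 5): return` silently discards every match shorter than five characters for all plugins, with a bare magic number, no comment, and a duplicate of the `len(secret) > 4` threshold that set_secret in potential_secret.py applies in this same change — two copies of one policy that will drift. Hoist it to a single named module-level constant, e.g. `MIN_SECRET_LENGTH = 5  # shorter matches are treated as noise`, and apply it in one place. The early return sits between the `is_verified` initialisation and the verification-policy check, so short matches also bypass verification filtering; presumably intended, but say so in a comment. analyze_line begins and ends outside the hunk; style is `if len(match) < 5:`.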
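Review bot: `print(args)` after `parse_args(argv)` is a leftover debug statement that dumps the whole parsed namespace to the hook's stdout on every commit; remove it, or route it through the logging module at debug level if it is meant to stay. main's body continues outside the hunk.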
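Review bot: The bare expression `args.file` is a no-op — it evaluates an attribute and discards it, or raises AttributeError if the parser does not define `file` (parse_args is outside the hunk, so I cannot tell which) — and `print(filename)` inside the loop is another debug print. Both should be dropped before merging so the hook's output stays limited to its findings. main's body continues past the hunk.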