def _update_tracked_repo(repo):
    """Record that ``repo`` was just scanned and came back clean.

    Refreshes the repo's tracked state via ``repo.update()`` (presumably the
    last-scanned commit pointer -- confirm against the TrackedRepo class) and
    then persists it unconditionally.

    :param repo: the tracked repository whose latest scan found no secrets
    """
    log.info('No secrets found for %s', repo.name)

    # Refresh first, then force the save to overwrite whatever is already
    # stored (OverrideLevel.ALWAYS -- presumably bypasses any "already
    # exists" check; confirm against save()).
    repo.update()
    repo.save(OverrideLevel.ALWAYS)
    def _extract_secrets_from_file(self, f, filename):
        """Run every configured plugin over one already-opened file.

        The file is rewound after each plugin so the next one reads it from
        the start. If decoding the file fails, a warning is logged and the
        plugins not yet run never see that file -- it is not re-tried.

        :type f:        File object
        :type filename: string
        """
        try:
            log.info('Checking file: %s', filename)

            accumulator = self._results_accumulator(filename)
            for found, detector in accumulator:
                found.update(detector.analyze(f, filename))
                # Rewind so the following plugin sees the whole file too.
                f.seek(0)

        except UnicodeDecodeError:
            log.warning('%s failed to load.', filename)
    def _extract_secrets_from_file(self, f, filename):
        """Feed one open file through each plugin of the results accumulator.

        After every plugin the stream position is reset to 0, because a
        plugin is free to consume the stream. A UnicodeDecodeError aborts the
        remaining plugins for this file and is only logged, so such a file
        ends up only partially scanned (or not at all).

        :type f:        File object
        :type filename: string
        """
        try:
            log.info("Checking file: %s", filename)

            for collected, scanner in self._results_accumulator(filename):
                matches = scanner.analyze(f, filename)
                collected.update(matches)
                f.seek(0)  # rewind for the next plugin

        except UnicodeDecodeError:
            log.warning("%s failed to load.", filename)
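def main(argv=None):
    """Entry point for the detect-secrets-server command line.

    Expected Usage:
      1. Initialize TrackedRepos from config.yaml, and save to crontab.
      2. Each cron command will run and scan git diff from previous commit saved, to now.
      3. If something is found, alert.

    :param argv: argument list handed to ``parse_args``; ``None`` lets the
                 parser fall back to the process arguments.
    :return: shell error code (0 on success, 1 on failure)
    """
    if len(sys.argv) == 1:  # pragma: no cover
        # Invoked with no arguments at all: presumably makes the parser print
        # usage. NOTE: this inspects the real sys.argv even when ``argv`` is
        # passed explicitly.
        sys.argv.append('-h')

    args = parse_args(argv)
    if args.verbose:  # pragma: no cover
        log.set_debug_level(args.verbose)

    plugin_sensitivity = parse_sensitivity_values(args)
    repo_config = parse_repo_config(args)
    s3_config = parse_s3_config(args)

    if args.initialize:
        return _initialize_tracked_repos(
            args,
            plugin_sensitivity,
            repo_config,
            s3_config,
        )

    if args.add_repo:
        add_repo(
            args.add_repo[0],
            plugin_sensitivity,
            is_local_repo=args.local,
            s3_config=s3_config,
            repo_config=repo_config,
        )
        return 0

    if args.scan_repo:
        return _scan_tracked_repo(args, repo_config, s3_config)

    return 0


def _initialize_tracked_repos(args, plugin_sensitivity, repo_config, s3_config):
    """Set up local tracking state from the repo YAML and print crontab lines.

    :return: 1 if the YAML could not be read, else 0
    """
    try:
        tracked_repos = initialize_repos_from_repo_yaml(
            args.initialize,
            plugin_sensitivity,
            repo_config,
            s3_config,
        )
    except IOError:
        # Error handled in initialize_repos_from_repo_yaml
        return 1

    # Only repos whose save() reports success get a cron entry.
    cron_repos = [repo for repo in tracked_repos if repo.save()]
    if not cron_repos:
        return 0

    print('# detect-secrets scanner')
    for repo in cron_repos:
        print('{} {}'.format(
            repo.cron(),
            args.output_hook_command,
        ))
    return 0


def _scan_tracked_repo(args, repo_config, s3_config):
    """Scan one tracked repo; alert on findings, otherwise record the clean state.

    :return: 1 if the repo could not be loaded or the scan produced no
             result object, else 0
    """
    repo_name = args.scan_repo[0]
    repo = tracked_repo_factory(args.local, bool(s3_config)) \
        .load_from_file(repo_name, repo_config, s3_config)
    if not repo:
        return 1

    secrets = repo.scan()
    if not secrets:
        return 1

    if secrets.data:
        log.error('SCAN COMPLETE - We found secrets in: %s', repo.name)

        secrets = secrets.json()
        set_authors_for_found_secrets(secrets, repo)

        alert = {
            'alert': 'Secrets found',
            'repo_name': repo.name,
            'secrets': secrets,
        }
        # NOTE(review): the whole alert payload, including the serialized
        # findings, is written to the error log as well as handed to the
        # output hook. Confirm the serialized entries carry only hashed values
        # before treating log destinations as non-sensitive.
        log.error(alert)
        args.output_hook.alert(repo.name, secrets)
    else:
        log.info('SCAN COMPLETE - STATUS: clean for %s', repo.name)

        # Save records, since the latest scan indicates that the most recent commit is clean
        repo.update()
        repo.save(OverrideLevel.ALWAYS)

    return 0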