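def _perform_scan(args):
    """Scan the configured paths and return a formatted baseline dict.

    Args:
        args: parsed CLI namespace. Reads ``import_filename``, ``plugins``,
            ``exclude``, ``path`` and ``all_files``; rewrites ``args.exclude``
            in place to the single regex string actually used for the scan.

    Returns:
        The new baseline (as produced by ``format_for_baseline_output``),
        merged with the imported baseline when ``args.import_filename``
        names an existing one.
    """
    old_baseline = _get_existing_baseline(args.import_filename)

    # Plugins are *always* rescanned with fresh settings, because
    # we want to get the latest updates.
    plugins = initialize.from_parser_builder(args.plugins)

    # Favors --exclude argument over existing baseline's regex (if exists)
    if args.exclude:
        args.exclude = args.exclude[0]
    elif old_baseline and old_baseline.get('exclude_regex'):
        args.exclude = old_baseline['exclude_regex']

    # If we have knowledge of an existing baseline file, we should use
    # that knowledge and *not* scan that file. This has to hold even when
    # no other exclusion is configured (previously the baseline was only
    # excluded if --exclude or a stored regex was present), and the
    # fragment must not be appended again on every run, because the
    # resulting regex is persisted back into the baseline.
    if args.import_filename:
        baseline_pattern = r'^{}$'.format(args.import_filename[0])
        if not args.exclude:
            args.exclude = baseline_pattern
        elif baseline_pattern not in args.exclude:
            args.exclude += '|' + baseline_pattern

    new_baseline = baseline.initialize(
        plugins,
        args.exclude,
        args.path,
        args.all_files,
    ).format_for_baseline_output()

    if old_baseline:
        new_baseline = baseline.merge_baseline(
            old_baseline,
            new_baseline,
        )

    return new_baseline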
def _perform_scan(args):
    """Run a scan and return the resulting baseline dict.

    The ``--exclude`` regex given on the command line takes precedence;
    otherwise the ``exclude_regex`` recorded in the baseline located via
    ``args`` is reused. ``args.exclude`` is rewritten in place to the
    regex string actually used. When an existing baseline was found, the
    fresh results are merged into it before being returned.
    """
    previous = _get_existing_baseline(args)

    # Plugins are always rebuilt from the parser so new settings apply.
    plugin_list = initialize.from_parser_builder(args.plugins)

    # Command-line --exclude wins over whatever the old baseline recorded.
    inherited_regex = previous.get('exclude_regex') if previous else None
    if args.exclude:
        args.exclude = args.exclude[0]
    elif inherited_regex:
        args.exclude = inherited_regex

    results = baseline.initialize(plugin_list, args.exclude, args.scan)
    output = results.format_for_baseline_output()

    if not previous:
        return output
    return baseline.merge_baseline(previous, output)
def main(argv=None):
    """Pre-commit hook entry point: fail when new secrets are found.

    Args:
        argv: argument list to parse; ``None`` means the process arguments.

    Returns:
        1 when the baseline cannot be read, when secrets absent from the
        baseline are detected, or when the baseline file had to be
        rewritten; 0 otherwise.
    """
    args = parse_args(argv)
    if args.verbose:  # pragma: no cover
        log.set_debug_level(args.verbose)

    baseline_path = args.baseline[0]
    try:
        # Validate the baseline first so a broken one fails fast,
        # before any scanning work is done.
        baseline_collection = get_baseline(baseline_path)
    except (IOError, ValueError):
        # Error logs handled within logic.
        return 1

    plugins = initialize.from_parser_builder(args.plugins)
    scanned = find_secrets_in_files(args, plugins)

    if not baseline_collection:
        # Without a baseline every finding counts as new.
        if scanned.data:
            pretty_print_diagnostics(scanned)
            return 1
        return 0

    new_secrets = get_secrets_not_in_baseline(scanned, baseline_collection)
    if new_secrets.data:
        pretty_print_diagnostics(new_secrets)
        return 1

    # Only attempt baseline modifications if we don't find any new secrets
    baseline_modified = trim_baseline_of_removed_secrets(
        scanned,
        baseline_collection,
        args.filenames,
    )

    if VERSION != baseline_collection.version:
        baseline_collection.plugins = plugins
        baseline_collection.version = VERSION
        baseline_modified = True

    if not baseline_modified:
        return 0

    _write_to_baseline_file(
        baseline_path,
        baseline_collection.format_for_baseline_output(),
    )
    log.error(
        'The baseline file was updated.\n'
        'Probably to keep line numbers of secrets up-to-date.\n'
        'Please `git add {}`, thank you.\n\n'.format(baseline_path),
    )
    return 1
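def find_secrets_in_files(args):
    """Scan every given filename and collect the secrets found.

    Args:
        args: parsed namespace with ``plugins``, ``filenames`` and
            ``baseline`` (a list whose first entry is the baseline path).

    Returns:
        A ``SecretsCollection`` holding the results of scanning every file
        in ``args.filenames`` except the baseline file itself.
    """
    import os

    plugins = initialize.from_parser_builder(args.plugins)
    collection = SecretsCollection(plugins)

    # Obviously, don't detect the baseline file. Compare normalised
    # absolute paths rather than raw strings, so that e.g. `./x` and `x`
    # are recognised as the same file and the baseline is never scanned.
    baseline_path = os.path.abspath(args.baseline[0])
    for filename in args.filenames:
        if os.path.abspath(filename) == baseline_path:
            continue
        collection.scan_file(filename)

    return collection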
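def main(argv=None):
    """CLI entry point dispatching to the ``scan`` and ``audit`` actions.

    Args:
        argv: argument list to parse; ``None`` means the process arguments.

    Returns:
        Process exit code: 0 on success, 1 on a usage error.
    """
    # Invoked with no arguments at all: show the usage text.
    if len(sys.argv) == 1:  # pragma: no cover
        sys.argv.append('-h')

    args = parse_args(argv)
    if args.verbose:  # pragma: no cover
        log.set_debug_level(args.verbose)

    if args.action == 'scan':
        return _run_scan(args)
    if args.action == 'audit':
        return _run_audit(args)
    return 0


def _run_scan(args):
    """Handle the ``scan`` action; returns the exit code."""
    # Plugins are *always* rescanned with fresh settings, because
    # we want to get the latest updates.
    plugins = initialize.from_parser_builder(args.plugins)

    if args.string:
        line = args.string
        if isinstance(args.string, bool):
            # Bare `--string`: scan the first line read from stdin.
            # Empty stdin previously crashed with IndexError; fail cleanly.
            lines = sys.stdin.read().splitlines()
            if not lines:
                print('No input on stdin to scan!', file=sys.stderr)
                return 1
            line = lines[0]
        _scan_string(line, plugins)
        return 0

    output = baseline.format_baseline_for_output(
        _perform_scan(args, plugins),
    )
    if args.import_filename:
        _write_to_file(args.import_filename[0], output)
    else:
        print(output)
    return 0


def _run_audit(args):
    """Handle the ``audit`` action; returns the exit code."""
    if not args.diff:
        audit.audit_baseline(args.filename[0])
        return 0

    if len(args.filename) != 2:
        print(
            'Must specify two files to compare!',
            file=sys.stderr,
        )
        return 1

    try:
        audit.compare_baselines(args.filename[0], args.filename[1])
    except audit.RedundantComparisonError:
        # Comparing a file with itself is reported, not treated as failure.
        print(
            'No difference, because it\'s the same file!',
            file=sys.stderr,
        )
    return 0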
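def main(argv=None):
    """CLI entry point dispatching to the ``scan`` and ``audit`` actions.

    Args:
        argv: argument list to parse; ``None`` means the process arguments.

    Returns:
        Process exit code: 0 on success, 1 when ``--string`` is given
        without a value and stdin is empty.
    """
    # Invoked with no arguments at all: show the usage text.
    if len(sys.argv) == 1:  # pragma: no cover
        sys.argv.append('-h')

    args = parse_args(argv)
    if args.verbose:  # pragma: no cover
        log.set_debug_level(args.verbose)

    if args.action == 'scan':
        # Plugins are *always* rescanned with fresh settings, because
        # we want to get the latest updates.
        plugins = initialize.from_parser_builder(args.plugins)

        if args.string:
            line = args.string
            if isinstance(args.string, bool):
                # Bare `--string`: scan the first line read from stdin.
                # Empty stdin previously crashed with IndexError; fail cleanly.
                lines = sys.stdin.read().splitlines()
                if not lines:
                    print('No input on stdin to scan!', file=sys.stderr)
                    return 1
                line = lines[0]
            _scan_string(line, plugins)
        else:
            output = json.dumps(
                _perform_scan(args, plugins),
                indent=2,
                sort_keys=True,
                separators=(',', ': '),
            )
            if args.import_filename:
                _write_to_file(args.import_filename[0], output)
            else:
                print(output)

    elif args.action == 'audit':
        audit.audit_baseline(args.filename[0])

    return 0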