def _update_tracked_repo(repo):
    """Record a clean result for *repo* and persist its tracking state.

    Called once the latest scan has shown the most recent commit to be free
    of findings, so the stored record can advance to that commit.

    :param repo: tracked repository whose latest scan found nothing
    """
    name = repo.name
    log.info('No secrets found for %s', name)
    repo.update()
    # OverrideLevel.ALWAYS: presumably writes even when a record already
    # exists — confirm against TrackedRepo.save.
    repo.save(OverrideLevel.ALWAYS)
def _extract_secrets_from_file(self, f, filename):
    """Run every configured plugin over one already-open file.

    Each plugin's findings are merged into the results object yielded
    alongside it by ``self._results_accumulator``. A decoding failure
    stops scanning of this file and is only logged as a warning, so an
    undecodable file contributes no further findings.

    :type f: File object
    :type filename: string
    """
    try:
        log.info('Checking file: %s', filename)
        accumulator = self._results_accumulator(filename)
        for found, detector in accumulator:
            found.update(detector.analyze(f, filename))
            # Rewind so the next plugin reads the file from the start.
            f.seek(0)
    except UnicodeDecodeError:
        log.warning('%s failed to load.', filename)
def _extract_secrets_from_file(self, f, filename):
    """Extract secrets from a given file object.

    For each (results, plugin) pair the accumulator yields, the plugin's
    findings for *f* are merged into that results object. If the file
    cannot be decoded as text, scanning of it stops with a warning; no
    error is propagated to the caller.

    :type f: File object
    :type filename: string
    """
    try:
        log.info("Checking file: %s", filename)
        for collected, scanner in self._results_accumulator(filename):
            hits = scanner.analyze(f, filename)
            collected.update(hits)
            # Put the stream back at offset 0 for the next scanner.
            f.seek(0)
    except UnicodeDecodeError:
        log.warning("%s failed to load.", filename)
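def main(argv=None):
    """
    Expected Usage:
      1. Initialize TrackedRepos from config.yaml, and save to crontab.
      2. Each cron command will run and scan git diff from previous commit
         saved, to now.
      3. If something is found, alert.

    :param argv: argument list handed to ``parse_args``; ``None`` lets
                 ``parse_args`` pick its own default.
    :return: shell error code
    """
    if len(sys.argv) == 1:  # pragma: no cover
        # NOTE: this inspects the process's real sys.argv even when argv
        # is supplied explicitly.
        sys.argv.append('-h')

    args = parse_args(argv)
    if args.verbose:  # pragma: no cover
        log.set_debug_level(args.verbose)

    plugin_sensitivity = parse_sensitivity_values(args)
    repo_config = parse_repo_config(args)
    s3_config = parse_s3_config(args)

    # Modes are checked in this fixed order; when more than one is given,
    # --initialize takes precedence, then --add-repo, then --scan-repo.
    if args.initialize:
        return _initialize_and_print_crontab(
            args,
            plugin_sensitivity,
            repo_config,
            s3_config,
        )
    elif args.add_repo:
        add_repo(
            args.add_repo[0],
            plugin_sensitivity,
            is_local_repo=args.local,
            s3_config=s3_config,
            repo_config=repo_config,
        )
    elif args.scan_repo:
        return _scan_tracked_repo(args, repo_config, s3_config)

    return 0


def _initialize_and_print_crontab(args, plugin_sensitivity, repo_config, s3_config):
    """Set up tracking state for every repo in the yaml and print a crontab line per newly saved repo."""
    try:
        tracked_repos = initialize_repos_from_repo_yaml(
            args.initialize,
            plugin_sensitivity,
            repo_config,
            s3_config,
        )
    except IOError:
        # Error handled in initialize_repos_from_repo_yaml
        return 1

    # Only repos whose save() returned a truthy value get a cron entry.
    cron_repos = [repo for repo in tracked_repos if repo.save()]
    if not cron_repos:
        return 0

    print('# detect-secrets scanner')
    for repo in cron_repos:
        print('{} {}'.format(
            repo.cron(),
            args.output_hook_command,
        ))
    return 0


def _scan_tracked_repo(args, repo_config, s3_config):
    """Scan one tracked repo, alert via the output hook on findings, and advance its record when clean."""
    repo_name = args.scan_repo[0]
    repo = tracked_repo_factory(args.local, bool(s3_config)) \
        .load_from_file(repo_name, repo_config, s3_config)
    if not repo:
        return 1

    secrets = repo.scan()
    if not secrets:
        # A falsy scan result is reported as failure (exit 1) and the
        # record is NOT advanced. NOTE(review): confirm an empty
        # collection is still truthy, otherwise a clean scan would never
        # reach the update below.
        return 1

    if len(secrets.data) > 0:
        log.error('SCAN COMPLETE - We found secrets in: %s', repo.name)

        secrets = secrets.json()
        set_authors_for_found_secrets(secrets, repo)

        alert = {
            'alert': 'Secrets found',
            'repo_name': repo.name,
            'secrets': secrets,
        }
        # NOTE(review): the full findings payload is written to the log at
        # ERROR level in addition to being sent to the output hook, so every
        # log sink receives the same detail the hook does.
        log.error(alert)
        args.output_hook.alert(repo.name, secrets)
    else:
        log.info('SCAN COMPLETE - STATUS: clean for %s', repo.name)

        # Save records, since the latest scan indicates that the most recent
        # commit is clean
        repo.update()
        repo.save(OverrideLevel.ALWAYS)

    return 0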