def test_scan_patch(client, cache, name, input_patch, expected):
c = Commit()
c._patch = input_patch
with my_vcr.use_cassette(name):
results = c.scan(
client=client,
cache=cache,
matches_ignore={},
all_policies=True,
verbose=False,
)
for result in results:
if result.scan.policy_breaks:
assert len(
result.scan.policy_breaks[0].matches) == expected.matches
if expected.first_match:
assert (result.scan.policy_breaks[0].matches[0].match ==
expected.first_match)
else:
assert result.scan.policy_breaks == []
if expected.want:
assert result.content == expected.want["content"]
assert result.filename == expected.want["filename"]
assert result.filemode == expected.want["filemode"]
def test_cache_old_config_no_new_secret(client, isolated_fs):
"""
GIVEN a cache of last found secrets same as config ignored-matches
and config ignored-matches is a list of strings
WHEN I run a scan (therefore finding no secret)
THEN config matches is unchanged and cache is empty
"""
c = Commit()
c._patch = _MULTIPLE_SECRETS
config = Config()
config.matches_ignore = [d["match"] for d in FOUND_SECRETS]
cache = Cache()
cache.last_found_secrets = FOUND_SECRETS
with my_vcr.use_cassette("multiple_secrets"):
results = c.scan(
client=client,
cache=cache,
matches_ignore=config.matches_ignore,
all_policies=True,
verbose=False,
)
assert results == []
assert config.matches_ignore == [d["match"] for d in FOUND_SECRETS]
assert cache.last_found_secrets == []
def test_cache_catches_last_found_secrets(client, isolated_fs):
"""
GIVEN an empty cache and an empty config matches-ignore section
WHEN I run a scan with multiple secrets
THEN cache last_found_secrets is updated with these secrets and saved
"""
c = Commit()
c._patch = _MULTIPLE_SECRETS
config = Config()
setattr(config, "matches_ignore", [])
cache = Cache()
cache.purge()
assert cache.last_found_secrets == list()
with my_vcr.use_cassette("multiple_secrets"):
c.scan(
client=client,
cache=cache,
matches_ignore=config.matches_ignore,
all_policies=True,
verbose=False,
)
assert config.matches_ignore == list()
cache_found_secrets = sorted(cache.last_found_secrets, key=compare_matches_ignore)
found_secrets = sorted(FOUND_SECRETS, key=compare_matches_ignore)
assert [found_secret["match"] for found_secret in cache_found_secrets] == [
found_secret["match"] for found_secret in found_secrets
]
ignore_last_found(config, cache)
for ignore in config.matches_ignore:
assert "test.txt" in ignore["name"]
cache.load_cache()
def test_banlisted_detectors(
self,
cli_fs_runner,
banlisted_detectors,
nb_secret,
):
Path("file_secret").write_text(_ONE_LINE_AND_MULTILINE_PATCH)
with my_vcr.use_cassette("_ONE_LINE_AND_MULTILINE_PATCH"):
result = cli_fs_runner.invoke(
cli,
[
"scan",
"--exit-zero",
"-v",
*banlisted_detectors,
"path",
"file_secret",
],
)
if nb_secret:
plural = nb_secret > 1
assert (f"{nb_secret} incident{'s' if plural else ''} "
f"{'have' if plural else 'has'} been found"
) in result.output
else:
assert "No secrets have been found" in result.output
def test_cache_catches_last_found_secrets(client):
"""
GIVEN an empty cache and an empty config matches-ignore section
WHEN I run a scan with multiple secrets
THEN cache last_found_secrets is updated with these secrets and saved
"""
c = Commit()
c._patch = _MULTIPLE_SECRETS
config = Config()
setattr(config, "matches_ignore", set())
cache = Cache()
cache.purge()
assert cache.last_found_secrets == set()
with my_vcr.use_cassette("multiple_secrets"):
c.scan(
client=client,
cache=cache,
matches_ignore=config.matches_ignore,
all_policies=True,
verbose=False,
)
assert config.matches_ignore == set()
assert cache.last_found_secrets == FOUND_SECRETS
cache.load_cache()
assert cache.last_found_secrets == FOUND_SECRETS
def test_cache_catches_nothing(client):
"""
GIVEN a cache of last found secrets same as config ignored-matches
WHEN I run a scan (therefore finding no secret)
THEN config matches is unchanged and cache is empty
"""
c = Commit()
c._patch = _MULTIPLE_SECRETS
config = Config()
config.matches_ignore = FOUND_SECRETS
cache = Cache()
cache.last_found_secrets = FOUND_SECRETS
with my_vcr.use_cassette("multiple_secrets"):
results = c.scan(
client=client,
cache=cache,
matches_ignore=config.matches_ignore,
all_policies=True,
verbose=False,
)
assert results == []
assert config.matches_ignore == FOUND_SECRETS
assert cache.last_found_secrets == []
def test_scan_file_secret_exit_zero(self, cli_fs_runner):
Path("file_secret").write_text(UNCHECKED_SECRET)
assert os.path.isfile("file_secret")
with my_vcr.use_cassette("test_scan_file_secret"):
result = cli_fs_runner.invoke(
cli, ["scan", "--exit-zero", "-v", "path", "file_secret"])
assert result.exit_code == 0
assert not result.exception
def test_scan_file_secret_with_validity(self, cli_fs_runner):
Path("file_secret").write_text(VALID_SECRET)
assert os.path.isfile("file_secret")
with my_vcr.use_cassette("test_scan_file_secret_with_validity"):
result = cli_fs_runner.invoke(
cli, ["-v", "scan", "path", "file_secret"])
assert result.exit_code == 1
assert result.exception
assert (
"Incident 1(Secrets detection): GitGuardian Test Token Checked (Validity: Valid) (Ignore with SHA: 56c12"
in result.output)
def test_scan_file_secret(self, cli_fs_runner):
Path("file_secret").write_text(UNCHECKED_SECRET)
assert os.path.isfile("file_secret")
with my_vcr.use_cassette("test_scan_file_secret"):
result = cli_fs_runner.invoke(
cli, ["-v", "scan", "path", "file_secret"])
assert result.exit_code == 1
assert result.exception
assert (
"GitGuardian Development Secret (Validity: Cannot Check) (Ignore with SHA: 4f307a4cae8f14cc276398c666559a6d4f959640616ed733b168a9ee7ab08fd4)" # noqa
in result.output)
def test_ignore_default_excludes_with_configuration(self, cli_fs_runner):
"""
GIVEN a path scan
WHEN ignore-default-excludes has been put to true in the configuration
THEN ignored patterns by default should NOT be used
"""
path = create_normally_ignored_file()
local_config = Path(ggshield.core.config.LOCAL_CONFIG_PATHS[0])
local_config.write_text("ignore-default-excludes: true")
with my_vcr.use_cassette("ignore_default_excludes_from_configuration"):
result = cli_fs_runner.invoke(
cli, ["scan", "-v", "path", "--recursive", "-y", "."])
assert str(path) in result.output
assert result.exit_code == 0
assert result.exception is None
def test_json_output(client, name, input_patch, expected, snapshot):
c = Commit()
c._patch = input_patch
handler = JSONHandler(verbose=True, show_secrets=False)
with my_vcr.use_cassette(name):
results = c.scan(
client=client, matches_ignore={}, all_policies=True, verbose=False
)
flat_results, exit_code = handler.process_scan(
scan=ScanCollection(id="path", type="test", results=results), top=True
)
assert exit_code == expected
json_flat_results = JSONScanCollectionSchema().dumps(flat_results)
snapshot.assert_match(JSONScanCollectionSchema().loads(json_flat_results))
async def test_success(self) -> None:
"""
Given a url,
When the `async_soupify` function is invoked,
Then an async request is made to the url and the bs4 representation is returned
"""
url = "http://httpbin.org"
with my_vcr.use_cassette(
f"{VCR_FIXTURES_DIR}/async_soupify.yaml",
serializer="response_body_compressor",
) as cass:
result = await async_soupify(url=url)
assert len(cass.requests) == 1
assert cass.requests[0].headers == {"User-agent": "Mozilla/5.0"}
assert isinstance(result, BeautifulSoup)
def test_scan_file_secret_json_with_validity(self, cli_fs_runner,
validity):
secret = VALID_SECRET if validity else UNCHECKED_SECRET
Path("file_secret").write_text(secret)
assert os.path.isfile("file_secret")
cassette_name = f"test_scan_file_secret-{validity}"
with my_vcr.use_cassette(cassette_name):
result = cli_fs_runner.invoke(
cli, ["-v", "scan", "--json", "path", "file_secret"])
assert result.exit_code == 1
assert result.exception
if validity:
assert '"validity": "valid"' in result.output
else:
assert '"validity": "valid"' not in result.output
def test_ignore_default_excludes_with_flag(self, cli_fs_runner):
"""
GIVEN a path scan
WHEN --ignore-default-excludes has been used
THEN ignored patterns by default should NOT be used
"""
path = create_normally_ignored_file()
with my_vcr.use_cassette("ignore_default_excludes_from_flag"):
result = cli_fs_runner.invoke(
cli,
[
"scan", "-v", "--ignore-default-excludes", "path",
"--recursive", "."
],
)
assert str(path) in result.output
assert result.exit_code == 0
assert result.exception is None
def test_json_output(client, cache, name, input_patch, expected, snapshot):
c = Commit()
c._patch = input_patch
handler = JSONOutputHandler(verbose=True, show_secrets=False)
with my_vcr.use_cassette(name):
results = c.scan(
client=client,
cache=cache,
matches_ignore={},
all_policies=True,
verbose=False,
banlisted_detectors=None,
)
scan = ScanCollection(id="path", type="test", results=results)
json_flat_results = handler._process_scan_impl(scan)
exit_code = OutputHandler._get_exit_code(scan)
assert exit_code == expected
snapshot.assert_match(
JSONScanCollectionSchema().loads(json_flat_results))
def test_docker_scan_archive(
self,
get_files_mock: Mock,
cli_fs_runner: click.testing.CliRunner,
image_path: Path,
):
assert image_path.exists()
get_files_mock.return_value = Files(
files=[File(document=_SIMPLE_SECRET, filename="file_secret")])
with my_vcr.use_cassette("test_scan_file_secret"):
result = cli_fs_runner.invoke(
cli,
[
"-v",
"scan",
"docker-archive",
str(image_path),
],
)
get_files_mock.assert_called_once()
assert "1 incident has been found in file file_secret" in result.output
assert result.exit_code == 1
def test_api_status(cassette, json_output, snapshot, cli_fs_runner):
with my_vcr.use_cassette(cassette):
cmd = ["api-status", "--json"] if json_output else ["api-status"]
result = cli_fs_runner.invoke(cli, cmd, color=False)
assert result.exit_code == 0
snapshot.assert_match(result.output)
