
.gitallowed is scanned for secrets making ignoring specific secrets tedious... #198

Open
jtnord opened this issue Aug 16, 2021 · 1 comment

Comments


jtnord commented Aug 16, 2021

If a file has a secret, you can ignore the specific instance of it using a regular expression in the .gitallowed file.

However, as you want the exception to be as specific as possible, generally you do not want a generic regexp but a very specific one that will match the exact secret (to prevent any other secrets).

For example a README which contains an example of how to convert an rsa private key would have the line
String s = "-----BEGIN RSA PRIVATE KEY-----\n"

And so, as you do not want to generically allow any RSA key to be added, you would add a line like the following to .gitallowed
String s = "-----BEGIN RSA PRIVATE KEY-----\\n"

This is great and allows the secret to be ignored in the file, however there is an epic fail as now you cannot commit as the .gitallowed file itself is flagged as containing a match.

c:\workarea\myrepo >git commit -a -m "Add instructions for converting a key"
README.md:72:        String s = "-----BEGIN RSA PRIVATE KEY-----\n"

[ERROR] Matched one or more prohibited patterns

Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive

c:\workarea\myrepo >echo         String s = "-----BEGIN RSA PRIVATE KEY-----\\n"> .gitallowed

c:\workarea\myrepo >git add .gitallowed

c:\workarea\myrepo >git commit -a -m "Add instructions for converting a key"
.gitallowed:1:        String s = "-----BEGIN RSA PRIVATE KEY-----\\n"

[ERROR] Matched one or more prohibited patterns

Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive

As the .gitallowed file is expected to have things that would trigger secret warnings (otherwise it would not need to contain them to suppress them), this file should be excluded from scanning.
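A small Python model of the check described in this issue, added here as an example and not code from git-secrets itself (the prohibited RSA pattern, the sample repository contents and the `scan`/`load_allowed` helpers are constructed). It shows why the escaped regex in .gitallowed suppresses the README line but does not match its own line, and that leaving .gitallowed out of the scanned file set clears the report.

```python
import re

# Constructed sample file contents (not the issue author's repository).
README_LINE = r'        String s = "-----BEGIN RSA PRIVATE KEY-----\n"'
ALLOWED_LINE = r'        String s = "-----BEGIN RSA PRIVATE KEY-----\\n"'

# Assumed prohibited pattern, as a user would register with `git secrets --add`.
PROHIBITED = [r"-----BEGIN RSA PRIVATE KEY-----"]


def load_allowed(files):
    """Allowed regexes come from .gitallowed, one per line; '#' lines are comments."""
    text = files.get(".gitallowed", "")
    return [ln for ln in text.splitlines() if ln and not ln.startswith("#")]


def scan(files, prohibited, exclude=()):
    """Model of the pre-commit check: a line is reported when it matches a
    prohibited regex and no allowed regex suppresses it.
    Returns a list of (path, lineno, line) tuples."""
    allowed = [re.compile(p) for p in load_allowed(files)]
    banned = [re.compile(p) for p in prohibited]
    hits = []
    for path, text in files.items():
        if path in exclude:  # the proposed fix: skip the allow-list file itself
            continue
        for n, line in enumerate(text.splitlines(), 1):
            if not any(b.search(line) for b in banned):
                continue
            if any(a.search(line) for a in allowed):
                continue
            hits.append((path, n, line))
    return hits


def demo():
    repo = {"README.md": "# Converting a key\n" + README_LINE + "\n"}
    before = scan(repo, PROHIBITED)      # README line is flagged
    repo[".gitallowed"] = ALLOWED_LINE + "\n"
    # The allow regex needs a literal '\n' (backslash, n); its own line holds
    # '\\n', so it suppresses README.md but not .gitallowed.
    after = scan(repo, PROHIBITED)       # only .gitallowed is flagged
    fixed = scan(repo, PROHIBITED, exclude={".gitallowed"})  # nothing flagged
    return before, after, fixed
```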

@david4096

Just ran into this as well.
