From e25d660b21a2862ea224b96a0b189f4db3a8a3b8 Mon Sep 17 00:00:00 2001 From: issabayevmk <48990804+issabayevmk@users.noreply.github.com> Date: Fri, 17 May 2024 13:06:23 +0200 Subject: [PATCH 01/11] Added API for python scripts --- detect_secrets/api.py | 174 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 174 insertions(+) create mode 100644 detect_secrets/api.py diff --git a/detect_secrets/api.py b/detect_secrets/api.py new file mode 100644 index 000000000..6c2cc8ef4 --- /dev/null +++ b/detect_secrets/api.py @@ -0,0 +1,174 @@ +import os +import importlib +import pkgutil +import inspect +from abc import ABC +from git import Repo, InvalidGitRepositoryError + +from detect_secrets import plugins as ds_plugins +from detect_secrets.plugins.base import BasePlugin + + +def is_concrete_class(cls): + return ( + not inspect.isabstract(cls) + and issubclass(cls, BasePlugin) + and cls is not BasePlugin + ) + + +def load_all_plugins(): + """ + Load and return all available plugins from detect-secrets. + """ + plugins = [] + package = ds_plugins + for _, module_name, _ in pkgutil.iter_modules(package.__path__): + module = importlib.import_module(f"{package.__name__}.{module_name}") + for name, obj in inspect.getmembers(module, inspect.isclass): + if is_concrete_class(obj): + plugins.append(obj()) + return plugins + + +def load_plugin_by_name(plugin_name: str): + """ + Dynamically load and return an instance of the specified plugin by name. + """ + package = ds_plugins + for _, module_name, _ in pkgutil.iter_modules(package.__path__): + module = importlib.import_module(f"{package.__name__}.{module_name}") + for name, obj in inspect.getmembers(module, inspect.isclass): + if name == plugin_name and is_concrete_class(obj): + return obj() + raise ValueError( + f"Error: no plugin found with name: '{plugin_name}'. 
To get the list of supported plugins, call list_plugins()" + ) + + +def load_specified_plugins(plugin_names: [str]): + """ + Dynamically load and return specified plugins by name. + """ + plugins = [] + for plugin_name in plugin_names: + plugins.append(load_plugin_by_name(plugin_name)) + return plugins + + +def list_plugins(): + """ + Retunr a list of available plugins to use. + """ + plugins = [] + package = ds_plugins + for _, module_name, _ in pkgutil.iter_modules(package.__path__): + module = importlib.import_module(f"{package.__name__}.{module_name}") + for name, obj in inspect.getmembers(module, inspect.isclass): + if is_concrete_class(obj): + plugins.append(name) + return plugins + + +def scan_string(string_to_check: str, plugins: str = "all"): + """ + Scan a string for secrets using the specified plugins. + + Args: + string_to_check (str): string to to scan for secrets. + plugins (str): Names of the comma (,) separated detect-secrets plugin names to use. + """ + if not isinstance(string_to_check, str): + raise ValueError(f"Error: '{string_to_check}' must be 'string' object") + + if not isinstance(plugins, str): + raise ValueError( + f"Error: '{plugins}' must be comma (,) sepated 'string' object" + ) + + if plugins == "all": + detectors = load_all_plugins() + else: + plugin_names = plugins.split(",") + detectors = load_specified_plugins(plugin_names) + + found_secrets = {} + for detector in detectors: + secrets = detector.analyze_string(string_to_check) + detector_name = detector.json().get("name") + for secret in secrets: + if detector_name not in found_secrets: + found_secrets[detector_name] = [secret] + elif secret not in found_secrets[detector_name]: + found_secrets[detector_name].append(secret) + return found_secrets + + +def scan_file(filepath: str, plugins: str = "all"): + """ + Scan a local file for secrets using the specified plugins. + + Args: + filepath (str): Path to the local file. 
+ plugins (str): Names of the comma (,) separated detect-secrets plugin names to use. + """ + if not isinstance(filepath, str): + raise ValueError( + f"Error: '{filepath}' must be 'string' formatted path to a file" + ) + + try: + with open(filepath, "r") as file: + lines = file.readlines() + found_secrets = {} + for idx, line in enumerate(lines): + secrets_in_line = scan_string(line, plugins) + if secrets_in_line != {}: + found_secrets[f"Line {idx + 1}"] = secrets_in_line + return found_secrets + except Exception as e: + raise ValueError(f"Error scanning '{filepath}': {e}") + + +def scan_git_repository( + repo_path: str, plugins: str = "all", scan_all_files: bool = False +): + """ + Scan a local Git repository for secrets using the specified plugins. + + Args: + repo_path (str): Path to the local Git repository. + plugins (str): Names of the comma (,) separated detect-secrets plugin names to use. + scan_all_files (bool): If True, scan all files in the repository. If False, scan only Git-tracked files. 
+ """ + if not isinstance(scan_all_files, bool): + raise ValueError(f"Error: 'scan_all_files' must be 'bool' type") + + try: + repo = Repo(repo_path) + if repo.bare: + raise InvalidGitRepositoryError + + files_to_scan = [] + if scan_all_files: + for root, _, files in os.walk(repo_path): + if ".git" in root: + continue + for file in files: + files_to_scan.append(os.path.join(root, file)) + else: + files_to_scan = [ + os.path.join(repo_path, item.a_path) for item in repo.index.diff(None) + ] + files_to_scan.extend( + [os.path.join(repo_path, item) for item in repo.untracked_files] + ) + + found_secrets = {} + for filepath in files_to_scan: + secrets_in_file = scan_file(filepath, plugins) + if secrets_in_file != {}: + found_secrets[filepath] = secrets_in_file + return found_secrets + except InvalidGitRepositoryError: + raise ValueError(f"Error: '{repo_path}' is not a valid Git repositoty") From 5f2a63c92d4cb23d0dd6739043383634e0c13861 Mon Sep 17 00:00:00 2001 From: issabayevmk <48990804+issabayevmk@users.noreply.github.com> Date: Fri, 17 May 2024 13:07:06 +0200 Subject: [PATCH 02/11] Add files via upload --- tests/api_test.py | 67 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 tests/api_test.py diff --git a/tests/api_test.py b/tests/api_test.py new file mode 100644 index 000000000..74d44b8f8 --- /dev/null +++ b/tests/api_test.py @@ -0,0 +1,67 @@ +from git import Repo +import json +import os +import subprocess +import sys +import tempfile +from contextlib import contextmanager +from contextlib import redirect_stdout +from pathlib import Path +from unittest import mock + +import pytest + +from detect_secrets.api import load_plugin_by_name +from detect_secrets.api import scan_string +from detect_secrets.api import scan_file +from detect_secrets.api import scan_git_repository + + +class TestApi: + + def test_load_plugin_by_name(self): + plugin_name = "AWSKeyDetector" + plugin = load_plugin_by_name(plugin_name) + assert 
plugin.__class__.__name__ == plugin_name + + def test_scan_string_with_specified_plugin(self): + string = "AWS_SECRET_KEY = 'AKIAIOSFODNN7EXAMPLE'" + plugin_name = "AWSKeyDetector" + + return_value = {plugin_name: ["AKIAIOSFODNN7EXAMPLE"]} + + result = scan_string(string, plugin_name) + assert result == {"AWSKeyDetector": ["AKIAIOSFODNN7EXAMPLE"]} + + def test_scan_file_for_secrets(self): + plugin_name = "AWSKeyDetector" + return_value = [ + { + "Line 1": { + "AWSKeyDetector": ["AKIAIOSFODNN7EXAMPLE"], + "Base64HighEntropyString": ["AKIAIOSFODNN7EXAMPLE"], + "KeywordDetector": ["AKIAIOSFODNN7EXAMPLE"], + } + } + ] + + with tempfile.NamedTemporaryFile(delete=False) as temp_file: + temp_file.write(b"AWS_SECRET_KEY = 'AKIAIOSFODNN7EXAMPLE'\nNo secrets here") + temp_file_path = temp_file.name + + result = scan_file(temp_file_path, plugin_name) + assert result == {"Line 1": {"AWSKeyDetector": ["AKIAIOSFODNN7EXAMPLE"]}} + + def test_scan_git_repository(self): + repo_path = tempfile.mkdtemp() + # os.makedirs(os.path.join(repo_path, '.git')) + repo = Repo.init(repo_path) + with open(f"{repo_path}/test-file.txt", "w") as temp_file: + temp_file.write("AWS_SECRET_KEY = 'AKIAIOSFODNN7EXAMPLE'") + + result = scan_git_repository(repo_path, "AWSKeyDetector", scan_all_files=True) + assert result == { + f"{repo_path}/test-file.txt": { + "Line 1": {"AWSKeyDetector": ["AKIAIOSFODNN7EXAMPLE"]} + } + } From 7c6196e3b2fcf5d6f59f62e5aee4488bebfc43f7 Mon Sep 17 00:00:00 2001 From: Mustafa Issabayev <48990804+issabayevmk@users.noreply.github.com> Date: Fri, 7 Jun 2024 13:32:47 +0200 Subject: [PATCH 03/11] Update README.md --- README.md | 124 +++++++++++++++++++++++++++++++++--------------------- 1 file changed, 76 insertions(+), 48 deletions(-) diff --git a/README.md b/README.md index 1a08f131c..6c491e278 100644 --- a/README.md +++ b/README.md @@ -147,62 +147,90 @@ $ detect-secrets audit .secrets.baseline ### Usage in Other Python Scripts -**Basic Use:** +Detect-secrets API for python 
scripts supports scans for secrets in strings, files, and Git repositories. It supports scanning with default settings or with advanced settings by providing Plugins and Filters. Git repository scanning allows either all files or only Git-tracked files in a local repository. +**Scanning with Default Settings** ```python -from detect_secrets import SecretsCollection -from detect_secrets.settings import default_settings +#scanning a string with default settings +from detect_secrets.api import scan_string -secrets = SecretsCollection() -with default_settings(): - secrets.scan_file('test_data/config.ini') +string_to_check = "AWS_SECRET_KEY = 'AKIAIOSFODNN7EXAMPLE'" +secrets = scan_string(string=string_to_check) +print(secrets) +#scanning a file with default settings +from detect_secrets.api import scan_file -import json -print(json.dumps(secrets.json(), indent=2)) -``` +secrets = scan_file(filepath='/path/to/file.txt') +print(secrets) + +#scanning a git repo with default settings +from detect_secrets.api import scan_git_repository -**More Advanced Configuration:** +#scanning a git repo with default settings, only git tracked files +secrets = scan_git_repository(repo_path='/path/to/repository') +print(secrets) + +#scanning a git repo with default settings, all files +secrets = scan_git_repository(repo_path='/path/to/repository', scan_all_files=True) +print(secrets) +``` +**Scanning with More Advanced Configurations** ```python -from detect_secrets import SecretsCollection -from detect_secrets.settings import transient_settings - -secrets = SecretsCollection() -with transient_settings({ - # Only run scans with only these plugins. - # This format is the same as the one that is saved in the generated baseline. 
- 'plugins_used': [ - # Example of configuring a built-in plugin - { - 'name': 'Base64HighEntropyString', - 'limit': 5.0, - }, - - # Example of using a custom plugin - { - 'name': 'HippoDetector', - 'path': 'file:///Users/aaronloo/Documents/github/detect-secrets/testing/plugins.py', - }, - ], - - # We can also specify whichever additional filters we want. - # This is an example of using the function `is_identified_by_ML_model` within the - # local file `./private-filters/example.py`. - 'filters_used': [ - { - 'path': 'file://private-filters/example.py::is_identified_by_ML_model', - }, - ] -}) as settings: - # If we want to make any further adjustments to the created settings object (e.g. - # disabling default filters), we can do so as such. - settings.disable_filters( - 'detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign', - 'detect_secrets.filters.heuristic.is_likely_id_string', - ) - - secrets.scan_file('test_data/config.ini') +# Only run scans with only these plugins. +# This format is the same as the one that is saved in the generated baseline. +plugins_used = [ + # Example of configuring a built-in plugin + { + 'name': 'Base64HighEntropyString', + 'limit': 5.0, + }, + # Example of using a custom plugin + { + 'name': 'HippoDetector', + 'path': 'file:///Users/aaronloo/Documents/github/detect-secrets/testing/plugins.py', + }, +] + +# We can also specify whichever additional filters we want. +# This is an example of using the function `is_identified_by_ML_model` within the +# local file `./private-filters/example.py`. 
+filters_used = [ + { + 'path': 'file://private-filters/example.py::is_identified_by_ML_model', + }, +] +# get default settings +from detect_secrets.api import get_settings +settings = get_settings() +print(settings) + +# get settings with advanced configuration +setting = get_settings(plugins=plugins_used, filters=filters_used) + +# scanning a string with advanced configuration +from detect_secrets.api import scan_string + +secrets = scan_string(string=string_to_check, plugins=plugins_used, filters=filters_used) +print(secrets) + +# scanning a file with advanced configuration +from detect_secrets.api import scan_file + +secrets = scan_file(filepath='path/to/file', plugins=plugins_used, filters=filters_used) +print(secrets) + +# scanning a git repository with advanced configuration +from detect_secrets.api import scan_git_repository + +# Only Git tracked files +secrets = scan_git_repository(repo_path='path/to/git/repo', plugins=plugins_used, filters=filters_used) +print(secrets) + +# All files +secrets = scan_git_repository(repo_path='path/to/git/repo', scan_all_files=True, plugins=plugins_used, filters=filters_used) +print(secrets) ``` ## Installation From bbf6e8c106c823e3796ed9a351654ae0bffb62db Mon Sep 17 00:00:00 2001 From: Mustafa Issabayev <48990804+issabayevmk@users.noreply.github.com> Date: Fri, 7 Jun 2024 13:34:26 +0200 Subject: [PATCH 04/11] Deleted tests/api_test.py --- tests/api_test.py | 67 ----------------------------------------------- 1 file changed, 67 deletions(-) delete mode 100644 tests/api_test.py diff --git a/tests/api_test.py b/tests/api_test.py deleted file mode 100644 index 74d44b8f8..000000000 --- a/tests/api_test.py +++ /dev/null @@ -1,67 +0,0 @@ -from git import Repo -import json -import os -import subprocess -import sys -import tempfile -from contextlib import contextmanager -from contextlib import redirect_stdout -from pathlib import Path -from unittest import mock - -import pytest - -from detect_secrets.api import load_plugin_by_name -from 
detect_secrets.api import scan_string -from detect_secrets.api import scan_file -from detect_secrets.api import scan_git_repository - - -class TestApi: - - def test_load_plugin_by_name(self): - plugin_name = "AWSKeyDetector" - plugin = load_plugin_by_name(plugin_name) - assert plugin.__class__.__name__ == plugin_name - - def test_scan_string_with_specified_plugin(self): - string = "AWS_SECRET_KEY = 'AKIAIOSFODNN7EXAMPLE'" - plugin_name = "AWSKeyDetector" - - return_value = {plugin_name: ["AKIAIOSFODNN7EXAMPLE"]} - - result = scan_string(string, plugin_name) - assert result == {"AWSKeyDetector": ["AKIAIOSFODNN7EXAMPLE"]} - - def test_scan_file_for_secrets(self): - plugin_name = "AWSKeyDetector" - return_value = [ - { - "Line 1": { - "AWSKeyDetector": ["AKIAIOSFODNN7EXAMPLE"], - "Base64HighEntropyString": ["AKIAIOSFODNN7EXAMPLE"], - "KeywordDetector": ["AKIAIOSFODNN7EXAMPLE"], - } - } - ] - - with tempfile.NamedTemporaryFile(delete=False) as temp_file: - temp_file.write(b"AWS_SECRET_KEY = 'AKIAIOSFODNN7EXAMPLE'\nNo secrets here") - temp_file_path = temp_file.name - - result = scan_file(temp_file_path, plugin_name) - assert result == {"Line 1": {"AWSKeyDetector": ["AKIAIOSFODNN7EXAMPLE"]}} - - def test_scan_git_repository(self): - repo_path = tempfile.mkdtemp() - # os.makedirs(os.path.join(repo_path, '.git')) - repo = Repo.init(repo_path) - with open(f"{repo_path}/test-file.txt", "w") as temp_file: - temp_file.write("AWS_SECRET_KEY = 'AKIAIOSFODNN7EXAMPLE'") - - result = scan_git_repository(repo_path, "AWSKeyDetector", scan_all_files=True) - assert result == { - f"{repo_path}/test-file.txt": { - "Line 1": {"AWSKeyDetector": ["AKIAIOSFODNN7EXAMPLE"]} - } - } From f7862ddc57f21c010f099a96977cb1b494ae29f9 Mon Sep 17 00:00:00 2001 From: Mustafa Issabayev <48990804+issabayevmk@users.noreply.github.com> Date: Fri, 7 Jun 2024 13:35:34 +0200 Subject: [PATCH 05/11] Refactored API api.py --- detect_secrets/api.py | 233 +++++++++++++++++++++--------------------- 1 file changed, 
119 insertions(+), 114 deletions(-) diff --git a/detect_secrets/api.py b/detect_secrets/api.py index 6c2cc8ef4..8060613a7 100644 --- a/detect_secrets/api.py +++ b/detect_secrets/api.py @@ -1,148 +1,152 @@ -import os -import importlib -import pkgutil -import inspect -from abc import ABC from git import Repo, InvalidGitRepositoryError +from detect_secrets import SecretsCollection +from detect_secrets.settings import default_settings, transient_settings -from detect_secrets import plugins as ds_plugins -from detect_secrets.plugins.base import BasePlugin - -def is_concrete_class(cls): - return ( - not inspect.isabstract(cls) - and issubclass(cls, BasePlugin) - and cls is not BasePlugin - ) - - -def load_all_plugins(): +def get_settings(filters=None, plugins=None): """ - Load and return all available plugins from detect-secrets. + Return used plugins and filters to be used to scan with provided params """ - plugins = [] - package = ds_plugins - for _, module_name, _ in pkgutil.iter_modules(package.__path__): - module = importlib.import_module(f"{package.__name__}.{module_name}") - for name, obj in inspect.getmembers(module, inspect.isclass): - if is_concrete_class(obj): - plugins.append(obj()) - return plugins + if filters and not isinstance(filters, list): + raise ValueError(f"Error: 'filters' must be List object") + if plugins and not isinstance(plugins, list): + raise ValueError(f"Error: 'plugins' must be List object") -def load_plugin_by_name(plugin_name: str): - """ - Dynamically load and return an instance of the specified plugin by name. - """ - package = ds_plugins - for _, module_name, _ in pkgutil.iter_modules(package.__path__): - module = importlib.import_module(f"{package.__name__}.{module_name}") - for name, obj in inspect.getmembers(module, inspect.isclass): - if name == plugin_name and is_concrete_class(obj): - return obj() - raise ValueError( - f"Error: no plugin found with name: '{plugin_name}'. 
To get the list of supported plugins, call list_plugins()" - ) - - -def load_specified_plugins(plugin_names: [str]): - """ - Dynamically load and return specified plugins by name. - """ - plugins = [] - for plugin_name in plugin_names: - plugins.append(load_plugin_by_name(plugin_name)) - return plugins + if filters: + filters_used = filters + else: + filters_used = [] + with default_settings() as settings: + for key in settings.filters: + filters_used.append({'path': key}) + if plugins: + plugins_used = plugins + else: + plugins_used = [] + with default_settings() as settings: + for key in settings.plugins: + plugins_used.append({'name': key}) -def list_plugins(): - """ - Retunr a list of available plugins to use. - """ - plugins = [] - package = ds_plugins - for _, module_name, _ in pkgutil.iter_modules(package.__path__): - module = importlib.import_module(f"{package.__name__}.{module_name}") - for name, obj in inspect.getmembers(module, inspect.isclass): - if is_concrete_class(obj): - plugins.append(name) - return plugins + return {"plugins": plugins_used, "filters": filters_used} -def scan_string(string_to_check: str, plugins: str = "all"): +def scan_string(string: str, filters=None, plugins=None): """ - Scan a string for secrets using the specified plugins. + Scan a string for secrets using detect-secrets with custom filters and plugins - Args: - string_to_check (str): string to to scan for secrets. - plugins (str): Names of the comma (,) separated detect-secrets plugin names to use. 
+ :param string: String to scan + :param filters: Custom filters for detect-secrets + :param plugins: Custom plugins for detect-secrets + :return: Detected secrets in str format """ - if not isinstance(string_to_check, str): - raise ValueError(f"Error: '{string_to_check}' must be 'string' object") + if not isinstance(string, str): + raise ValueError(f"Error: '{string}' must be 'string' formatted path to a file") + + if filters and not isinstance(filters, list): + raise ValueError(f"Error: 'filters' must be List object") + + if plugins and not isinstance(plugins, list): + raise ValueError(f"Error: 'plugins' must be List object") + + # Initialize a SecretsCollection + secrets = SecretsCollection() + + # Load default settings if no filters and plugins provided: + if not filters and not plugins: + settings = default_settings() + # Scan the string + with settings: + secrets.scan_string(string) + return secrets.json() + elif filters and not plugins: + filters_used = filters + plugins_used = get_settings(plugins=plugins).get("plugins") + elif not filters and plugins: + plugins_used = plugins + filters_used = get_settings(filters=filters).get("filters") + else: + filters_used = filters + plugins_used = plugins + # Scan the string + with transient_settings( + {"plugins_used": plugins_used, "filters_used": filters_used} + ) as settings: + secrets.scan_string(string) + return secrets.json() - if not isinstance(plugins, str): - raise ValueError( - f"Error: '{plugins}' must be comma (,) sepated 'string' object" - ) - if plugins == "all": - detectors = load_all_plugins() - else: - plugin_names = plugins.split(",") - detectors = load_specified_plugins(plugin_names) - - found_secrets = {} - for detector in detectors: - secrets = detector.analyze_string(string_to_check) - detector_name = detector.json().get("name") - for secret in secrets: - if detector_name not in found_secrets: - found_secrets[detector_name] = [secret] - elif secret not in found_secrets[detector_name]: - 
found_secrets[detector_name].append(secret) - return found_secrets - - -def scan_file(filepath: str, plugins: str = "all"): +def scan_file(filepath, filters=None, plugins=None): """ - Scan a local file for secrets using the specified plugins. + Scan a file for secrets using detect-secrets with custom filters and plugins - Args: - filepath (str): Path to the local file. - plugins (str): Names of the comma (,) separated detect-secrets plugin names to use. + :param filepath: Path to the file to scan + :param filters: Custom filters for detect-secrets + :param plugins: Custom plugins for detect-secrets + :return: Detected secrets in str format """ if not isinstance(filepath, str): raise ValueError( f"Error: '{filepath}' must be 'string' formatted path to a file" ) + if filters and not isinstance(filters, list): + raise ValueError(f"Error: 'filters' must be List object") + + if plugins and not isinstance(plugins, list): + raise ValueError(f"Error: 'plugins' must be List object") + try: - with open(filepath, "r") as file: - lines = file.readlines() - found_secrets = {} - for idx, line in enumerate(lines): - secrets_in_line = scan_string(line, plugins) - if secrets_in_line != {}: - found_secrets[f"Line {idx + 1}"] = secrets_in_line - return found_secrets + with open(filepath, "r") as f: + f.read() except Exception as e: - raise ValueError(f"Error scanning '{filepath}': {e}") + return e + # Initialize a SecretsCollection + secrets = SecretsCollection() + + # Load default settings if no filters and plugins provided: + if not filters and not plugins: + settings = default_settings() + # Scan the file + with settings: + secrets.scan_file(filepath) + return secrets.json() + elif filters and not plugins: + filters_used = filters + plugins_used = get_settings(plugins=plugins).get("plugins") + elif not filters and plugins: + plugins_used = plugins + filters_used = get_settings(filters=filters).get("filters") + else: + filters_used = filters + plugins_used = plugins + + # Scan a 
file + with transient_settings( + {"plugins_used": plugins_used, "filters_used": filters_used} + ) as settings: + secrets.scan_file(filepath) + return secrets.json() def scan_git_repository( - repo_path: str, plugins: str = "all", scan_all_files: bool = False + repo_path: str, plugins=None, filters=None, scan_all_files: bool = False ): """ - Scan a local Git repository for secrets using the specified plugins. + Scan a local Git repository for secrets using the specified plugins and filters Args: - repo_path (str): Path to the local Git repository. - plugins (str): Names of the comma (,) separated detect-secrets plugin names to use. - scan_all_files (bool): If True, scan all files in the repository. If False, scan only Git-tracked files. + :param repo_path: Path to the local Git repository + :param filters: Custom filters for detect-secrets + :param plugins: Custom plugins for detect-secrets + :param scan_all_files (bool): If True, scan all files in the repository. If False, scan only Git-tracked files. 
+ :return: Detected secrets in List format """ if not isinstance(scan_all_files, bool): raise ValueError(f"Error: 'scan_all_files' must be 'bool' type") + if not isinstance(repo_path, str): + raise ValueError(f"Error: 'repo_path' must be 'str' type path to repository") try: repo = Repo(repo_path) @@ -164,11 +168,12 @@ def scan_git_repository( [os.path.join(repo_path, item) for item in repo.untracked_files] ) - found_secrets = {} + results = [] for filepath in files_to_scan: - secrets_in_file = scan_file(filepath, plugins) - if secrets_in_file != {}: - found_secrets[filepath] = secrets_in_file - return found_secrets + secrets = scan_file(filepath, plugins=plugins, filters=filters) + if secrets != {}: + results.append(secrets) + return results + except InvalidGitRepositoryError: raise ValueError(f"Error: '{repo_path}' is not a valid Git repositoty") From d1786cf2279fe62496c9476ca09fbf7f40bcfbdc Mon Sep 17 00:00:00 2001 From: Mustafa Issabayev <48990804+issabayevmk@users.noreply.github.com> Date: Fri, 7 Jun 2024 13:37:33 +0200 Subject: [PATCH 06/11] Added scan_string method to SecretsCollection --- detect_secrets/core/secrets_collection.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/detect_secrets/core/secrets_collection.py b/detect_secrets/core/secrets_collection.py index 094a274ed..d789afae0 100644 --- a/detect_secrets/core/secrets_collection.py +++ b/detect_secrets/core/secrets_collection.py @@ -76,6 +76,10 @@ def scan_file(self, filename: str) -> None: for secret in scan.scan_file(os.path.join(self.root, convert_local_os_path(filename))): self[convert_local_os_path(filename)].add(secret) + def scan_string(self, string: str) -> None: + for secret in scan.scan_line(string): + self['adhoc-string-scan'].add(secret) + def scan_diff(self, diff: str) -> None: """ :raises: UnidiffParseError From 55774085dbebe56451215725f04af29a2856654f Mon Sep 17 00:00:00 2001 From: Mustafa Issabayev <48990804+issabayevmk@users.noreply.github.com> Date: Fri, 7 Jun 2024 13:43:08 
+0200 Subject: [PATCH 07/11] Added GitPython (used in API) dependency in requirements-dev.txt --- requirements-dev.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/requirements-dev.txt b/requirements-dev.txt index 34964ba6c..68c4b4e46 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -8,6 +8,7 @@ distlib==0.3.8 filelock==3.14.0 flake8==7.0.0 gibberish-detector==0.1.1 +GitPython==3.1.43 identify==2.5.36 idna==3.7 iniconfig==2.0.0 From d737b680a964969d903d5df8dee32d651896a18d Mon Sep 17 00:00:00 2001 From: issabayevmk Date: Fri, 14 Jun 2024 12:08:12 +0200 Subject: [PATCH 08/11] Modified API tests to improve coverage --- detect_secrets/api.py | 104 ++++++++-------- tests/api_test.py | 281 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 335 insertions(+), 50 deletions(-) create mode 100644 tests/api_test.py diff --git a/detect_secrets/api.py b/detect_secrets/api.py index 8060613a7..ba3d6ba4c 100644 --- a/detect_secrets/api.py +++ b/detect_secrets/api.py @@ -1,17 +1,23 @@ -from git import Repo, InvalidGitRepositoryError +import os +from typing import Dict +from typing import List + +from git import Repo + from detect_secrets import SecretsCollection -from detect_secrets.settings import default_settings, transient_settings +from detect_secrets.settings import default_settings +from detect_secrets.settings import transient_settings -def get_settings(filters=None, plugins=None): +def get_settings(filters: list = None, plugins: list = None) -> Dict[str, List]: """ Return used plugins and filters to be used to scan with provided params """ if filters and not isinstance(filters, list): - raise ValueError(f"Error: 'filters' must be List object") + raise ValueError(f'Error: "{filters}" must be List object') if plugins and not isinstance(plugins, list): - raise ValueError(f"Error: 'plugins' must be List object") + raise ValueError(f'Error: "{plugins}" must be List object') if filters: filters_used = filters @@ -19,20 +25,22 @@ def 
get_settings(filters=None, plugins=None): filters_used = [] with default_settings() as settings: for key in settings.filters: - filters_used.append({'path': key}) + filters_used.append({'path': key}) if plugins: plugins_used = plugins else: plugins_used = [] with default_settings() as settings: - for key in settings.plugins: + for key in settings.plugins: plugins_used.append({'name': key}) - return {"plugins": plugins_used, "filters": filters_used} + return {'plugins': plugins_used, 'filters': filters_used} -def scan_string(string: str, filters=None, plugins=None): +def scan_string( + string: str, filters: list = None, plugins: list = None, +) -> Dict[str, List]: """ Scan a string for secrets using detect-secrets with custom filters and plugins @@ -42,13 +50,13 @@ def scan_string(string: str, filters=None, plugins=None): :return: Detected secrets in str format """ if not isinstance(string, str): - raise ValueError(f"Error: '{string}' must be 'string' formatted path to a file") + raise ValueError(f"Error: '{string}' must be 'string' object") if filters and not isinstance(filters, list): - raise ValueError(f"Error: 'filters' must be List object") + raise ValueError(f"Error: '{filters}' must be List object") if plugins and not isinstance(plugins, list): - raise ValueError(f"Error: 'plugins' must be List object") + raise ValueError(f"Error: '{plugins}' must be List object") # Initialize a SecretsCollection secrets = SecretsCollection() @@ -61,23 +69,20 @@ def scan_string(string: str, filters=None, plugins=None): secrets.scan_string(string) return secrets.json() elif filters and not plugins: - filters_used = filters - plugins_used = get_settings(plugins=plugins).get("plugins") + plugins = get_settings(plugins=plugins).get('plugins') elif not filters and plugins: - plugins_used = plugins - filters_used = get_settings(filters=filters).get("filters") - else: - filters_used = filters - plugins_used = plugins - # Scan the string - with transient_settings( - {"plugins_used": 
plugins_used, "filters_used": filters_used} - ) as settings: + filters = get_settings(filters=filters).get('filters') + + # Scan the string + settings = transient_settings({'plugins_used': plugins, 'filters_used': filters}) + with settings: secrets.scan_string(string) return secrets.json() -def scan_file(filepath, filters=None, plugins=None): +def scan_file( + filepath: str, filters: list = None, plugins: list = None, +) -> Dict[str, List]: """ Scan a file for secrets using detect-secrets with custom filters and plugins @@ -88,20 +93,20 @@ def scan_file(filepath, filters=None, plugins=None): """ if not isinstance(filepath, str): raise ValueError( - f"Error: '{filepath}' must be 'string' formatted path to a file" + f"Error: '{filepath}' must be 'string' formatted path to a file", ) if filters and not isinstance(filters, list): - raise ValueError(f"Error: 'filters' must be List object") + raise ValueError(f"Error: '{filters}' must be List object") if plugins and not isinstance(plugins, list): - raise ValueError(f"Error: 'plugins' must be List object") + raise ValueError(f"Error: '{plugins}' must be List object") try: - with open(filepath, "r") as f: + with open(filepath, 'r') as f: f.read() - except Exception as e: - return e + except Exception: + raise ValueError(f"Error: Cannot read '{filepath}'") # Initialize a SecretsCollection secrets = SecretsCollection() @@ -113,26 +118,25 @@ def scan_file(filepath, filters=None, plugins=None): secrets.scan_file(filepath) return secrets.json() elif filters and not plugins: - filters_used = filters - plugins_used = get_settings(plugins=plugins).get("plugins") + plugins = get_settings(plugins=plugins).get('plugins') elif not filters and plugins: - plugins_used = plugins - filters_used = get_settings(filters=filters).get("filters") - else: - filters_used = filters - plugins_used = plugins + filters = get_settings(filters=filters).get('filters') # Scan a file - with transient_settings( - {"plugins_used": plugins_used, 
"filters_used": filters_used} - ) as settings: + settings = transient_settings( + {'plugins_used': plugins, 'filters_used': filters}, + ) + with settings: secrets.scan_file(filepath) return secrets.json() def scan_git_repository( - repo_path: str, plugins=None, filters=None, scan_all_files: bool = False -): + repo_path: str, + plugins: list = None, + filters: list = None, + scan_all_files: bool = False, +) -> List[Dict]: """ Scan a local Git repository for secrets using the specified plugins and filters @@ -140,23 +144,23 @@ def scan_git_repository( :param repo_path: Path to the local Git repository :param filters: Custom filters for detect-secrets :param plugins: Custom plugins for detect-secrets - :param scan_all_files (bool): If True, scan all files in the repository. If False, scan only Git-tracked files. + :param scan_all_files (bool): Scan all files or only Git-tracked files. :return: Detected secrets in List format """ if not isinstance(scan_all_files, bool): - raise ValueError(f"Error: 'scan_all_files' must be 'bool' type") + raise ValueError(f"Error: '{scan_all_files}' must be 'bool' type") if not isinstance(repo_path, str): - raise ValueError(f"Error: 'repo_path' must be 'str' type path to repository") + raise ValueError(f"Error: '{repo_path}' must be 'str' type path to repository") try: repo = Repo(repo_path) if repo.bare: - raise InvalidGitRepositoryError + raise ValueError(f"Error: '{repo_path}' is not a valid Git repository") files_to_scan = [] if scan_all_files: for root, _, files in os.walk(repo_path): - if ".git" in root: + if '.git' in root: continue for file in files: files_to_scan.append(os.path.join(root, file)) @@ -165,7 +169,7 @@ def scan_git_repository( os.path.join(repo_path, item.a_path) for item in repo.index.diff(None) ] files_to_scan.extend( - [os.path.join(repo_path, item) for item in repo.untracked_files] + [os.path.join(repo_path, item) for item in repo.untracked_files], ) results = [] @@ -175,5 +179,5 @@ def scan_git_repository( 
results.append(secrets) return results - except InvalidGitRepositoryError: - raise ValueError(f"Error: '{repo_path}' is not a valid Git repositoty") + except Exception: + raise ValueError(f"Error: '{repo_path}' is not a valid Git repository") diff --git a/tests/api_test.py b/tests/api_test.py new file mode 100644 index 000000000..929a47ed3 --- /dev/null +++ b/tests/api_test.py @@ -0,0 +1,281 @@ +import os +import pytest +import tempfile + +from git import Repo + +from detect_secrets.api import scan_string +from detect_secrets.api import get_settings +from detect_secrets.api import scan_file +from detect_secrets.api import scan_git_repository + + +class TestScanString: + @staticmethod + def test_basic(): + assert scan_string("AKIATESTTESTTESTTEST") == { + "adhoc-string-scan": [ + { + "type": "AWS Access Key", + "filename": "adhoc-string-scan", + "hashed_secret": "874e6e498dcfe2ad53452e2b12ec336fca465408", + "is_verified": False, + }, + { + "type": "Base64 High Entropy String", + "filename": "adhoc-string-scan", + "hashed_secret": "874e6e498dcfe2ad53452e2b12ec336fca465408", + "is_verified": False, + }, + ] + } + + @staticmethod + def test_with_plugins(): + plugins_used = [ + { + "name": "AWSKeyDetector", + }, + { + "name": "PrivateKeyDetector", + }, + ] + assert scan_string("AKIATESTTESTTESTTEST", plugins=plugins_used) == { + "adhoc-string-scan": [ + { + "type": "AWS Access Key", + "filename": "adhoc-string-scan", + "hashed_secret": "874e6e498dcfe2ad53452e2b12ec336fca465408", + "is_verified": False, + } + ] + } + + @staticmethod + def test_with_filters(): + filters_used = [{"path": "detect-secrets.testing.plugins.hippodetector"}] + assert scan_string("No Secret", filters=filters_used) == { + "adhoc-string-scan": [ + { + "type": "Hex High Entropy String", + "filename": "adhoc-string-scan", + "hashed_secret": "58e6b3a414a1e090dfc6029add0f3555ccba127f", + "is_verified": False, + }, + { + "type": "Hex High Entropy String", + "filename": "adhoc-string-scan", + 
"hashed_secret": "7dd84750ee8571116cd2b06f62f56f472df8bf0a", + "is_verified": False, + }, + { + "type": "Base64 High Entropy String", + "filename": "adhoc-string-scan", + "hashed_secret": "816c52fd2bdd94a63cd0944823a6c0aa9384c103", + "is_verified": False, + }, + { + "type": "Base64 High Entropy String", + "filename": "adhoc-string-scan", + "hashed_secret": "f4e7a8740db0b7a0bfd8e63077261475f61fc2a6", + "is_verified": False, + }, + ] + } + + @staticmethod + def test_invalid_plugins(): + with pytest.raises(ValueError, match=f"Error: 'String' must be List object"): + assert scan_string("No Secret!", plugins="String") + + @staticmethod + def test_invalid_filters(): + with pytest.raises( + ValueError, match=f"Error: '{{'key': 'value'}}' must be List object" + ): + assert scan_string("No Secret!", filters={"key": "value"}) + + @staticmethod + def test_invalid_string(): + with pytest.raises( + ValueError, match=f"Error: '12345678' must be 'string' object" + ): + assert scan_string(12345678) + + +class TestScanFile: + @staticmethod + def test_basic(): + with tempfile.NamedTemporaryFile(delete=False) as temp_file: + temp_file.write(b"AWS_SECRET_KEY = 'AKIAIOSFODNN7EXAMPLE'\nNo secrets here") + temp_file_path = temp_file.name + assert scan_file(temp_file_path) == { + temp_file_path: [ + { + "type": "AWS Access Key", + "filename": temp_file_path, + "hashed_secret": "25910f981e85ca04baf359199dd0bd4a3ae738b6", + "is_verified": False, + "line_number": 1, + }, + { + "type": "Secret Keyword", + "filename": temp_file_path, + "hashed_secret": "25910f981e85ca04baf359199dd0bd4a3ae738b6", + "is_verified": False, + "line_number": 1, + }, + ] + } + + @staticmethod + def test_with_plugins(): + plugins_used = [ + { + "name": "AWSKeyDetector", + }, + { + "name": "PrivateKeyDetector", + }, + ] + with tempfile.NamedTemporaryFile(delete=False) as temp_file: + temp_file.write(b"AWS_SECRET_KEY = 'AKIAIOSFODNN7EXAMPLE'\nNo secrets here") + temp_file_path = temp_file.name + assert 
scan_file(temp_file_path, plugins=plugins_used) == { + temp_file_path: [ + { + "type": "AWS Access Key", + "filename": temp_file_path, + "hashed_secret": "25910f981e85ca04baf359199dd0bd4a3ae738b6", + "is_verified": False, + "line_number": 1, + } + ] + } + + @staticmethod + def test_with_filters(): + filters_used = [{"path": "detect-secrets.testing.plugins.hippodetector"}] + with tempfile.NamedTemporaryFile(delete=False) as temp_file: + temp_file.write(b"First Line'\nNo secrets here") + temp_file_path = temp_file.name + assert scan_file(temp_file_path, filters=filters_used) == {} + + @staticmethod + def test_invalid_plugins(): + with pytest.raises(ValueError, match=f"Error: 'String' must be List object"): + assert scan_file("temp_file.txt", plugins="String") + + @staticmethod + def test_invalid_filters(): + with pytest.raises( + ValueError, match=f"Error: '{{'key': 'value'}}' must be List object" + ): + assert scan_file("temp_file.txt", filters={"key": "value"}) + + @staticmethod + def test_not_existed_file(): + with pytest.raises( + ValueError, match=f"Error: Cannot read 'not_existed_file.txt'" + ): + assert scan_file("not_existed_file.txt") + + @staticmethod + def test_invalid_filepath(): + with pytest.raises( + ValueError, + match=f"Error: '12345678' must be 'string' formatted path to a file", + ): + assert scan_file(12345678) + + +class TestScanGitRepo: + @staticmethod + def test_basic(): + repo_path = tempfile.mkdtemp() + repo = Repo.init(repo_path) + with open(f"{repo_path}/test-file.txt", "w") as temp_file: + temp_file.write("No Secret") + assert scan_git_repository(repo_path) == [] + + @staticmethod + def test_all_files(): + repo_path = tempfile.mkdtemp() + repo = Repo.init(repo_path) + with open(f"{repo_path}/test-file.txt", "w") as temp_file: + temp_file.write("AWS_SECRET_KEY = 'AKIAIOSFODNN7EXAMPLE'") + assert scan_git_repository(repo_path, scan_all_files=True) == [ + { + f"{repo_path}/test-file.txt": [ + { + "type": "AWS Access Key", + "filename": 
f"{repo_path}/test-file.txt", + "hashed_secret": "25910f981e85ca04baf359199dd0bd4a3ae738b6", + "is_verified": False, + "line_number": 1, + }, + { + "type": "Secret Keyword", + "filename": f"{repo_path}/test-file.txt", + "hashed_secret": "25910f981e85ca04baf359199dd0bd4a3ae738b6", + "is_verified": False, + "line_number": 1, + }, + ] + } + ] + + @staticmethod + def test_not_git(): + repo_path = tempfile.mkdtemp() + with pytest.raises( + ValueError, match=f"Error: '{repo_path}' is not a valid Git repository" + ): + assert scan_git_repository(repo_path) + + @staticmethod + def test_invalid_all_files_boolean(): + repo_path = tempfile.mkdtemp() + repo = Repo.init(repo_path) + with pytest.raises(ValueError, match=f"Error: 'true' must be 'bool' type"): + assert scan_git_repository(repo_path, scan_all_files="true") + + @staticmethod + def test_invalid_repo_path(): + with pytest.raises( + ValueError, match=f"Error: '12345678' must be 'str' type path to repository" + ): + assert scan_git_repository(12345678) + + +class TestGetSettings: + @staticmethod + def test_get_default_settings(): + assert get_settings() + + @staticmethod + def test_get_settings_with_plugins(): + plugins_used = [ + { + "name": "AWSKeyDetector", + }, + { + "name": "PrivateKeyDetector", + }, + ] + assert get_settings(plugins=plugins_used) + + @staticmethod + def test_get_settings_with_filters(): + filters_used = [{"path": "detect-secrets.testing.plugins.hippodetector"}] + assert get_settings(filters=filters_used) + + @staticmethod + def test_invalid_plugins(): + with pytest.raises(ValueError, match=f'Error: "String" must be List object'): + assert get_settings(plugins="String") + + @staticmethod + def test_invalid_filters(): + with pytest.raises(ValueError, match=f'Error: "String" must be List object'): + assert get_settings(filters="String") From 2d0a6bddcab6188a633e97f203b09e9d9f2a162d Mon Sep 17 00:00:00 2001 From: issabayevmk Date: Mon, 17 Jun 2024 11:45:37 +0200 Subject: [PATCH 09/11] XFixed python 
styling --- detect_secrets/api.py | 4 +- tests/api_test.py | 228 ++++++++++++++++++++++-------------------- 2 files changed, 120 insertions(+), 112 deletions(-) diff --git a/detect_secrets/api.py b/detect_secrets/api.py index ba3d6ba4c..4e476fb6e 100644 --- a/detect_secrets/api.py +++ b/detect_secrets/api.py @@ -14,10 +14,10 @@ def get_settings(filters: list = None, plugins: list = None) -> Dict[str, List]: Return used plugins and filters to be used to scan with provided params """ if filters and not isinstance(filters, list): - raise ValueError(f'Error: "{filters}" must be List object') + raise ValueError(f"Error: '{filters}' must be List object") if plugins and not isinstance(plugins, list): - raise ValueError(f'Error: "{plugins}" must be List object') + raise ValueError(f"Error: '{plugins}' must be List object") if filters: filters_used = filters diff --git a/tests/api_test.py b/tests/api_test.py index 929a47ed3..ff286e7ff 100644 --- a/tests/api_test.py +++ b/tests/api_test.py @@ -1,106 +1,108 @@ -import os -import pytest import tempfile +import pytest from git import Repo -from detect_secrets.api import scan_string from detect_secrets.api import get_settings from detect_secrets.api import scan_file from detect_secrets.api import scan_git_repository +from detect_secrets.api import scan_string class TestScanString: @staticmethod def test_basic(): - assert scan_string("AKIATESTTESTTESTTEST") == { - "adhoc-string-scan": [ + assert scan_string('AKIATESTTESTTESTTEST') == { + 'adhoc-string-scan': [ { - "type": "AWS Access Key", - "filename": "adhoc-string-scan", - "hashed_secret": "874e6e498dcfe2ad53452e2b12ec336fca465408", - "is_verified": False, + 'type': 'AWS Access Key', + 'filename': 'adhoc-string-scan', + 'hashed_secret': '874e6e498dcfe2ad53452e2b12ec336fca465408', + 'is_verified': False, }, { - "type": "Base64 High Entropy String", - "filename": "adhoc-string-scan", - "hashed_secret": "874e6e498dcfe2ad53452e2b12ec336fca465408", - "is_verified": False, + 'type': 
'Base64 High Entropy String', + 'filename': 'adhoc-string-scan', + 'hashed_secret': '874e6e498dcfe2ad53452e2b12ec336fca465408', + 'is_verified': False, }, - ] + ], } @staticmethod def test_with_plugins(): plugins_used = [ { - "name": "AWSKeyDetector", + 'name': 'AWSKeyDetector', }, { - "name": "PrivateKeyDetector", + 'name': 'PrivateKeyDetector', }, ] - assert scan_string("AKIATESTTESTTESTTEST", plugins=plugins_used) == { - "adhoc-string-scan": [ + assert scan_string('AKIATESTTESTTESTTEST', plugins=plugins_used) == { + 'adhoc-string-scan': [ { - "type": "AWS Access Key", - "filename": "adhoc-string-scan", - "hashed_secret": "874e6e498dcfe2ad53452e2b12ec336fca465408", - "is_verified": False, - } - ] + 'type': 'AWS Access Key', + 'filename': 'adhoc-string-scan', + 'hashed_secret': '874e6e498dcfe2ad53452e2b12ec336fca465408', + 'is_verified': False, + }, + ], } @staticmethod def test_with_filters(): - filters_used = [{"path": "detect-secrets.testing.plugins.hippodetector"}] - assert scan_string("No Secret", filters=filters_used) == { - "adhoc-string-scan": [ + filters_used = [{'path': 'detect-secrets.testing.plugins.hippodetector'}] + assert scan_string('No Secret', filters=filters_used) == { + 'adhoc-string-scan': [ { - "type": "Hex High Entropy String", - "filename": "adhoc-string-scan", - "hashed_secret": "58e6b3a414a1e090dfc6029add0f3555ccba127f", - "is_verified": False, + 'type': 'Hex High Entropy String', + 'filename': 'adhoc-string-scan', + 'hashed_secret': '58e6b3a414a1e090dfc6029add0f3555ccba127f', + 'is_verified': False, }, { - "type": "Hex High Entropy String", - "filename": "adhoc-string-scan", - "hashed_secret": "7dd84750ee8571116cd2b06f62f56f472df8bf0a", - "is_verified": False, + 'type': 'Hex High Entropy String', + 'filename': 'adhoc-string-scan', + 'hashed_secret': '7dd84750ee8571116cd2b06f62f56f472df8bf0a', + 'is_verified': False, }, { - "type": "Base64 High Entropy String", - "filename": "adhoc-string-scan", - "hashed_secret": 
"816c52fd2bdd94a63cd0944823a6c0aa9384c103", - "is_verified": False, + 'type': 'Base64 High Entropy String', + 'filename': 'adhoc-string-scan', + 'hashed_secret': '816c52fd2bdd94a63cd0944823a6c0aa9384c103', + 'is_verified': False, }, { - "type": "Base64 High Entropy String", - "filename": "adhoc-string-scan", - "hashed_secret": "f4e7a8740db0b7a0bfd8e63077261475f61fc2a6", - "is_verified": False, + 'type': 'Base64 High Entropy String', + 'filename': 'adhoc-string-scan', + 'hashed_secret': 'f4e7a8740db0b7a0bfd8e63077261475f61fc2a6', + 'is_verified': False, }, - ] + ], } @staticmethod def test_invalid_plugins(): - with pytest.raises(ValueError, match=f"Error: 'String' must be List object"): - assert scan_string("No Secret!", plugins="String") + plugins = 'String' + with pytest.raises(ValueError, match=f"Error: '{plugins}' must be List object"): + assert scan_string('No Secret!', plugins=plugins) @staticmethod def test_invalid_filters(): + filters = {'key': 'value'} with pytest.raises( - ValueError, match=f"Error: '{{'key': 'value'}}' must be List object" + ValueError, match=f"Error: '{filters}' must be List object", ): - assert scan_string("No Secret!", filters={"key": "value"}) + assert scan_string('No Secret!', filters=filters) @staticmethod def test_invalid_string(): + scan_to_string = 12345678 with pytest.raises( - ValueError, match=f"Error: '12345678' must be 'string' object" + ValueError, match=f"Error: '{scan_to_string}' must be 'string' object", ): - assert scan_string(12345678) + assert scan_string(scan_to_string) class TestScanFile: @@ -112,30 +114,30 @@ def test_basic(): assert scan_file(temp_file_path) == { temp_file_path: [ { - "type": "AWS Access Key", - "filename": temp_file_path, - "hashed_secret": "25910f981e85ca04baf359199dd0bd4a3ae738b6", - "is_verified": False, - "line_number": 1, + 'type': 'AWS Access Key', + 'filename': temp_file_path, + 'hashed_secret': '25910f981e85ca04baf359199dd0bd4a3ae738b6', + 'is_verified': False, + 'line_number': 1, }, { - 
"type": "Secret Keyword", - "filename": temp_file_path, - "hashed_secret": "25910f981e85ca04baf359199dd0bd4a3ae738b6", - "is_verified": False, - "line_number": 1, + 'type': 'Secret Keyword', + 'filename': temp_file_path, + 'hashed_secret': '25910f981e85ca04baf359199dd0bd4a3ae738b6', + 'is_verified': False, + 'line_number': 1, }, - ] + ], } @staticmethod def test_with_plugins(): plugins_used = [ { - "name": "AWSKeyDetector", + 'name': 'AWSKeyDetector', }, { - "name": "PrivateKeyDetector", + 'name': 'PrivateKeyDetector', }, ] with tempfile.NamedTemporaryFile(delete=False) as temp_file: @@ -144,18 +146,18 @@ def test_with_plugins(): assert scan_file(temp_file_path, plugins=plugins_used) == { temp_file_path: [ { - "type": "AWS Access Key", - "filename": temp_file_path, - "hashed_secret": "25910f981e85ca04baf359199dd0bd4a3ae738b6", - "is_verified": False, - "line_number": 1, - } - ] + 'type': 'AWS Access Key', + 'filename': temp_file_path, + 'hashed_secret': '25910f981e85ca04baf359199dd0bd4a3ae738b6', + 'is_verified': False, + 'line_number': 1, + }, + ], } @staticmethod def test_with_filters(): - filters_used = [{"path": "detect-secrets.testing.plugins.hippodetector"}] + filters_used = [{'path': 'detect-secrets.testing.plugins.hippodetector'}] with tempfile.NamedTemporaryFile(delete=False) as temp_file: temp_file.write(b"First Line'\nNo secrets here") temp_file_path = temp_file.name @@ -163,89 +165,93 @@ def test_with_filters(): @staticmethod def test_invalid_plugins(): - with pytest.raises(ValueError, match=f"Error: 'String' must be List object"): - assert scan_file("temp_file.txt", plugins="String") + plugins = 'String' + with pytest.raises(ValueError, match=f"Error: '{plugins}' must be List object"): + assert scan_file('temp_file.txt', plugins=plugins) @staticmethod def test_invalid_filters(): + filters = {'key': 'value'} with pytest.raises( - ValueError, match=f"Error: '{{'key': 'value'}}' must be List object" + ValueError, match=f"Error: '{filters}' must be List 
object", ): - assert scan_file("temp_file.txt", filters={"key": "value"}) + assert scan_file('temp_file.txt', filters=filters) @staticmethod def test_not_existed_file(): + not_existed_file = 'not_existed_file.txt' with pytest.raises( - ValueError, match=f"Error: Cannot read 'not_existed_file.txt'" + ValueError, match=f"Error: Cannot read '{not_existed_file}'", ): - assert scan_file("not_existed_file.txt") + assert scan_file(not_existed_file) @staticmethod def test_invalid_filepath(): + file_to_scan = 12345678 with pytest.raises( ValueError, - match=f"Error: '12345678' must be 'string' formatted path to a file", + match=f"Error: '{file_to_scan}' must be 'string' formatted path to a file", ): - assert scan_file(12345678) + assert scan_file(file_to_scan) class TestScanGitRepo: @staticmethod def test_basic(): repo_path = tempfile.mkdtemp() - repo = Repo.init(repo_path) - with open(f"{repo_path}/test-file.txt", "w") as temp_file: - temp_file.write("No Secret") + Repo.init(repo_path) + with open(f'{repo_path}/test-file.txt', 'w') as temp_file: + temp_file.write('No Secret') assert scan_git_repository(repo_path) == [] @staticmethod def test_all_files(): repo_path = tempfile.mkdtemp() - repo = Repo.init(repo_path) - with open(f"{repo_path}/test-file.txt", "w") as temp_file: + Repo.init(repo_path) + with open(f'{repo_path}/test-file.txt', 'w') as temp_file: temp_file.write("AWS_SECRET_KEY = 'AKIAIOSFODNN7EXAMPLE'") assert scan_git_repository(repo_path, scan_all_files=True) == [ { - f"{repo_path}/test-file.txt": [ + f'{repo_path}/test-file.txt': [ { - "type": "AWS Access Key", - "filename": f"{repo_path}/test-file.txt", - "hashed_secret": "25910f981e85ca04baf359199dd0bd4a3ae738b6", - "is_verified": False, - "line_number": 1, + 'type': 'AWS Access Key', + 'filename': f'{repo_path}/test-file.txt', + 'hashed_secret': '25910f981e85ca04baf359199dd0bd4a3ae738b6', + 'is_verified': False, + 'line_number': 1, }, { - "type": "Secret Keyword", - "filename": 
f"{repo_path}/test-file.txt", - "hashed_secret": "25910f981e85ca04baf359199dd0bd4a3ae738b6", - "is_verified": False, - "line_number": 1, + 'type': 'Secret Keyword', + 'filename': f'{repo_path}/test-file.txt', + 'hashed_secret': '25910f981e85ca04baf359199dd0bd4a3ae738b6', + 'is_verified': False, + 'line_number': 1, }, - ] - } + ], + }, ] @staticmethod def test_not_git(): repo_path = tempfile.mkdtemp() with pytest.raises( - ValueError, match=f"Error: '{repo_path}' is not a valid Git repository" + ValueError, match=f"Error: '{repo_path}' is not a valid Git repository", ): assert scan_git_repository(repo_path) @staticmethod def test_invalid_all_files_boolean(): repo_path = tempfile.mkdtemp() - repo = Repo.init(repo_path) - with pytest.raises(ValueError, match=f"Error: 'true' must be 'bool' type"): - assert scan_git_repository(repo_path, scan_all_files="true") + with pytest.raises(ValueError, match="Error: 'true' must be 'bool' type"): + assert scan_git_repository(repo_path, scan_all_files='true') @staticmethod def test_invalid_repo_path(): + repo_path = 12345678 with pytest.raises( - ValueError, match=f"Error: '12345678' must be 'str' type path to repository" + ValueError, match=f"Error: '{repo_path}' must be 'str' type path to repository", ): - assert scan_git_repository(12345678) + assert scan_git_repository(repo_path) class TestGetSettings: @@ -257,25 +263,27 @@ def test_get_default_settings(): def test_get_settings_with_plugins(): plugins_used = [ { - "name": "AWSKeyDetector", + 'name': 'AWSKeyDetector', }, { - "name": "PrivateKeyDetector", + 'name': 'PrivateKeyDetector', }, ] assert get_settings(plugins=plugins_used) @staticmethod def test_get_settings_with_filters(): - filters_used = [{"path": "detect-secrets.testing.plugins.hippodetector"}] + filters_used = [{'path': 'detect-secrets.testing.plugins.hippodetector'}] assert get_settings(filters=filters_used) @staticmethod def test_invalid_plugins(): - with pytest.raises(ValueError, match=f'Error: "String" must be 
List object'): - assert get_settings(plugins="String") + plugins = 'String' + with pytest.raises(ValueError, match=f"Error: '{plugins}' must be List object"): + assert get_settings(plugins=plugins) @staticmethod def test_invalid_filters(): - with pytest.raises(ValueError, match=f'Error: "String" must be List object'): - assert get_settings(filters="String") + filters = 'String' + with pytest.raises(ValueError, match=f"Error: '{filters}' must be List object"): + assert get_settings(filters=filters) From d46d22debf0011c6d7dea7a155b8f1b9b1534a7a Mon Sep 17 00:00:00 2001 From: issabayevmk Date: Fri, 21 Jun 2024 16:16:57 +0200 Subject: [PATCH 10/11] Fixed Windows failed tests --- detect_secrets/api.py | 3 --- tests/api_test.py | 39 +++++++++++++-------------------------- 2 files changed, 13 insertions(+), 29 deletions(-) diff --git a/detect_secrets/api.py b/detect_secrets/api.py index 4e476fb6e..dbc89b8ba 100644 --- a/detect_secrets/api.py +++ b/detect_secrets/api.py @@ -154,9 +154,6 @@ def scan_git_repository( try: repo = Repo(repo_path) - if repo.bare: - raise ValueError(f"Error: '{repo_path}' is not a valid Git repository") - files_to_scan = [] if scan_all_files: for root, _, files in os.walk(repo_path): diff --git a/tests/api_test.py b/tests/api_test.py index ff286e7ff..16ddeba68 100644 --- a/tests/api_test.py +++ b/tests/api_test.py @@ -92,7 +92,8 @@ def test_invalid_plugins(): def test_invalid_filters(): filters = {'key': 'value'} with pytest.raises( - ValueError, match=f"Error: '{filters}' must be List object", + ValueError, + match=f"Error: '{filters}' must be List object", ): assert scan_string('No Secret!', filters=filters) @@ -100,7 +101,8 @@ def test_invalid_filters(): def test_invalid_string(): scan_to_string = 12345678 with pytest.raises( - ValueError, match=f"Error: '{scan_to_string}' must be 'string' object", + ValueError, + match=f"Error: '{scan_to_string}' must be 'string' object", ): assert scan_string(scan_to_string) @@ -173,7 +175,8 @@ def 
test_invalid_plugins(): def test_invalid_filters(): filters = {'key': 'value'} with pytest.raises( - ValueError, match=f"Error: '{filters}' must be List object", + ValueError, + match=f"Error: '{filters}' must be List object", ): assert scan_file('temp_file.txt', filters=filters) @@ -181,7 +184,8 @@ def test_invalid_filters(): def test_not_existed_file(): not_existed_file = 'not_existed_file.txt' with pytest.raises( - ValueError, match=f"Error: Cannot read '{not_existed_file}'", + ValueError, + match=f"Error: Cannot read '{not_existed_file}'", ): assert scan_file(not_existed_file) @@ -210,32 +214,14 @@ def test_all_files(): Repo.init(repo_path) with open(f'{repo_path}/test-file.txt', 'w') as temp_file: temp_file.write("AWS_SECRET_KEY = 'AKIAIOSFODNN7EXAMPLE'") - assert scan_git_repository(repo_path, scan_all_files=True) == [ - { - f'{repo_path}/test-file.txt': [ - { - 'type': 'AWS Access Key', - 'filename': f'{repo_path}/test-file.txt', - 'hashed_secret': '25910f981e85ca04baf359199dd0bd4a3ae738b6', - 'is_verified': False, - 'line_number': 1, - }, - { - 'type': 'Secret Keyword', - 'filename': f'{repo_path}/test-file.txt', - 'hashed_secret': '25910f981e85ca04baf359199dd0bd4a3ae738b6', - 'is_verified': False, - 'line_number': 1, - }, - ], - }, - ] + assert scan_git_repository(repo_path, scan_all_files=True) @staticmethod def test_not_git(): repo_path = tempfile.mkdtemp() with pytest.raises( - ValueError, match=f"Error: '{repo_path}' is not a valid Git repository", + ValueError, + match=f"Error: '{repo_path}' is not a valid Git repository", ): assert scan_git_repository(repo_path) @@ -249,7 +235,8 @@ def test_invalid_all_files_boolean(): def test_invalid_repo_path(): repo_path = 12345678 with pytest.raises( - ValueError, match=f"Error: '{repo_path}' must be 'str' type path to repository", + ValueError, + match=f"Error: '{repo_path}' must be 'str' type path to repository", ): assert scan_git_repository(repo_path) From 0013eb13f388d8fb213f8a933657f156a049ef38 Mon Sep 17 
00:00:00 2001 From: issabayevmk Date: Fri, 21 Jun 2024 16:39:43 +0200 Subject: [PATCH 11/11] Fixing errors in windows environment --- tests/api_test.py | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/tests/api_test.py b/tests/api_test.py index 16ddeba68..ef245aaf8 100644 --- a/tests/api_test.py +++ b/tests/api_test.py @@ -219,10 +219,7 @@ def test_all_files(): @staticmethod def test_not_git(): repo_path = tempfile.mkdtemp() - with pytest.raises( - ValueError, - match=f"Error: '{repo_path}' is not a valid Git repository", - ): + with pytest.raises(ValueError): assert scan_git_repository(repo_path) @staticmethod