-
Notifications
You must be signed in to change notification settings - Fork 474
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do not require leading quotes for high-entropy strings #697
base: master
Are you sure you want to change the base?
Conversation
I have not yet added any tests. I am happy to do so if this change is likely to be accepted. |
Hi @robinbowes, thank you for your contribution 😄 I'll have to look a bit into this to make sure everything is right. In the meantime, could you please merge master into your branch so you get the latest fixes I pushed? |
@lorenzodb1 Any news about this PR, I still have issue with secrets detect with |
@alexrepetskyi unfortunately I'd need the author of this PR (@robinbowes) to merge master to this branch so that the CI can run tests before approval. As the author hasn't really replied in a while, you're more than welcome to create a PR yourself with the changes contained in this branch and we can take it from there. If you can do this by the end of this month we'll include the changes in the next release. |
Apologies for the delay - my branch is now up-to-date. |
@robinbowes looks like some tests are failing. If you could take care of them before the end of the month I'll make sure to include these changes in the coming-up release |
I'll take a look when I get a moment. At first glance, it seems that it will just need some of the tests tweaking. This could be quite an intrusive change, btw. Existing users could hit many more false positives. Conversely, they could find many more secrets that were not previously detected! |
I guess we'll have to be careful about how we release these changes. Once this PR it's ready to be merged, @jpdakran and I will discuss this and release it in the least disruptive way possible. |
Make the quotes around high-entropy strings optional
We found that secrets are being missed if they are not quoted.
What is the current behavior?
High-entropy strings are currently required to be quoted "to reduce noise". This results in unquoted secrets being ignored, as reported in Most secrets are not detected #458
What is the new behavior (if this is a feature change)?
With this change, high-entropy strings are no longer required to be quoted. 3 of the secrets not detected in Most secrets are not detected #458 are detected with this change.
Does this PR introduce a breaking change?
Users may find previously-undetected secrets. They may also run into additional false positives when scanning.