Skip to content
This repository has been archived by the owner on Jan 10, 2024. It is now read-only.

Add report functionality for detect-secrets + tests #235

Closed
wants to merge 2 commits into from
Closed

Add report functionality for detect-secrets + tests #235

wants to merge 2 commits into from

Conversation

MVrachev
Copy link
Contributor

@MVrachev MVrachev commented May 15, 2019
edited
Loading

This is the reporting functionality for detect_secrets which will
process the results from the detect_secrets detect_secrets scan
and it will create valid GitHub annotation objects for the issues.

All upcoming pull requests to integrate detect_secrets
into Precaution can be found here:
#209 (comment)

Related to: #209

Signed-off-by: Martin Vrachev [email protected]

@MVrachev MVrachev requested review from joshuagl and ericwb May 15, 2019 17:57
ericwb
ericwb suggested changes May 15, 2019
View reviewed changes
Copy link
Collaborator

@ericwb ericwb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So this PR covers only partial functionality. So what other PRs are you planning to submit? It would be good to get in the practice of documenting your planned PRs in the Issue. And but more discussion on the design there as well. You PR message added design questions, but the PR is not really a good place for that.

linters/detect_secrets/detect_secrets_annotations.js Outdated Show resolved Hide resolved
linters/detect_secrets/detect_secrets_report.js Show resolved Hide resolved
linters/detect_secrets/detect_secrets_annotations.js
const path = filePath
const startLine = issue.line_number
const endLine = startLine
const annotationLevel = getAnnotationLevel('HIGH', 'LOW')
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the severity always be high and confidence always low for these results?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's something we should discuss in our issue tracker
#209
I just put the severity and confidence Bandit uses when reporting hardcoded credentials.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You might want to look at https://github.com/lyft/bandit-high-entropy-string. This is a bandit plugin to do detect-secrets like testing. As part of the plugin, it defines severity and confidence.

@MVrachev
Copy link
Contributor Author

So this PR covers only partial functionality. So what other PRs are you planning to submit? It would be good to get in the practice of documenting your planned PRs in the Issue.

I am doing that already: #160 I was just not sure where to put my planned pull requests.
I mean should I put them in the existing issue tracker as a comment: #209 or should I create another issue where it will be more visible the progress?

You PR message added design questions, but the PR is not really a good place for that.

Yes, you are right. I just thought about those design questions just before I submitted the pr and I didn't realize that they are better to be placed in the issue tracker.
I will fix that.

@MVrachev
Copy link
Contributor Author

I moved the design discussion in our issue tracker: #209 (comment)
and I gave planning how many pull requests we need to fully integrate detect-secrets here: #209 (comment)

@MVrachev MVrachev requested a review from ericwb May 16, 2019 10:48
MVrachev added 2 commits May 21, 2019 11:49
@MVrachev
Add report functionality for detect-secrets
d059bd1 
This is the reporting functionality for detect_secrets which will
process the results from the detect_secrets detect_secrets scan
and it will create valid GitHub annotation objects for the issues.

All upcoming pull requests to integrate detect_secrets
into Precaution can be found here:
#209 (comment)

Related to: #209

Signed-off-by: Martin Vrachev <[email protected]>∂
@MVrachev
Add unit tests for the report of detect_secrets
6b680d1 
Added a few standart tests for the report functionality of
detect_secrets.

Signed-off-by: Martin Vrachev <[email protected]>
@MVrachev
Copy link
Contributor Author

MVrachev commented Jun 13, 2019
edited
Loading

As I explained here #209 (comment) we decided that we won't use detect-secret.
That's why I will close this pr.

@MVrachev MVrachev closed this Jun 13, 2019
@MVrachev MVrachev deleted the detect-secrets-report branch August 23, 2020 16:57
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@joshuagl joshuagl Awaiting requested review from joshuagl

@ericwb ericwb Awaiting requested review from ericwb

Assignees
No one assigned
Labels
cla-not-required
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@MVrachev @ericwb @vmwclabot