
detect-secrets-hook read file list from a file, to allow use of exit code #846

gpflaum opened this issue May 27, 2024 · 2 comments
gpflaum commented May 27, 2024

  • I'm submitting a ...

    • bug report
    • feature request
  • What is the current behavior?
    detect-secrets-hook gets a list of files as command line arguments.

  • What is the desired behavior?
    detect-secrets-hook optionally reads a list of files from a file.

  • What is the motivation / use case for changing the behavior?
    The documentation suggests using xargs to construct and run the detect-secrets-hook command line. A problem with this approach is that the caller of xargs, such as a git pre-commit hook or build pipeline, gets the exit code from xargs, not detect-secrets-hook.

    I want to distinguish between detect-secrets-hook's exit code 1 (found a secret) and exit code 3 (no new secrets, but updated the baseline, e.g. from 1.4.0 to 1.5.0). In the latter case I don't want to block the commit or build pipeline. But xargs returns the same exit code, 123, in both cases.

    If detect-secrets-hook could read a list of files from a file, we could call detect-secrets-hook directly, without xargs, and receive the detect-secrets-hook exit code. This would also help when there are many files to scan: If the command line constructed by xargs is long, it may call detect-secrets-hook multiple times. Using a file as input, detect-secrets-hook could run just once.

    Using xargs can also cause problems when many files are being scanned: If the detect-secrets-hook command line would be longer than xargs' limit (128 Kb characters), xargs will run detect-secrets-hook multiple times with a shorter command line. If the first run of detect-secrets-hook modifies the baseline, any additional runs will fail with "Your baseline file (.secrets.baseline) is unstaged."

    Because filenames may contain newlines, there should also be an option like xargs' --null (-0) for reading null-terminated strings from the file.

  • Please tell us about your environment:

    • detect-secrets Version: 1.5.0
    • Python Version: 3.11.2
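The three xargs problems described above (exit codes 1 and 3 both collapsed to 123, the argument list split into several invocations once it exceeds the length limit, and newlines in filenames) can be avoided today from a bash pre-commit hook without waiting for a file-list option. The script below is an added example, not code from detect-secrets or from the issue author. It demonstrates the xargs behaviour with `sh -c` stand-ins rather than the real hook, reads a NUL-separated file list into an array so the hook is called exactly once and its own exit code reaches the caller, and then applies the policy the issue asks for (block on 1, allow 3). The variable name `DETECT_SECRETS_HOOK_CMD` and the exit-code mapping are assumptions of this example; `detect-secrets-hook --baseline .secrets.baseline <files>` is the hook's documented invocation.

```bash
#!/usr/bin/env bash
# Added example (not part of detect-secrets): a pre-commit wrapper that avoids
# xargs so the caller sees detect-secrets-hook's own exit code and the hook runs
# exactly once, plus two small demonstrations of the xargs behaviour the issue
# describes. The xargs demonstrations use sh -c one-liners, not the real hook.

# Command to run. The variable name DETECT_SECRETS_HOOK_CMD is an assumption
# of this example; point it at a stub to exercise the wrapper without the tool.
: "${DETECT_SECRETS_HOOK_CMD:=detect-secrets-hook}"

# Exit codes as described in the issue: 1 = secret found, 3 = baseline updated.
EXIT_SECRET_FOUND=1
EXIT_BASELINE_UPDATED=3

# 1. xargs collapses any child exit status in 1..125 to 123, so the caller
#    cannot tell code 1 from code 3. Prints the status xargs itself returns.
xargs_masks_exit_code() {
    local child_code=$1 rc=0
    printf 'a.txt\0b.txt\0' | xargs -0 sh -c "exit $child_code" _ || rc=$?
    echo "$rc"
}

# 2. When the argument list would exceed the line-length limit, xargs splits it
#    and runs the command several times (each run would see the baseline
#    already modified by the previous one). Prints how many invocations happen
#    for N generated file names under a deliberately small -s limit.
xargs_invocation_count() {
    local n=$1 i
    for ((i = 1; i <= n; i++)); do printf 'file%04d.txt\0' "$i"; done \
        | xargs -0 -s 200 sh -c 'echo invocation' _ | wc -l | tr -d ' '
}

# 3. Read a NUL-separated file list from stdin (for example the output of
#    `git diff --cached --name-only -z`) into an array and call the hook once
#    with every name as an argument. NUL separators keep names that contain
#    newlines intact. The hook's exit code is returned unchanged.
run_hook_on_nul_list() {
    local -a files=()
    local f
    while IFS= read -r -d '' f; do
        files+=("$f")
    done
    [ "${#files[@]}" -eq 0 ] && return 0
    "$DETECT_SECRETS_HOOK_CMD" --baseline .secrets.baseline "${files[@]}"
}

# 4. Policy: block the commit on exit 1, let exit 3 through (baseline was
#    rewritten but no new secrets were found), propagate anything else.
check_staged_files() {
    local rc=0
    run_hook_on_nul_list || rc=$?
    case $rc in
        0) return 0 ;;
        "$EXIT_BASELINE_UPDATED")
            echo "detect-secrets-hook updated the baseline; no new secrets, not blocking" >&2
            return 0 ;;
        "$EXIT_SECRET_FOUND")
            echo "detect-secrets-hook found a potential secret; blocking" >&2
            return 1 ;;
        *) return "$rc" ;;
    esac
}

# In a real .git/hooks/pre-commit the wrapper would be driven like this:
#   git diff --cached --name-only --diff-filter=ACM -z | check_staged_files
```

Because the file names are passed as one argument vector to a single process, a very large commit can still hit the kernel's argument-length limit (E2BIG), which is the case the requested read-from-file option would cover; the wrapper above removes the xargs layer but not that ceiling.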
gpflaum commented May 27, 2024

Upgrading from detect-secrets 1.4 to 1.5 is causing problems for us because detect-secrets-hook 1.5 updates the baseline file even if no new secrets are found. It returns exit code 3 in this case, causing failures in our build pipelines. I'd like to ignore that case, but it's difficult to get the exit code when using xargs.

gpflaum commented May 28, 2024

Updated the description with an additional problem that can happen when using xargs and scanning very many files.
