
[BUG] Tool detects integrity checksums as potential secrets (Base64 High Entropy String) #146

Open
jimjaeger opened this issue Jan 2, 2024 · 1 comment

Comments

@jimjaeger

Describe the bug
Integrity checksums on CSS or JS links in HTML files, or the integrity checksums in package.json files, are detected as potential secrets (Base64 High Entropy String). These entries are normal behavior from the HTML standard and the npm package manager.

To Reproduce
Steps to reproduce the behavior (HTML):

  1. Use the HTML integrity attribute as described here: https://www.w3schools.com/tags/att_script_integrity.asp
  2. Scan and audit
  3. See error

Steps to reproduce the behavior (package.json):

  1. Use the npm tool to install a Node.js dependency
  2. Scan and audit
  3. See error

Expected behavior
Ignore official areas for checksums.

Impact
Hundreds of false positives.

@bigpick
Member

bigpick commented May 6, 2024

I don't think this is a bug; that is just the nature of high entropy strings.

You'd be better off either

  1. ignoring the file entirely if the file is known to never have any secrets, or
  2. ignoring the line pattern for those lines

... both of which are already supported by detect-secrets.
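The following is an added illustration, not code from detect-secrets or from either participant. It reimplements, in a few lines, the shape of a Base64 high-entropy check (a run of base64 characters of at least 20 characters, kept when its Shannon entropy reaches the 4.5 threshold that detect-secrets uses by default for this plugin) and then applies the two suppression mechanisms the comment above recommends: a file-path pattern (what `--exclude-files` does on `detect-secrets scan`) and a line pattern (what `--exclude-lines` does). All file contents, digests and the API key are constructed for the example; the digests are deliberately built from non-repeating characters so their entropy is easy to predict, and `cdn.example.invalid` is a placeholder host.

```python
import math
import re

# Same shape as a base64 high-entropy check: a run of base64 characters of at
# least 20 characters, with optional "=" padding.
BASE64_RE = re.compile(r'[A-Za-z0-9+/]{20,}={0,2}')
ENTROPY_THRESHOLD = 4.5  # detect-secrets' default limit for the base64 plugin

# Exclusion patterns mirroring what the comment recommends (constructed here):
#  - skip files that never hold secrets (npm lock files are pure metadata)
#  - skip lines that carry an SRI / npm integrity digest
EXCLUDE_FILES_RE = re.compile(r'(^|/)package(-lock)?\.json$')
EXCLUDE_LINES_RE = re.compile(r'integrity"?\s*[=:]\s*"sha(256|384|512)-')

# Constructed sample repository: an HTML file with an SRI attribute, an npm
# lock file with an integrity field, and a config file holding one low-entropy
# placeholder and one high-entropy token that a scanner should still report.
SAMPLE_FILES = {
    "public/index.html": (
        '<script src="https://cdn.example.invalid/lib.js" '
        'integrity="sha256-q7Rf2KmXb9ZtJ4vHc0Ly6PaWs8NdE1Gu3Vi5TkBnOoC=" '
        'crossorigin="anonymous"></script>\n'
    ),
    "package-lock.json": (
        '{\n'
        '  "packages": {\n'
        '    "node_modules/lib": {\n'
        '      "integrity": "sha256-CoOnBkT5iV3uG1EdN8sWaP6yL0cHv4JtZ9bXmK2fR7q="\n'
        '    }\n'
        '  }\n'
        '}\n'
    ),
    "src/config.py": (
        'TOKEN = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"\n'
        'API_KEY = "Zx9Qw2Er8Ty1Ui7Op3As6Df4Gh5Jk0Lm"\n'
    ),
}


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for a repeated character."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_strings(line: str, threshold: float = ENTROPY_THRESHOLD):
    """Base64-looking substrings of `line` whose entropy meets the threshold."""
    return [
        m.group(0)
        for m in BASE64_RE.finditer(line)
        if shannon_entropy(m.group(0)) >= threshold
    ]


def scan(files, exclude_files=None, exclude_lines=None):
    """Return (path, line_no, candidate) findings, honouring both exclusions.

    `files` maps a path to its text; `exclude_files` is matched against the
    path and `exclude_lines` against each line, like the corresponding
    detect-secrets options.
    """
    findings = []
    for path, content in files.items():
        if exclude_files is not None and exclude_files.search(path):
            continue
        for line_no, line in enumerate(content.splitlines(), start=1):
            if exclude_lines is not None and exclude_lines.search(line):
                continue
            for candidate in high_entropy_strings(line):
                findings.append((path, line_no, candidate))
    return findings


if __name__ == "__main__":
    # Without exclusions both integrity digests are reported alongside the
    # real token; with them only the token remains.
    for path, line_no, candidate in scan(SAMPLE_FILES):
        print(f"unfiltered: {path}:{line_no} {candidate}")
    for path, line_no, candidate in scan(
        SAMPLE_FILES,
        exclude_files=EXCLUDE_FILES_RE,
        exclude_lines=EXCLUDE_LINES_RE,
    ):
        print(f"filtered:   {path}:{line_no} {candidate}")
```

The unfiltered pass reports three candidates because an integrity digest and a leaked token are indistinguishable to an entropy test; both are dense base64. The filtered pass keeps only the token in `src/config.py`, which is the behaviour the comment describes: the lock file is skipped by path, and the SRI attribute in the HTML file is skipped by line pattern, while anything else in those files is still scanned. Tightening the line pattern to the `integrity=...sha...-` shape, rather than allowlisting every base64 string, is what keeps the exclusion from hiding a real secret on a neighbouring line.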
