

fix(secrets): remove duplications in secrets (#6648)
* fix dup

* fix

* fix lint

* fix lint
RabeaZr authored Aug 13, 2024
1 parent 20bcb3e commit f539e8b
Showing 1 changed file with 18 additions and 16 deletions.
34 changes: 18 additions & 16 deletions checkov/secrets/runner.py
Expand Up @@ -77,7 +77,6 @@

CHECK_ID_TO_SECRET_TYPE = {v: k for k, v in SECRET_TYPE_TO_ID.items()}


MAX_FILE_SIZE = int(os.getenv('CHECKOV_MAX_FILE_SIZE', '5000000')) # 5 MB is default limit


Expand Down Expand Up @@ -138,7 +137,7 @@ def run(
customer_run_config = bc_integration.customer_run_config_response
plugins_index = 0
work_dir_obj = None
secret_suppressions_id: list[str] = []
secret_suppressions_ids: list[str] = []
work_path = str(os.getenv('WORKDIR')) if os.getenv('WORKDIR') else None
if work_path is None:
work_dir_obj = tempfile.TemporaryDirectory()
Expand All @@ -148,8 +147,10 @@ def run(
policies_list = customer_run_config.get('secretsPolicies', [])
suppressions = customer_run_config.get('suppressions', [])
if suppressions:
secret_suppressions_id = [suppression['policyId']
for suppression in suppressions if suppression['suppressionType'] == 'SecretsPolicy']
secret_suppressions_ids = [
suppression['policyId'] for suppression in suppressions
if suppression['suppressionType'] == 'SecretsPolicy' or suppression['suppressionType'] == 'Policy'
]
if policies_list:
runnable_plugins: dict[str, str] = get_runnable_plugins(policies_list)
logging.info(f"Found {len(runnable_plugins)} runnable plugins")
Expand Down Expand Up @@ -240,29 +241,26 @@ def run(
# secret history
added_commit_hash, removed_commit_hash, code_line, added_by, removed_date, added_date = '', '', '', '', '', ''
if runner_filter.enable_git_history_secret_scan:
enriched_potential_secret = git_history_scanner.\
enriched_potential_secret = git_history_scanner. \
history_store.get_added_and_removed_commit_hash(key, secret, root_folder)
added_commit_hash = enriched_potential_secret.get('added_commit_hash') or ''
removed_commit_hash = enriched_potential_secret.get('removed_commit_hash') or ''
code_line = enriched_potential_secret.get('code_line') or ''
added_by = enriched_potential_secret.get('added_by') or ''
removed_date = enriched_potential_secret.get('removed_date') or ''
added_date = enriched_potential_secret.get('added_date') or ''
# run over secret key
if isinstance(secret.secret_value, str) and secret.secret_value:
stripped = secret.secret_value.strip(',"')
if stripped != secret.secret_value:
secret_key = f'{key}_{secret.line_number}_{PotentialSecret.hash_secret(stripped)}'
if secret.secret_value and is_potential_uuid(secret.secret_value) and secret.check_id not in secrets_in_uuid_form:
# run over secret key
if isinstance(secret.secret_value, str) and secret.secret_value:
stripped = secret.secret_value.strip(',"')
if stripped != secret.secret_value:
secret_key = f'{key}_{secret.line_number}_{PotentialSecret.hash_secret(stripped)}'
if secret.secret_value and is_potential_uuid(
secret.secret_value) and secret.check_id not in secrets_in_uuid_form:
logging.info(
f"Removing secret due to UUID filtering: {PotentialSecret.hash_secret(secret.secret_value)}")
continue
if secret_key in secret_records.keys():
is_prioritise = self._prioritise_secrets(secret_records, secret_key, check_id)
if not is_prioritise:
continue
bc_check_id = metadata_integration.get_bc_id(check_id)
if bc_check_id in secret_suppressions_id:
if bc_check_id in secret_suppressions_ids:
logging.debug(f'Secret was filtered - check {check_id} was suppressed')
continue
severity = metadata_integration.get_severity(check_id)
Expand All @@ -271,6 +269,10 @@ def run(
logging.debug(
f'Check was suppress - should_run_check. check_id {check_id}')
continue
if secret_key in secret_records.keys():
is_prioritise = self._prioritise_secrets(secret_records, secret_key, check_id)
if not is_prioritise:
continue
result: _CheckResult = {'result': CheckResult.FAILED}
try:
if runner_filter.enable_git_history_secret_scan and code_line is not None:
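Review bot: The widened condition in the new `secret_suppressions_ids` comprehension now lets suppressions of type `'Policy'` silence secrets findings in addition to `'SecretsPolicy'`, a semantic change that the commit message ("remove duplications") does not mention; a one-line comment such as `# 'Policy' suppressions can also target secrets checks by bc id, so honour both types` would record the intent, and the two equality tests read better as `if suppression['suppressionType'] in ('SecretsPolicy', 'Policy')`. In the last hunk the relocated duplicate check can be written `if secret_key in secret_records:`, since `.keys()` adds nothing, and the `is_potential_uuid(` call split across two lines would be clearer broken at the `and`. Moving that duplicate check after the suppression and should_run_check filters changes when `_prioritise_secrets` is reached; if that helper mutates `secret_records`, the new order is presumably the fix, but a short comment stating why the check must come last would protect it from being reordered again. The enclosing `run` method starts and ends outside the shown hunks.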
