Deciding on new feature functionality...

[tarkatronic]

Hello, tartufo users!

As we work toward a new major version, v3.0, we are fixing bugs, adding features, improving accuracy, and generally making the best new release we possibly can. Some of this change is going to be highly disruptive to users, as they may see many more findings than they previously did, and will also need to put some work into updating their configurations.

In an effort to remain transparent, I wanted to ask the community's opinion about one new feature we are adding: Scanning filenames. As noted in #188, tartufo does not currently detect secrets in filenames. @sushantmimani has just graciously provided a PR to add this functionality, but as I look at it I can't decide on what the behavior should look like, and wanted to get some more opinions.

Since GitHub Discussions does not yet have polling functionality, I'd like to ask that users react to this post with the following emoji, indicating your preference for this behavior:

• 🎉 Add a --scan-filenames option, defaulted to True (allow users to disable the functionality)
• 😕 Add a --scan-filenames option, defaulted to False (allow users to optionally enable the functionality)
• 🚀 Always scan filenames, with no option to disable or enable

Please let us know what you think!

[rbailey-godaddy]

I voted "always scan" with the expectation that existing tools for exclusion of findings would be applied consistently with existing practice.

[tarkatronic]

This is actually the exact reasoning that ran through my head, and made me second guess the new option... hence the poll! Thanks for chiming in 👍🏻

[agoel-godaddy]

+1 on "always scan"

[pmevzek-godaddy]

I voted "Always scan filenames, with no option to disable or enable" but based on the feeling that the current exclusion mechanisms (signatures exclusion notably) should apply there as well.

[nico-godaddy]

An "old behavior" or "compatibility" flag may also prove useful, like --compat=2 that results in a behavior and output as close as possible to current version 2.
This would give users a big switch to control when to handle significant changes in behavior.

[dclayton-godaddy]

I agree in most cases, but when it comes to detecting secrets and security, that is an always improving process. I can't imagine an antivirus tool waiting for users to opt-into new virus definitions. I would say enhanced security detection does not even need major version even if it produces noise as long as it supports a way to handle false-flags.

[nico-godaddy]

I see a compatibility version as a way to split one chunk of work - upgrade from version 2 to version 3 - onto multiple sessions - upgrade tartufo now, enable new detection routines later, in stages.
The alternative is to stay with the old version until you can allocate resources to upgrade.

[dclayton-godaddy]

True, however if GoDaddy repos had secrets in filenames, I would assume that should be prioritized above all other work. Even if there were false flags. Ideally the new alerts would show up as warnings for a bit, then be blocking.

[tarkatronic]

The 🎉 s have it! Unfortunately we can't keep this poll running forever, as we need to keep momentum going toward v3.0. But with a vote of 7-4, we will be adding a --scan-filenames / --no-scan-filenames option, defaulted to True.

Thanks for taking part in the discussion and development here, everybody!