[271] Add flag to only scan files that exist on head (#272)
AbsoLouie authored Oct 30, 2020
1 parent 934c9a1 commit 622f31e
Showing 5 changed files with 59 additions and 10 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -404,6 +404,7 @@ If you execute `talisman` on the command line, you will be able to view all the
-c, --checksum string checksum calculator calculates checksum and suggests .talismanrc format
-d, --debug enable debug mode (warning: very verbose)
-g, --githook string either pre-push or pre-commit (default "pre-push")
--ignoreHistory scanner scans all files on current head, will not scan through git commit history
-i, --interactive interactively update talismanrc (only makes sense with -g/--githook)
-p, --pattern string pattern (glob-like) of files to scan (ignores githooks)
-r, --reportdirectory string directory where the scan reports will be stored
40 changes: 40 additions & 0 deletions acceptance_test.go
Expand Up @@ -283,6 +283,46 @@ func TestPatternFindsSecretInNestedFile(t *testing.T) {
})
}

func TestIgnoreHistoryDoesNotDetectRemovedSecrets(t *testing.T) {
withNewTmpGitRepo(func(git *git_testing.GitTesting) {
_options := options{
debug: false,
pattern: "./**/*.*",
scan: true,
ignoreHistory: true,
}

git.SetupBaselineFiles("simple-file")
git.CreateFileWithContents("some-dir/should-not-be-included.txt", awsAccessKeyIDExample)
git.AddAndcommit("*", "Initial Commit")
git.RemoveFile("some-dir/should-not-be-included.txt")
git.AddAndcommit("*", "Removed secret")
git.CreateFileWithContents("some-dir/should-be-included.txt", "safeContents")
git.AddAndcommit("*", "Start of Scan")

assert.Equal(t, 0, runTalismanWithOptions(git, _options), "Expected run() to return 0 since secret was removed from head")
})
}

func TestIgnoreHistoryDetectsExistingIssuesOnHead(t *testing.T) {
withNewTmpGitRepo(func(git *git_testing.GitTesting) {
_options := options{
debug: false,
pattern: "./**/*.*",
scan: true,
ignoreHistory: true,
}

git.SetupBaselineFiles("simple-file")
git.CreateFileWithContents("some-dir/file-with-issue.txt", awsAccessKeyIDExample)
git.AddAndcommit("*", "Commit with Secret")
git.CreateFileWithContents("some-dir/should-be-included.txt", "safeContents")
git.AddAndcommit("*", "Another Commit")

assert.Equal(t, 1, runTalismanWithOptions(git, _options), "Expected run() to return 1 since secret exists on head")
})
}

func runTalisman(git *git_testing.GitTesting) int {
_options := options{
debug: false,
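Review bot: TestIgnoreHistoryDetectsExistingIssuesOnHead introduces the secret in an earlier commit ("Commit with Secret") and adds a further commit before scanning, so what it really pins is that ignoreHistory scans the whole tree of HEAD rather than only the files touched by the last commit; that property is what makes the scanner's `--max-count=1` approach correct, and it deserves to be stated so a later scanner change cannot weaken the test unnoticed. Suggest a comment above the final assert such as `// Secret was added two commits back but is still present on HEAD: ignoreHistory must scan the full HEAD tree, not just the last commit's diff.` Likewise TestIgnoreHistoryDoesNotDetectRemovedSecrets documents the flag's trade-off, secrets that only survive in history are not reported, and a one-line comment saying so would make that intent explicit.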
4 changes: 2 additions & 2 deletions runner.go
Expand Up @@ -47,11 +47,11 @@ func (r *Runner) RunWithoutErrors(promptContext prompt.PromptContext) int {
}

//Scan scans git commit history for potential secrets and returns 0 or 1 as exit code
func (r *Runner) Scan(reportDirectory string) int {
func (r *Runner) Scan(reportDirectory string, ignoreHistory bool) int {

fmt.Printf("\n\n")
utility.CreateArt("Running Scan..")
additions := scanner.GetAdditions()
additions := scanner.GetAdditions(ignoreHistory)
ignores := &talismanrc.TalismanRC{}
detector.DefaultChain(ignores).Test(additions, ignores, r.results)
reportsPath, err := report.GenerateReport(r.results, reportDirectory)
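Review bot: The doc comment at the top of the hunk still reads `//Scan scans git commit history for potential secrets and returns 0 or 1 as exit code`, but the new `ignoreHistory` parameter narrows the scan to the current HEAD, so the comment no longer describes the function's contract. Suggest `//Scan scans git commit history for potential secrets and returns 0 or 1 as exit code. When ignoreHistory is true only the files reachable from the current HEAD are scanned, so secrets present only in earlier commits are not reported.` The body of Scan continues past the end of the hunk.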
16 changes: 10 additions & 6 deletions scanner/scanner.go
Expand Up @@ -13,8 +13,8 @@ type BlobsInCommits struct {
}

// GetAdditions will get all the additions for entire git history
func GetAdditions() []gitrepo.Addition {
blobsInCommits := getBlobsInCommit()
func GetAdditions(ignoreHistory bool) []gitrepo.Addition {
blobsInCommits := getBlobsInCommit(ignoreHistory)
var additions []gitrepo.Addition
for blob := range blobsInCommits.commits {
objectDetails := strings.Split(blob, "\t")
Expand All @@ -27,8 +27,8 @@ func GetAdditions() []gitrepo.Addition {
return additions
}

func getBlobsInCommit() BlobsInCommits {
commits := getAllCommits()
func getBlobsInCommit(ignoreHistory bool) BlobsInCommits {
commits := getAllCommits(ignoreHistory)
blobsInCommits := newBlobsInCommit()
result := make(chan []string, len(commits))
for _, commit := range commits {
Expand Down Expand Up @@ -62,8 +62,12 @@ func getBlobsFromChannel(blobsInCommits BlobsInCommits, result chan []string) {
}
}

func getAllCommits() []string {
out, err := exec.Command("git", "log", "--all", "--pretty=%H").CombinedOutput()
func getAllCommits(ignoreHistory bool) []string {
commitRange := "--all"
if ignoreHistory {
commitRange = "--max-count=1"
}
out, err := exec.Command("git", "log", commitRange, "--pretty=%H").CombinedOutput()
if err != nil {
log.Fatal(err)
}
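Review bot: `// GetAdditions will get all the additions for entire git history` in the first hunk is no longer accurate once `ignoreHistory` is true, and the third hunk's `commitRange = "--max-count=1"` carries a subtlety worth recording: without `--all`, `git log` lists only the single commit HEAD points to, so whether this covers "all files on current head" depends on getBlobsInCommit collecting the full tree of that commit rather than only its diff, which I cannot confirm because that function's body lies outside the hunk. Suggest updating the first comment to `// GetAdditions will get all the additions for the entire git history, or only for the commit at HEAD when ignoreHistory is true` and adding above `if ignoreHistory` a comment like `// --max-count=1 without --all yields only the commit HEAD points to; presumably the caller collects that commit's whole tree, so secrets removed from HEAD but still present in history are not reported.` The acceptance test TestIgnoreHistoryDetectsExistingIssuesOnHead added in this commit is the place that pins the full-tree expectation.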
8 changes: 6 additions & 2 deletions talisman.go
Expand Up @@ -26,6 +26,7 @@ var (
//Version : Version of talisman
Version = "Development Build"
scan bool
ignoreHistory bool
checksum string
reportdirectory string
scanWithHtml bool
Expand All @@ -48,6 +49,7 @@ type options struct {
githook string
pattern string
scan bool
ignoreHistory bool
checksum string
reportdirectory string
scanWithHtml bool
Expand All @@ -60,6 +62,7 @@ func main() {
flag.StringVarP(&pattern, "pattern", "p", "", "pattern (glob-like) of files to scan (ignores githooks)")
flag.StringVarP(&githook, "githook", "g", PrePush, "either pre-push or pre-commit")
flag.BoolVarP(&scan, "scan", "s", false, "scanner scans the git commit history for potential secrets")
flag.BoolVar(&ignoreHistory, "ignoreHistory", false, "scanner scans all files on current head, will not scan through git commit history")
flag.StringVarP(&checksum, "checksum", "c", "", "checksum calculator calculates checksum and suggests .talismanrc format")
flag.StringVarP(&reportdirectory, "reportdirectory", "r", "", "directory where the scan reports will be stored")
flag.BoolVarP(&scanWithHtml, "scanWithHtml", "w", false, "generate html report (**Make sure you have installed talisman_html_report to use this, as mentioned in Readme**)")
Expand Down Expand Up @@ -89,6 +92,7 @@ func main() {
githook: githook,
pattern: pattern,
scan: scan,
ignoreHistory: ignoreHistory,
checksum: checksum,
reportdirectory: reportdirectory,
scanWithHtml: scanWithHtml,
Expand Down Expand Up @@ -122,10 +126,10 @@ func run(stdin io.Reader, _options options, promptContext prompt.PromptContext)
return NewRunner(make([]gitrepo.Addition, 0)).RunChecksumCalculator(strings.Fields(_options.checksum))
} else if _options.scan {
log.Infof("Running scanner")
return NewRunner(make([]gitrepo.Addition, 0)).Scan(_options.reportdirectory)
return NewRunner(make([]gitrepo.Addition, 0)).Scan(_options.reportdirectory, _options.ignoreHistory)
} else if _options.scanWithHtml {
log.Infof("Running scanner with html report")
return NewRunner(make([]gitrepo.Addition, 0)).Scan("talisman_html_report")
return NewRunner(make([]gitrepo.Addition, 0)).Scan("talisman_html_report", _options.ignoreHistory)
} else if _options.pattern != "" {
log.Infof("Running %s pattern", _options.pattern)
directoryHook := NewDirectoryHook()
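Review bot: The new `flag.BoolVar(&ignoreHistory, "ignoreHistory", false, ...)` in the third hunk is only read on the `_options.scan` and `_options.scanWithHtml` paths of run() in the last hunk, but its help text does not say so, and it omits the coverage trade-off a user should know before relying on it: secrets that were removed from HEAD but remain in earlier commits are not reported. Suggest `flag.BoolVar(&ignoreHistory, "ignoreHistory", false, "scanner scans all files on current head, will not scan through git commit history (only with --scan/--scanWithHtml; secrets in past commits are not reported)")` and mirroring that wording in the README entry added by this commit. The other booleans in this block are registered with BoolVarP and a shorthand; a flag without a shorthand is acceptable, but the difference looks accidental rather than chosen and is worth a word in the commit. The run() function begins outside the hunk.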
