From 8fd712e7af57d753f8c239822f528c5d1e32b299 Mon Sep 17 00:00:00 2001
From: Sean Kelly
Date: Wed, 29 Nov 2023 09:49:50 -0600
Subject: [PATCH] Fix secret detection against baseline

The problem wasn't that a new secret suddenly appeared. Instead, it was that the `.pre-commit-config.yaml` wasn't included in the baseline configuration which resulted in a diff when the GitHub Action ran. The GitHub Action from SLIM is a bit primitive: it treats _any diff_ as a new secret. In this case, the diff was a difference in config, not in secrets. This also properly escapes the `.` in the regex for excluded files named `.pre-commit-config.yaml`.
---
 .github/workflows/secrets-detection.yaml | 1 +
 .secrets.baseline | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/secrets-detection.yaml b/.github/workflows/secrets-detection.yaml
index 85e939c..a50b88f 100644
--- a/.github/workflows/secrets-detection.yaml
+++ b/.github/workflows/secrets-detection.yaml
@@ -46,6 +46,7 @@ jobs:
 # find the secrets in the repository
 detect-secrets scan --disable-plugin AbsolutePathDetectorExperimental --baseline .secrets.new \
 --exclude-files '\.secrets..*' \
+ --exclude-files '\.pre-commit-config\.yaml' \
 --exclude-files '\.git.*' \
 --exclude-files '\.mypy_cache' \
 --exclude-files '\.pytest_cache' \
diff --git a/.secrets.baseline b/.secrets.baseline
index 01450e0..f17d176 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -119,7 +119,7 @@
 "path": "detect_secrets.filters.regex.should_exclude_file",
 "pattern": [
 "\\.secrets..*",
- "\\.pre-commit-config.yaml",
+ "\\.pre-commit-config\\.yaml",
 "\\.git.*",
 "\\.mypy_cache",
 "\\.pytest_cache",
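Review bot: The new `--exclude-files '\.pre-commit-config\.yaml'` pattern is unanchored like its neighbours, so if detect-secrets applies these regexes with a search rather than a full match (which is how I read its file filter, but worth confirming) it also excludes any path that merely contains that substring, e.g. a constructed `tools/.pre-commit-config.yaml.bak`; anchoring it as `--exclude-files '^\.pre-commit-config\.yaml$'` limits the exclusion to the one file the commit message describes. The same applies to the `pattern` entry in the `.secrets.baseline` hunk below, which must be changed in step, since the commit message says a mismatch between these two lists is exactly what produced the spurious diff. A comment above the scan such as `# keep this exclude list identical to the should_exclude_file patterns in .secrets.baseline` would make that coupling explicit for the next person who adds an exclusion. The pre-existing `'\.git.*'` pattern is broad enough to also match `.github/`, so the workflow directory itself is never scanned; that looks unintended and is worth a check.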
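Review bot: The baseline is edited by hand here rather than regenerated, so its recorded metadata (the `generated_at` timestamp and any other filter state) no longer reflects an actual scan, and nothing guarantees the `pattern` list agrees byte-for-byte with the flags the workflow passes. Regenerating it with the same `detect-secrets scan --baseline .secrets.baseline --exclude-files …` invocation the workflow uses would produce both sides from one source and is the more reliable way to keep the SLIM action's diff check quiet. The doubled backslashes in the JSON string are correct for the intended regex.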