Secret detection: handle surrounding quotes, expand AST parser usage #87
We've identified a couple ways secret detection can be improved. This PR adds them:
Allow language-specific parsers to be applied in more scenarios.

Currently we only check the language ID of a file to determine if an AST parser should be applied. Specifically in `.env` file cases, support for the specific language ID we were checking (`dotenv`) requires the installation of another extension, but a user might not have it installed. So now we're also going to allow the file extension to be used as a qualifier for applying an AST parser. For example, a file ending in `.env` will now use the DotEnv parser.

Account for secrets wrapped in quotes.
When looking for secrets we check before and after the secret to make sure that it's not part of a larger string in order to avoid false positives. However, this meant that it excluded secrets if they were surrounded by quotation marks.
That means this wouldn't be detected:
But this would:
We're now going to allow for secret detection if the matched secret is surrounded by single or double quotes.
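The two behaviours described above, as an added example that is not the project's own code: a boundary check around a matched secret that rejects matches embedded in a larger token but accepts a match wrapped in a matching pair of quotes, plus parser selection that falls back from the editor's language ID to the file extension. The token pattern (`sk_live_` followed by 16 hex digits), the parser table and the sample `.env` content are all constructed for the example.

```javascript
// Added example: boundary-aware secret matching and extension-based parser
// selection. Nothing here is the project's own code; the pattern, parser table
// and sample input below are constructed for illustration.

// Hypothetical secret format: "sk_live_" prefix followed by 16 hex characters.
// The global flag is required for String.prototype.matchAll.
const SECRET_PATTERN = /sk_live_[0-9a-f]{16}/g;

// Quote characters that may wrap a secret in config and source files.
const QUOTES = new Set(["'", '"', "`"]);

// A neighbouring character that does not make the match part of a larger
// token: start/end of text, whitespace, or common delimiters.
function isBoundary(ch) {
  return ch === undefined || /[\s=:,;()\[\]{}]/.test(ch);
}

// Returns every match of `pattern` in `text` whose surroundings show it is a
// standalone value: either both neighbours are boundaries, or both neighbours
// are the same quote character (the case the old check wrongly excluded).
function findSecrets(text, pattern = SECRET_PATTERN) {
  const hits = [];
  for (const m of text.matchAll(pattern)) {
    const before = text[m.index - 1]; // undefined at start of text
    const after = text[m.index + m[0].length]; // undefined at end of text
    const bothQuoted = QUOTES.has(before) && after === before;
    if (bothQuoted || (isBoundary(before) && isBoundary(after))) {
      hits.push({ index: m.index, value: m[0], quoted: bothQuoted });
    }
  }
  return hits;
}

// Constructed parser table: each AST parser lists the language IDs an editor
// may report for it and the file extensions that identify it without one.
const PARSERS = [
  { name: "dotenv", languageIds: ["dotenv"], extensions: [".env"] },
  { name: "json", languageIds: ["json", "jsonc"], extensions: [".json"] },
];

// Language ID first (the existing behaviour); extension as the new fallback
// so a .env file still gets the DotEnv parser when no dotenv extension is
// installed and the editor reports e.g. "plaintext". Returns null when no
// parser applies, so the caller can fall back to plain pattern matching.
function selectParser(languageId, fileName) {
  const byId = PARSERS.find((p) => p.languageIds.includes(languageId));
  if (byId) return byId.name;
  const lower = fileName.toLowerCase();
  const byExt = PARSERS.find((p) => p.extensions.some((e) => lower.endsWith(e)));
  return byExt ? byExt.name : null;
}

// Constructed sample .env content covering the three cases discussed.
const SAMPLE_ENV = [
  'API_KEY="sk_live_0123456789abcdef"', // quoted: previously missed, now reported
  "OTHER=sk_live_fedcba9876543210", // bare: reported before and after the change
  "NOT_A_KEY=xsk_live_0123456789abcdefy", // inside a larger token: still ignored
].join("\n");

function scanSample() {
  return {
    parser: selectParser("plaintext", "/app/.env"),
    hits: findSecrets(SAMPLE_ENV),
  };
}

console.log(JSON.stringify(scanSample(), null, 2));
```

Note that mismatched quotes (`"…'`) are not treated as a quoted value: the match is only accepted when both neighbours are the same quote character or both are boundaries, which keeps the original substring protection intact.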