diff --git a/README.md b/README.md index 57fdedda..62764e44 100644 --- a/README.md +++ b/README.md @@ -57,15 +57,16 @@ Additional Commands: rules List all rules Flags: - --config string config file path - --exclude-rule strings exclude rules by name or tag to apply to the scan (removes from list, starts from all) - -h, --help help for 2ms - --include-rule strings include rules by name or tag to apply to the scan (adds to list, starts from empty) - --log-level string log level (trace, debug, info, warn, error, fatal) (default "info") - --regex stringArray custom regexes to apply to the scan, must be valid Go regex - --report-path strings path to generate report files. The output format will be determined by the file extension (.json, .yaml, .sarif) - --stdout-format string stdout output format, available formats are: json, yaml, sarif (default "yaml") - -v, --version version for 2ms + --config string config file path + --exclude-rule strings exclude rules by name or tag to apply to the scan (removes from list, starts from all) + -h, --help help for 2ms + --ignore-result strings ignore specific result by id + --include-rule strings include rules by name or tag to apply to the scan (adds to list, starts from empty) + --log-level string log level (trace, debug, info, warn, error, fatal) (default "info") + --regex stringArray custom regexes to apply to the scan, must be valid Go regex + --report-path strings path to generate report files. The output format will be determined by the file extension (.json, .yaml, .sarif) + --stdout-format string stdout output format, available formats are: json, yaml, sarif (default "yaml") + -v, --version version for 2ms Use "2ms [command] --help" for more information about a command. ``` diff --git a/cmd/main.go b/cmd/main.go index 66ba5ec0..bacc5fdc 100644 --- a/cmd/main.go +++ b/cmd/main.go 
@@ -37,6 +37,7 @@ const (
 customRegexRuleFlagName = "regex"
 includeRuleFlagName = "include-rule"
 excludeRuleFlagName = "exclude-rule"
+ ignoreFlagName = "ignore-result"
 )
 
 var (
@@ -46,6 +47,7 @@ var (
 customRegexRuleVar []string
 includeRuleVar []string
 excludeRuleVar []string
+ ignoreVar []string
 )
 
 var rootCmd = &cobra.Command{
@@ -117,10 +119,10 @@ func Execute() {
 rootCmd.PersistentFlags().StringSliceVar(&reportPathVar, reportPathFlagName, []string{}, "path to generate report files. The output format will be determined by the file extension (.json, .yaml, .sarif)")
 rootCmd.PersistentFlags().StringVar(&stdoutFormatVar, stdoutFormatFlagName, "yaml", "stdout output format, available formats are: json, yaml, sarif")
 rootCmd.PersistentFlags().StringArrayVar(&customRegexRuleVar, customRegexRuleFlagName, []string{}, "custom regexes to apply to the scan, must be valid Go regex")
-
 rootCmd.PersistentFlags().StringSliceVar(&includeRuleVar, includeRuleFlagName, []string{}, "include rules by name or tag to apply to the scan (adds to list, starts from empty)")
 rootCmd.PersistentFlags().StringSliceVar(&excludeRuleVar, excludeRuleFlagName, []string{}, "exclude rules by name or tag to apply to the scan (removes from list, starts from all)")
 rootCmd.MarkFlagsMutuallyExclusive(includeRuleFlagName, excludeRuleFlagName)
+ rootCmd.PersistentFlags().StringSliceVar(&ignoreVar, ignoreFlagName, []string{}, "ignore specific result by id")
 
 rootCmd.AddCommand(secrets.RulesCommand)
 
@@ -174,7 +176,7 @@ func preRun(cmd *cobra.Command, args []string) {
 case item := <-channels.Items:
 report.TotalItemsScanned++
 channels.WaitGroup.Add(1)
- go secrets.Detect(secretsChan, item, channels.WaitGroup)
+ go secrets.Detect(item, secretsChan, channels.WaitGroup, ignoreVar)
 case secret := <-secretsChan:
 report.TotalSecretsFound++
 report.Results[secret.ID] = append(report.Results[secret.ID], secret)
diff --git a/plugins/filesystem.go b/plugins/filesystem.go
index 3f4a15ad..520d69c1 100644
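Review bot: The help string registered for `--ignore-result` in the Execute() hunk, `"ignore specific result by id"`, is the only place a user learns what to pass, and it says neither which id is meant nor that several can be given; the flag is a StringSliceVar, so comma-separated values are accepted, and the id is the key the preRun hunk stores under `report.Results[secret.ID]`. Suggest `"ignore specific results by id, comma-separated; use the result IDs shown in the report"` so a suppression is not silently mis-typed. Execute() and preRun() both start and end outside their hunks.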
--- a/plugins/filesystem.go
+++ b/plugins/filesystem.go
@@ -13,7 +13,7 @@ import (
 const (
 flagFolder = "path"
 flagProjectName = "project-name"
- flagIgnored = "ignore"
+ flagIgnored = "ignore-pattern"
 )
 
 var ignoredFolders = []string{".git"}
diff --git a/secrets/secrets.go b/secrets/secrets.go
index d5b0e452..d98bd3b0 100644
--- a/secrets/secrets.go
+++ b/secrets/secrets.go
@@ -11,6 +11,7 @@ import (
 "github.com/checkmarx/2ms/plugins"
 "github.com/checkmarx/2ms/reporting"
+ "github.com/rs/zerolog/log"
 "github.com/spf13/cobra"
 "github.com/zricethezav/gitleaks/v8/cmd/generate/config/rules"
 "github.com/zricethezav/gitleaks/v8/config"
@@ -84,7 +85,7 @@ func Init(includeList, excludeList []string) (*Secrets, error) {
 }, nil
 }
 
-func (s *Secrets) Detect(secretsChannel chan reporting.Secret, item plugins.Item, wg *sync.WaitGroup) {
+func (s *Secrets) Detect(item plugins.Item, secretsChannel chan reporting.Secret, wg *sync.WaitGroup, ignoredIds []string) {
 defer wg.Done()
 
 fragment := detect.Fragment{
@@ -92,7 +93,7 @@ func (s *Secrets) Detect(secretsChannel chan reporting.Secret, item plugins.Item
 }
 for _, value := range s.detector.Detect(fragment) {
 itemId := getFindingId(item, value)
- secretsChannel <- reporting.Secret{
+ secret := reporting.Secret{
 ID: itemId,
 Source: item.Source,
 RuleID: value.RuleID,
@@ -102,6 +103,11 @@ func (s *Secrets) Detect(secretsChannel chan reporting.Secret, item plugins.Item
 EndColumn: value.EndColumn,
 Value: value.Secret,
 }
+ if !isSecretIgnored(&secret, &ignoredIds) {
+ secretsChannel <- secret
+ } else {
+ log.Debug().Msgf("Secret %s was ignored", secret.ID)
+ }
 }
 }
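Review bot: An ignored finding leaves no trace in the scan output: the new branch at the end of the Detect loop drops it before it reaches secretsChannel, so it is never counted in TotalSecretsFound and the only record is a Debug-level line, which is off at the default info level shown in this commit's --log-level help text. For a suppression mechanism that is an audit gap: a stale or mistyped `--ignore-result` id hides a real secret and nothing in the report says a suppression was applied. Suggest at least `log.Info().Msgf("Secret %s was ignored", secret.ID)` and, better, carrying an ignored count or the list of applied ids into the report so whoever reads the scan can see what was filtered. Since ignoredIds is fixed for the whole run, it could also be stored on Secrets at Init (which already takes includeList and excludeList) instead of being passed into every Detect goroutine. Detect's signature and fragment setup sit in the earlier hunks; the function ends with this one.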
@@ -128,6 +134,15 @@ func getFindingId(item plugins.Item, finding report.Finding) string {
 return fmt.Sprintf("%x", sha)
 }
 
+func isSecretIgnored(secret *reporting.Secret, ignoredIds *[]string) bool {
+ for _, ignoredId := range *ignoredIds {
+ if secret.ID == ignoredId {
+ return true
+ }
+ }
+ return false
+}
+
 func selectRules(allRules []Rule, tags []string) map[string]config.Rule {
 rulesToBeApplied := make(map[string]config.Rule)
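Review bot: `isSecretIgnored` takes `*[]string` and `*reporting.Secret` but only reads both; a slice already refers to its backing array, so the pointer-to-slice saves no copy and forces the awkward `&ignoredIds` at the call site in Detect. A plainer signature is `func isSecretIgnored(id string, ignoredIds []string) bool`, called as `isSecretIgnored(secret.ID, ignoredIds)`, and if the module's Go version is 1.21 or later the body is just `return slices.Contains(ignoredIds, id)`; otherwise keep the loop as written. The comparison is an exact string match, which is fine for the hex ids getFindingId produces but means a surrounding-whitespace or case difference in a user-supplied id silently fails to suppress; trimming at flag-parse time would make that robust. Should the ignore list ever get long, a `map[string]struct{}` built once at startup replaces this per-finding linear scan, but that needs the list held on Secrets rather than passed per call.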