Configuring Git secrets scan

David Keaveny
Contributor
June 10, 2020

I'm trying to integrate the AWS Git secrets scan pipe in my pipeline (https://bitbucket.org/atlassian/git-secrets-scan/src/master/); however, I can't get the `FILES` filter to work, and the documentation doesn't give much help.

My simple pipeline builds a .NET Core 2.2 application, and checks for hardcoded AWS secrets in the source code:

image: mcr.microsoft.com/dotnet/core/sdk:2.2

pipelines:
  default:
    - step:
        name: Build
        caches:
          - dotnetcore
        script:
          - dotnet build
    - step:
        name: Analyse
        script:
          - pipe: atlassian/git-secrets-scan:0.4.1
            variables:
              FILES: '*.cs'

However, when the pipeline runs, I see the following:

INFO: Executing the pipe...
Traceback (most recent call last):
  File "/pipe.py", line 112, in <module>
    main()
  File "/pipe.py", line 104, in main
    raise Exception(result.stderr)
Exception: grep: *.cs: No such file or directory

If I remove the FILES setting (so it scans all files) then the pipeline runs correctly, although the Git secrets pipe fails with false positives on a project file (which is why I wanted the file filter in the first place).

Have I set up the pipe correctly? And how can I add other file types to the filter expression?

1 answer

1 accepted

1 vote
Answer accepted
Halyna Berezovska
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 12, 2020

@David Keaveny thanks for using the pipe!

I checked git secrets scan, and such an error appears when you do not have files with this extension.

For example, in the snippet below the command scanning txt files gives nothing, so it is all right, and searching for *.cs files does not work because such files do not exist:

$ ls test.txt 
test.txt

$ git secrets --scan *.txt
$ git secrets --scan *.cs
grep: *.cs: No such file or directory
$ ls *.cs
ls: *.cs: No such file or directory

If you propose to catch this, to ensure that nothing sensitive appears during the build (when such files could be created), we can discuss it as a proposal for a future improvement.

For now, I would just like to understand your case.

David Keaveny
Contributor
June 14, 2020

Hi Galyna,

Thanks for your response!

The *.cs files will be in subfolders of the project root, so I'm guessing that it's not searching recursively?

As a side question, if I wanted to search *.cs and *.json files, would I configure it as:

FILES: '*.cs;*.json'

?

Halyna Berezovska
Atlassian Team
June 19, 2020

@David Keaveny hello, we released a new version of git-secrets-scan, 0.4.3, with a fix for the wildcard issue; indeed, the subprocess tool did not work with the wildcard *.

Now it should work in 0.4.3, and your example

FILES: '*.cs;*.json'

will also work, but you need to specify this variable like this:

FILES: '*.cs *.json'

without the semicolon.

Regards, Galyna

David Keaveny
Contributor
June 19, 2020

Hi @Halyna Berezovska ,

I gave the 0.4.3 image a go, and it seems to be ignoring the `FILES` parameter, as it is giving a false positive on a .DotSettings file. My configuration is now:

    - step:
        name: Analyse
        script:
          - pipe: atlassian/git-secrets-scan:0.4.3
            variables:
              FILES: '*.cs *.json'

Halyna Berezovska
Atlassian Team
June 22, 2020

@David Keaveny yes, this is because you are trying to find files in non-root directories.

In the Python glob that we use there is a specific syntax to search recursively:

        script:
          - pipe: atlassian/git-secrets-scan:0.4.3
            variables:
              FILES: "**/*.txt **/*.json"

This is not obvious; see how it should work in our doc: Git Secrets Scan, Advanced examples.

Also, check your DotSettings extension. If you suspect a sensitive string could be found in files such as *.DotSettings, include this too.

David Keaveny
Contributor
June 22, 2020

Ah yes, that fixed it, many thanks!
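The two failure modes in this thread (a pattern that expands to nothing being handed to grep as a literal file name, and `*.cs` only looking at the repository root) come down to how Python's glob treats `*` versus `**/`. The script below is an added example, not code from the git-secrets-scan pipe or from anyone in the thread; it builds a constructed sample tree in a temp directory and uses `pathlib.Path.glob` as a stand-in for the pipe's glob, assuming, as the answer states, that `FILES` is split on whitespace and each pattern is expanded with Python glob.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed sample layout (an assumption, not the project from the thread):
# C# sources live in subfolders, while an IDE settings file sits at the root.
SAMPLE_FILES = [
    "src/App/Program.cs",
    "src/App/appsettings.json",
    "src/App.Tests/ProgramTests.cs",
    "MySolution.sln.DotSettings",
    "README.md",
]


def make_sample_repo() -> str:
    """Create a throwaway directory tree containing the constructed sample files."""
    root = tempfile.mkdtemp(prefix="secrets-scan-demo-")
    for rel in SAMPLE_FILES:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("// constructed placeholder content, no secrets here\n")
    return root


def parse_files_variable(files: str) -> List[str]:
    """Split a FILES value into patterns on whitespace, as the thread describes.

    A semicolon is not a separator: '*.cs;*.json' is one pattern that
    matches nothing.
    """
    return files.split()


def expand_patterns(root: str, files: str) -> Dict[str, List[str]]:
    """Expand each FILES pattern relative to root with pathlib's glob.

    pathlib treats '**' as 'this directory and every subdirectory', so
    '*.cs' only looks at the root while '**/*.cs' descends the whole tree.
    Results are root-relative POSIX paths, sorted for stable output.
    """
    base = Path(root)
    result: Dict[str, List[str]] = {}
    for pattern in parse_files_variable(files):
        hits = [p.relative_to(base).as_posix() for p in base.glob(pattern) if p.is_file()]
        result[pattern] = sorted(hits)
    return result


def unmatched_patterns(root: str, files: str) -> List[str]:
    """Return the patterns that expand to no files at all.

    These are the ones that, passed to grep unexpanded, produce the
    'grep: *.cs: No such file or directory' failure seen in the thread.
    """
    return [pat for pat, hits in expand_patterns(root, files).items() if not hits]


if __name__ == "__main__":
    repo = make_sample_repo()
    for value in ("*.cs", "*.cs;*.json", "*.cs *.json", "**/*.cs **/*.json **/*.DotSettings"):
        print(f"FILES: {value!r}")
        for pattern, hits in expand_patterns(repo, value).items():
            print(f"  {pattern:20} -> {hits or 'NO MATCH'}")
        if unmatched_patterns(repo, value):
            print("  warning: an unmatched pattern would reach grep as a literal file name")
```

Running it shows `*.cs` and `*.cs;*.json` matching nothing, `*.cs *.json` being split into two root-only patterns that still find no sources in this layout, and the `**/` forms picking up the files in `src/`. The `unmatched_patterns` check is the kind of pre-flight a pipeline can run so that an empty glob fails with a clear message instead of a grep error, which also stops a mis-typed filter from silently scanning nothing.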
