Exclusion Parameters/Arguments Are Not Being Passed On

[blonienc]

As a SeCurLI user, when opt to exclude scanning a particular file or folder type, that excision is not not being honored and the exclusions are still being scanned. Most recent example was trying to exclude snap files but they were still being scanned.

This causes issues in the fact that if I continue to get false positive results with my SeCureLI scan.

To reproduce:

Have secrets present in file or folder
Create exclusion rule
View results

AC:

• Using inherent SeCureLI functionality I am able to exclude folder or file type from the scan
• Results are not give for the exclusions

[schuslalom]

Calling detect-secrets directly, and passing in --exclude-files works as expected:

detect-secrets scan --exclude-files '.*\.snap$'

When the following is added to .secureli/.pre-commit-config.yaml:

  - hooks:
      - args:
          - --exclude-files '.*\.snap$'
        id: detect-secrets
    repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0

The files ending in .snap are not excluded as part of the scan.

However, if the syntax is changed to:

  - hooks:
      - args: ['--exclude-files', '.*\.snap$']
        id: detect-secrets
    repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0

Then the .snap files are excluded from the scan as expected.

The last syntax works, so I think this can be solved simply with documentation in secureli on how to correctly provide arguments. The working example was taken from the detect-secrets repo: https://github.com/Yelp/detect-secrets#:~:text=args%3A%20%5B%27%2D%2Dbaseline%27%2C%20%27.secrets.baseline%27%5D

[itoltz]

It's worth noting that the two samples @schuslalom provided are slightly different. In the first case, the pattern is surrounded by single quotes ('.*/.snap$'), while in the second case it is not (.*/snap$).

That said, based on my testing I don't believe the presence of quotes makes a difference one way or the other. The salient point seems to be that the first example results in an array with a single element (["--exclude-files '.*\.snap$'"]) while the second example results in an array with two elements (["--exclude-files", ".*/snap$"]). The first example works if I split the file pattern into its own element.

- hooks:
    - args:
        - --exclude-files
        - '.*\.snap$'
      id: detect-secrets
  repo: https://github.com/Yelp/detect-secrets
  rev: v1.5.0

I'm looking into adding this quirk into our documentation.