
GitGuardian: Generate a descriptive output about findings

Igor Drozdov requested to merge id-git-guardian-descriptive-output into master

What does this MR do and why?

Related issue: GitGuardian: Generate a descriptive output abou... (#451113 - closed)

Within GitGuardian pre-receive secrets detection (&11494 - closed) we implemented a GitGuardian integration that rejects the pushes if a commit violated a policy check. We output something like:

Secrets detection policy violated at .env for Basic Auth String 'jen_barber'

However, the JSON returned by the API also includes indexes that locate the place in the file that actually violated a policy:

JSON content
{
    "policies": [
        "Secrets detection"
    ],
    "policy_break_count": 1,
    "policy_breaks": [
        {
            "incident_url": "",
            "known_secret": false,
            "matches": [
                {
                    "index_end": 48,
                    "index_start": 39,
                    "line_end": 1,
                    "line_start": 1,
                    "match": "jen_barber",
                    "type": "username"
                },
                {
                    "index_end": 74,
                    "index_start": 50,
                    "line_end": 1,
                    "line_start": 1,
                    "match": "correcthorsebatterystaple",
                    "type": "password"
                },
                {
                    "index_end": 95,
                    "index_start": 76,
                    "line_end": 1,
                    "line_start": 1,
                    "match": "cake.gitguardian.com",
                    "type": "host"
                }
            ],
            "policy": "Secrets detection",
            "type": "Basic Auth String",
            "validity": "no_checker"
        }
    ]
}

What changed

After this MR, if a commit contains violations according to GitGuardian service, a user gets the following info:

> git push --set-upstream origin new-branch-1

Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 10 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 399 bytes | 399.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0), pack-reused 0 (from 0)
remote: GitLab: .env: 2 incidents detected:
remote:
remote:  >> Filenames: .env
remote:     Validity: N/A
remote:     Known by GitGuardian: No
remote:     Incident URL: N/A
remote:     Violation: filename `.env` detected
remote:
remote:  >> Secrets detection: Basic Auth String
remote:     Validity: No checker
remote:     Known by GitGuardian: No
remote:     Incident URL: N/A
remote:     Violation: username `jen_barber1` detected
remote:     2 | url = 'http://jen_barber1:correcthorsebatterystaple@cake.gitguardian.com/isreal.json'
remote:                       |username_|
remote:     Violation: password `correcthorsebatterystaple` detected
remote:     2 | url = 'http://jen_barber1:correcthorsebatterystaple@cake.gitguardian.com/isreal.json'
remote:                                   |_______password________|
remote:     Violation: host `cake.gitguardian.com` detected
remote:     2 | url = 'http://jen_barber1:correcthorsebatterystaple@cake.gitguardian.com/isreal.json'
remote:                                                             |_______host_______|
remote:
remote: How to remediate:
remote:
remote: The violation was detected before the commit was pushed:
remote:
remote: 1. Fix the violation in the detected files.
remote: 2. Commit and try pushing again.
remote:
remote: [To apply with caution] If you want to bypass the secrets check:
remote:
remote: 1. Add [skip secret detection] flag to the commit message.
remote: 2. Commit and try pushing again.
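To make the mapping from the API's `index_start`/`index_end` offsets to the annotated lines above concrete, here is a small added example in Ruby (the language of the GitLab code base); it is not the MR's own implementation. It assumes that the offsets are 0-based, inclusive positions into the whole document, which is what the sample JSON implies (39..48 spans the ten characters of `jen_barber`), and that the marker is the match type centred in underscores and bracketed with pipes, exactly as wide as the matched text. The `.env` content and the policy break below are constructed to be consistent with each other.

```ruby
require 'json'

# Constructed sample: a two-line .env file whose second line carries a Basic Auth URL.
SAMPLE_ENV = "APP_ENV=production\n" \
             "url = 'http://jen_barber:correcthorsebatterystaple@cake.gitguardian.com/isreal.json'\n"

# Constructed sample policy break in the shape of the API response quoted in the MR.
# Assumption: index_start/index_end are 0-based, inclusive offsets into the whole document.
SAMPLE_POLICY_BREAK = JSON.parse(<<~JSON)
  {
    "policy": "Secrets detection",
    "type": "Basic Auth String",
    "validity": "no_checker",
    "known_secret": false,
    "incident_url": "",
    "matches": [
      {"type": "username", "match": "jen_barber", "line_start": 2, "line_end": 2, "index_start": 33, "index_end": 42},
      {"type": "password", "match": "correcthorsebatterystaple", "line_start": 2, "line_end": 2, "index_start": 44, "index_end": 68},
      {"type": "host", "match": "cake.gitguardian.com", "line_start": 2, "line_end": 2, "index_start": 70, "index_end": 89}
    ]
  }
JSON

# Offset at which the given 1-based line starts (sum of all preceding lines, newlines included).
def line_offset(content, line_number)
  content.lines.first(line_number - 1).sum(&:length)
end

# Underline marker: the match type centred in underscores, bracketed with pipes, exactly as
# wide as the matched text, e.g. "|_______password________|" for a 25-character match.
def marker(type, width)
  inner = width - 2
  # Match too short to carry its label: fall back to carets (assumption, not the MR's behaviour).
  return '^' * width if inner < type.length

  pad = inner - type.length
  left = pad / 2
  "|#{'_' * left}#{type}#{'_' * (pad - left)}|"
end

# Per-match block: the "Violation:" line, the offending source line, and the marker beneath it.
def render_match(content, match)
  line_no = match['line_start']
  line = content.lines[line_no - 1].chomp
  column = match['index_start'] - line_offset(content, line_no)
  width = match['index_end'] - match['index_start'] + 1
  prefix = "#{line_no} | "
  [
    "Violation: #{match['type']} `#{match['match']}` detected",
    "#{prefix}#{line}",
    "#{' ' * (prefix.length + column)}#{marker(match['type'], width)}"
  ]
end

# Whole policy-break block in the layout of the push output: header fields, then each match.
def render_policy_break(content, policy_break)
  validity = policy_break['validity'].to_s.tr('_', ' ').capitalize # "no_checker" -> "No checker"
  url = policy_break['incident_url'].to_s
  header = [
    ">> #{policy_break['policy']}: #{policy_break['type']}",
    "   Validity: #{validity.empty? ? 'N/A' : validity}",
    "   Known by GitGuardian: #{policy_break['known_secret'] ? 'Yes' : 'No'}",
    "   Incident URL: #{url.empty? ? 'N/A' : url}"
  ]
  header + policy_break['matches'].flat_map { |m| render_match(content, m).map { |l| "   #{l}" } }
end

puts render_policy_break(SAMPLE_ENV, SAMPLE_POLICY_BREAK) if __FILE__ == $PROGRAM_NAME
```

Because the offsets are document-relative, the column on the source line is recovered by subtracting the start offset of `line_start`; a one-line document, like the one in the sample JSON, makes the two coincide, which is why the offsets there can be read directly as columns.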
