Merge pull request #428 from Yelp/feature/adding-alphanumerical-filter

adding filters.heuristic.is_not_alphanumeric_string

Author: domanchi

detect_secrets/filters/heuristic.py

@@ -197,6 +197,14 @@ def is_lock_file(filename: str) -> bool:
     }
 
 
+def is_not_alphanumeric_string(secret: str) -> bool:
+    """
+    This assumes that secrets should have at least ONE letter in them.
+    This helps avoid clear false positives, like `*****`.
+    """
+    return not bool(set(string.ascii_letters) & set(secret))
+
+
 def is_swagger_file(filename: str) -> bool:
     """
     Filters swagger files and paths, like swagger-ui.html or /swagger/.

detect_secrets/settings.py

@@ -119,6 +119,7 @@ def clear(self) -> None:
                 'detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign',
                 'detect_secrets.filters.heuristic.is_indirect_reference',
                 'detect_secrets.filters.heuristic.is_lock_file',
+                'detect_secrets.filters.heuristic.is_not_alphanumeric_string',
                 'detect_secrets.filters.heuristic.is_swagger_file',
             }
         }

docs/filters.md

@@ -51,6 +51,7 @@ the `detect_secrets.filters` namespace.
 | `heuristic.is_likely_id_string`                  | Ignores secret values prefixed with `id`.                                           |
 | `heuristic.is_lock_file`                         | Ignores common lock files.                                                          |
 | `heuristic.is_non_text_file`                     | Ignores non-text files (e.g. archives, images).                                     |
+| `heuristic.is_not_alphanumeric_string`           | Ignores secrets that do not have a single alphanumeric character in it.             |
 | `heuristic.is_potential_uuid`                    | Ignores uuid looking secret values.                                                 |
 | `heuristic.is_prefixed_with_dollar_sign`         | Primarily for `KeywordDetector`, filters secrets like `secret = $variableName;`.    |
 | `heuristic.is_sequential_string`                 | Ignores secrets like `abcdefg`.                                                     |

test_data/config.ini

@@ -18,8 +18,8 @@ keyA =
     value3
     ; This is another comment
 
-keyB = 456789123
-    567891234
+keyB = 456789123a
+    567891234b
 
 keyC =
 

tests/core/secrets_collection_test.py

@@ -81,9 +81,7 @@ def test_file_based_success_config():
 
         assert [str(secret).splitlines()[1] for _, secret in secrets] == [
             'Location:    test_data/config.ini:2',
-            'Location:    test_data/config.ini:6',
             'Location:    test_data/config.ini:10',
-            'Location:    test_data/config.ini:15',
             'Location:    test_data/config.ini:21',
             'Location:    test_data/config.ini:22',
             'Location:    test_data/config.ini:32',

tests/filters/heuristic_filter_test.py

@@ -134,6 +134,17 @@ def test_is_lock_file():
     assert not filters.heuristic.is_lock_file('Gemfilealock')
 
 
+@pytest.mark.parametrize(
+    'secret, result',
+    (
+        ('*****', True),
+        ('a&b23?!', False),
+    ),
+)
+def test_is_not_alphanumeric_string(secret, result):
+    assert filters.heuristic.is_not_alphanumeric_string(secret) is result
+
+
 @pytest.mark.parametrize(
     'filename, result',
     (