adding filters.heuristic.is_not_alphanumeric_string

Aaron Loo · Aaron Loo · commit e819add5fe2b · 2021-03-11T10:39:06.000-08:00
diff --git a/detect_secrets/filters/heuristic.py b/detect_secrets/filters/heuristic.py
@@ -195,3 +195,11 @@ def is_lock_file(filename: str) -> bool:
         'Podfile.lock',
         'yarn.lock',
     }
+
+
+def is_not_alphanumeric_string(secret: str) -> bool:
+    """
+    This assumes that secrets should have at least ONE letter in them.
+    This helps avoid clear false positives, like `*****`.
+    """
+    return not bool(set(string.ascii_letters) & set(secret))
diff --git a/detect_secrets/settings.py b/detect_secrets/settings.py
@@ -119,6 +119,7 @@ def clear(self) -> None:
                 'detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign',
                 'detect_secrets.filters.heuristic.is_indirect_reference',
                 'detect_secrets.filters.heuristic.is_lock_file',
+                'detect_secrets.filters.heuristic.is_not_alphanumeric_string',
             }
         }
 
diff --git a/docs/filters.md b/docs/filters.md
@@ -51,6 +51,7 @@ the `detect_secrets.filters` namespace.
 | `heuristic.is_likely_id_string`                  | Ignores secret values prefixed with `id`.                                           |
 | `heuristic.is_lock_file`                         | Ignores common lock files.                                                          |
 | `heuristic.is_non_text_file`                     | Ignores non-text files (e.g. archives, images).                                     |
+| `heuristic.is_not_alphanumeric_string`           | Ignores secrets that do not have a single alphanumeric character in it.             |
 | `heuristic.is_potential_uuid`                    | Ignores uuid looking secret values.                                                 |
 | `heuristic.is_prefixed_with_dollar_sign`         | Primarily for `KeywordDetector`, filters secrets like `secret = $variableName;`.    |
 | `heuristic.is_sequential_string`                 | Ignores secrets like `abcdefg`.                                                     |
diff --git a/tests/filters/heuristic_filter_test.py b/tests/filters/heuristic_filter_test.py
@@ -130,3 +130,14 @@ def test_is_lock_file():
 
     # assert non-regex
     assert not filters.heuristic.is_lock_file('Gemfilealock')
+
+
+@pytest.mark.parametrize(
+    'secret, result',
+    (
+        ('*****', True),
+        ('a&b23?!', False),
+    ),
+)
+def test_is_not_alphanumeric_string(secret, result):
+    assert filters.heuristic.is_not_alphanumeric_string(secret) is result

Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,7 @@ def clear(self) -> None:`
`119`	`119`	`'detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign',`
`120`	`120`	`'detect_secrets.filters.heuristic.is_indirect_reference',`
`121`	`121`	`'detect_secrets.filters.heuristic.is_lock_file',`
	`122`	`+ 'detect_secrets.filters.heuristic.is_not_alphanumeric_string',`
`122`	`123`	`}`
`123`	`124`	`}`
`124`	`125`