fix: skip scanning .cache for secrets (#5386)

* fix: skip scanning .cache for secrets * fix: add test * fix: force commit .cache fixture
netlify · Nov 17, 2023 · 97fd98c · 97fd98c
1 parent 5c48c0c
commit 97fd98c
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 1 deletion.
diff --git a/packages/build/src/plugins_core/secrets_scanning/utils.ts b/packages/build/src/plugins_core/secrets_scanning/utils.ts
@@ -87,7 +87,7 @@ export function getSecretKeysToScanFor(env: Record<string, unknown>, secretKeys:
  * @returns string[] of relative paths from base of files that should be searched
  */
 export async function getFilePathsToScan({ env, base }): Promise<string[]> {
-  const omitPathsAlways = ['.git/']
+  const omitPathsAlways = ['.git/', '.cache/']
 
   // node modules is dense and is only useful to scan if the repo itself commits these
   // files. As a simple check to understand if the repo would commit these files, we expect

diff --git a/...d/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/.cache/some-cache/data.txt b/...d/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/.cache/some-cache/data.txt
@@ -0,0 +1,2 @@
+"val1-val1-val1"
+"val2-val2-val2"
diff --git a/packages/build/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/netlify.toml b/packages/build/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/netlify.toml
@@ -0,0 +1,8 @@
+[build]
+  command = 'cp -r ./src/static-files ./dist'
+  publish = "./dist"
+
+[build.environment]
+  ENV_VAR_1 = "val1-val1-val1"
+  ENV_VAR_2 = "val2-val2-val2"
+  SECRETS_SCAN_OMIT_PATHS = "netlify.toml"
diff --git a/...ages/build/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/src/some-file.txt b/...ages/build/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/src/some-file.txt
@@ -0,0 +1 @@
+safe-val
diff --git a/...ests/secrets_scanning/fixtures/src_scanning_omit_cache_path/src/static-files/static-a.txt b/...ests/secrets_scanning/fixtures/src_scanning_omit_cache_path/src/static-files/static-a.txt
@@ -0,0 +1 @@
+not secret val
diff --git a/packages/build/tests/secrets_scanning/tests.js b/packages/build/tests/secrets_scanning/tests.js
@@ -77,3 +77,10 @@ test('secrets scanning, should not fail if the secrets values are not detected i
     .runWithBuild()
   t.true(output.includes(`No secrets detected in build output or repo code!`))
 })
+
+test.only('secrets scanning should not scan .cache/ directory', async (t) => {
+  const output = await new Fixture('./fixtures/src_scanning_omit_cache_path')
+    .withFlags({ debug: false, explicitSecretKeys: 'ENV_VAR_1,ENV_VAR_2' })
+    .runWithBuild()
+  t.true(output.includes(`No secrets detected in build output or repo code!`))
+})