diff --git a/packages/build/src/plugins_core/secrets_scanning/utils.ts b/packages/build/src/plugins_core/secrets_scanning/utils.ts
index 6ef31c0add..5c4855cb5c 100644
--- a/packages/build/src/plugins_core/secrets_scanning/utils.ts
+++ b/packages/build/src/plugins_core/secrets_scanning/utils.ts
@@ -87,7 +87,7 @@ export function getSecretKeysToScanFor(env: Record, secretKeys:
 * @returns string[] of relative paths from base of files that should be searched
 */
 export async function getFilePathsToScan({ env, base }): Promise {
- const omitPathsAlways = ['.git/']
+ const omitPathsAlways = ['.git/', '.cache/']
 
 // node modules is dense and is only useful to scan if the repo itself commits these
 // files. As a simple check to understand if the repo would commit these files, we expect
diff --git a/packages/build/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/.cache/some-cache/data.txt b/packages/build/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/.cache/some-cache/data.txt
new file mode 100644
index 0000000000..677477b509
--- /dev/null
+++ b/packages/build/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/.cache/some-cache/data.txt
@@ -0,0 +1,2 @@
+"val1-val1-val1"
+"val2-val2-val2"
\ No newline at end of file
diff --git a/packages/build/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/netlify.toml b/packages/build/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/netlify.toml
new file mode 100644
index 0000000000..1eaa7e015a
--- /dev/null
+++ b/packages/build/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/netlify.toml
@@ -0,0 +1,8 @@
+[build]
+ command = 'cp -r ./src/static-files ./dist'
+ publish = "./dist"
+
+[build.environment]
+ ENV_VAR_1 = "val1-val1-val1"
+ ENV_VAR_2 = "val2-val2-val2"
+ SECRETS_SCAN_OMIT_PATHS = "netlify.toml"
\ No newline at end of file
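Review bot: The new `.cache/` entry in `omitPathsAlways` is an unconditional exclusion from secret scanning with no comment explaining why that directory can never carry secret values, while the context lines directly below spell out the reasoning for node_modules. Anything a build writes or a repository commits under `.cache/` now passes the scan silently (this commit's own fixture places env-var values in `.cache/some-cache/data.txt`), so the justification and the match scope belong next to the literal, e.g. `// .cache/ is skipped unconditionally like .git/; document why its contents cannot carry secret values and whether nested .cache/ directories are also matched`. Whether the prefix matches only the repo root or any nested `.cache/` directory is not visible here, because `getFilePathsToScan` continues outside the hunk. If `.cache/` is only safe to skip when it is not committed, the committed-check described for node_modules would be the safer shape for it too.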
diff --git a/packages/build/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/src/some-file.txt b/packages/build/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/src/some-file.txt
new file mode 100644
index 0000000000..9e17ce1142
--- /dev/null
+++ b/packages/build/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/src/some-file.txt
@@ -0,0 +1 @@
+safe-val
diff --git a/packages/build/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/src/static-files/static-a.txt b/packages/build/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/src/static-files/static-a.txt
new file mode 100644
index 0000000000..88132c9912
--- /dev/null
+++ b/packages/build/tests/secrets_scanning/fixtures/src_scanning_omit_cache_path/src/static-files/static-a.txt
@@ -0,0 +1 @@
+not secret val
diff --git a/packages/build/tests/secrets_scanning/tests.js b/packages/build/tests/secrets_scanning/tests.js
index 919a252730..dd27be32ce 100644
--- a/packages/build/tests/secrets_scanning/tests.js
+++ b/packages/build/tests/secrets_scanning/tests.js
@@ -77,3 +77,10 @@ test('secrets scanning, should not fail if the secrets values are not detected i
 .runWithBuild()
 t.true(output.includes(`No secrets detected in build output or repo code!`))
 })
+
+test.only('secrets scanning should not scan .cache/ directory', async (t) => {
+ const output = await new Fixture('./fixtures/src_scanning_omit_cache_path')
+ .withFlags({ debug: false, explicitSecretKeys: 'ENV_VAR_1,ENV_VAR_2' })
+ .runWithBuild()
+ t.true(output.includes(`No secrets detected in build output or repo code!`))
+})
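Review bot: `test.only(` on the new test at the end of the tests.js hunk will make the runner skip every other test in this file once merged, so the existing secrets-scanning coverage stops executing; it should be `test('secrets scanning should not scan .cache/ directory', async (t) => {`. The assertion only checks for the success message, so the test would also pass if scanning were disabled altogether rather than `.cache/` being excluded; a twin fixture with the same values outside `.cache/` asserting that they are detected would pin the intended behaviour, unless the earlier tests in this file already cover that. The fixture hunks are test data and need no change.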