Configuration source misleading and can't easily be specified #367

Open
rbailey-godaddy opened this issue Jul 7, 2022 · 0 comments
Labels
bug Something isn't working

@rbailey-godaddy (Contributor)
🐛 Bug Report

It's well-established that tartufo will examine configuration files in the target repository in order to parameterize a scan, but it is not possible to specify what version of those files actually get used. I polled my team regarding this behavior and they regard it as a bug rather than a feature. Basically:

  • tartufo scan-remote-repo uses the configuration that is in the "default" branch of the repository (i.e. the one that is checked out by default when a clone operation completes)
  • tartufo scan-local-repo uses the configuration that is current in the local working directory (which might well be the "default" branch in the context of a CICD workflow)
  • Using the --branch option has no effect on this behavior -- it controls only which commits are scanned

An additional parameter, such as --config-branch foo, should be provided to address the use case elaborated below.

To Reproduce

  1. Pick any arbitrary repository that has been configured to use tartufo
  2. Create a new branch (such as "test") and check it out
  3. Create a file with a forbidden expression or a high-entropy string
  4. Commit the file
  5. tartufo scan-local-repo . will report an issue
  6. Add the exclusion to the configuration file (i.e. pyproject.toml)
  7. Commit the configuration file
  8. tartufo scan-local-repo . will not report the issue
  9. Check out a different branch (for example, main)
  10. tartufo scan-local-repo . reports the issue
  11. tartufo scan-local-repo --branch test . reports the issue (use the branch created above)

Although the configuration is properly updated in the repository, it is ignored unless it happens to be in the current branch.

Expected Behavior

It should be possible to scan a repository using the configuration in a specified branch. This behavior should be independent of the decision to restrict the scope of a scan to a particular branch (with --branch).

In particular, if I have a new branch that contains both "false-positive" issues and exclusions permitting them, it should be possible to specify that branch for configuration retrieval and perform a full-repository scan which passes, instead of spuriously failing because configuration from a different branch was chosen outside of my control.

@rbailey-godaddy rbailey-godaddy added the bug Something isn't working label Jul 7, 2022
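The workaround a practitioner would reach for today, as an added example that is not part of the issue text or of tartufo's own code: pull pyproject.toml from the desired branch with git show and hand it to tartufo through its global --config FILE option, so the configuration branch and the --branch scan scope are chosen independently. That --config reads a TOML file with a [tool.tartufo] table, and that it overrides any config found in the target repository, is an assumption about the tartufo CLI; nothing on this page confirms it. The repository built by make_demo_repo, the config contents and the planted "secret" are constructed to mirror the reproduction steps above and are not real data.

```python
"""Read tartufo's config from a chosen branch instead of the working tree.

Added example (not tartufo's code and not from the issue's author). Assumes:
- tartufo's global ``--config FILE`` option reads a TOML file carrying a
  ``[tool.tartufo]`` table and takes precedence over repo config (assumption);
- ``git show <branch>:<path>`` prints the committed version of a file.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional

# Constructed configs: the base one has no exclusion; the branch adds one.
BASE_CONFIG = "[tool.tartufo]\nentropy = true\nregex = true\n"
EXCLUDING_CONFIG = BASE_CONFIG + "exclude-path-patterns = ['notes\\.txt']\n"
# Constructed high-entropy-looking value; not a real credential.
FAKE_SECRET = "token = 'Zm9vYmFyYmF6cXV4Y29ycmVjdGhvcnNlYmF0dGVyeXN0YXBsZQ=='\n"


def git(repo: Path, *args: str) -> str:
    """Run git inside repo with a throwaway identity; return stdout."""
    cmd = ["git", "-C", str(repo), "-c", "user.name=demo",
           "-c", "user.email=demo@example.invalid", *args]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def make_demo_repo(path: Path) -> Path:
    """Build the issue's scenario: main lacks the exclusion, branch 'test' has it.

    Leaves 'main' checked out, so the working-tree pyproject.toml is the old one
    (step 9 of the reproduction).
    """
    path.mkdir(parents=True, exist_ok=True)
    git(path, "init", "-q")
    git(path, "symbolic-ref", "HEAD", "refs/heads/main")
    (path / "pyproject.toml").write_text(BASE_CONFIG)
    git(path, "add", "pyproject.toml")
    git(path, "commit", "-q", "-m", "base tartufo config")
    git(path, "checkout", "-q", "-b", "test")               # step 2
    (path / "notes.txt").write_text(FAKE_SECRET)            # steps 3-4
    git(path, "add", "notes.txt")
    git(path, "commit", "-q", "-m", "add file that trips the scan")
    (path / "pyproject.toml").write_text(EXCLUDING_CONFIG)  # steps 6-7
    git(path, "add", "pyproject.toml")
    git(path, "commit", "-q", "-m", "exclude notes.txt")
    git(path, "checkout", "-q", "main")                     # step 9
    return path


def config_from_branch(repo: Path, branch: str,
                       rel_path: str = "pyproject.toml") -> str:
    """Return rel_path as committed on branch, ignoring what is checked out."""
    return git(repo, "show", f"{branch}:{rel_path}")


def build_scan_command(config_path: Path, repo: Path,
                       scan_branch: Optional[str] = None) -> List[str]:
    """tartufo argv: config pinned to a file, scan scope chosen separately."""
    cmd = ["tartufo", "--config", str(config_path), "scan-local-repo"]
    if scan_branch:
        cmd += ["--branch", scan_branch]
    cmd.append(str(repo))
    return cmd


def scan_with_config_branch(repo: Path, config_branch: str,
                            scan_branch: Optional[str] = None) -> int:
    """Pin config to config_branch, then scan the whole repo or scan_branch."""
    with tempfile.NamedTemporaryFile("w", suffix=".toml", delete=False) as tmp:
        tmp.write(config_from_branch(repo, config_branch))
    cmd = build_scan_command(Path(tmp.name), repo, scan_branch)
    return subprocess.run(cmd).returncode


if __name__ == "__main__":
    repo = make_demo_repo(Path(tempfile.mkdtemp()) / "demo")
    print("working tree (main):\n" + (repo / "pyproject.toml").read_text())
    print("committed on test:\n" + config_from_branch(repo, "test"))
    if shutil.which("tartufo"):
        # Config taken from 'test', scope = whole repository.
        print("tartufo exit code:", scan_with_config_branch(repo, "test"))
```

Running the script with main checked out prints a working-tree config without the exclusion and a branch config with it, which is exactly the mismatch the reproduction steps describe; the tartufo invocation itself runs only if the tool is installed.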