(fixtures, fuzzy_rule_match)
| 1 | |
| 2 | def test_secret_finder(fixtures, fuzzy_rule_match): |
| 3 | output = fixtures.scan_test_file('secrets.py') |
| 4 | |
| 5 | assert len(output['detections']) > 0 |
| 6 | |
| 7 | matches = [ |
| 8 | { |
| 9 | 'type': 'LeakingSecret', |
| 10 | 'extra': { |
| 11 | 'name': 'user1', |
| 12 | 'secret': 'pass1' |
| 13 | }, |
| 14 | 'line': "requests.get('https://api.github.com/user', auth=HTTPBasicAuth('user1', 'pass1'))" |
| 15 | }, |
| 16 | { |
| 17 | 'type': 'LeakingSecret', |
| 18 | 'extra': { |
| 19 | 'name': 'super_password', |
| 20 | 'secret': 'letmein' |
| 21 | }, |
| 22 | "line": 'super_password = "letmein"' |
| 23 | }, |
| 24 | { |
| 25 | 'type': 'LeakingSecret', |
| 26 | 'extra': { |
| 27 | 'name': 'auth_token', |
| 28 | 'secret': 'RATATATAXXX' |
| 29 | }, |
| 30 | "line": "requests.get('https://api.github.com/user?auth_token=RATATATAXXX', auth=('user2', 'pass2'))" |
| 31 | }, |
| 32 | { |
| 33 | 'type': 'LeakingSecret', |
| 34 | 'extra': { |
| 35 | 'name': 'password', |
| 36 | 'secret': 'cmp_toor' |
| 37 | }, |
| 38 | "line": 'if password == "cmp_toor":' |
| 39 | } |
| 40 | ] |
| 41 | |
| 42 | for x in matches: |
| 43 | assert any(fuzzy_rule_match(h, x) for h in output['detections']), x |
| 44 | |
| 45 | no_match = [ |
| 46 | { |
| 47 | 'type': 'LeakingSecret', |
| 48 | 'extra': { |
| 49 | 'secret': 'secret_key_var' |
| 50 | } |
| 51 | } |
| 52 | ] |
| 53 | for x in no_match: |
| 54 | for h in output['detections']: |
| 55 | assert not fuzzy_rule_match(h, x) |
nothing calls this directly
no test coverage detected