GitGuardian · agateau-gg · Oct 25, 2024 · Oct 14, 2024 · Oct 24, 2024
@@ -64,8 +64,7 @@ def archive_cmd(
                 client=ctx_obj.client,
                 cache=ctx_obj.cache,
                 scan_context=scan_context,
-                ignored_matches=config.user_config.secret.ignored_matches,
-                ignored_detectors=config.user_config.secret.ignored_detectors,
+                secret_config=config.user_config.secret,
             )
             results = scanner.scan(files, scanner_ui=scanner_ui)
 

@@ -52,9 +52,7 @@ def changes_cmd(ctx: click.Context, **kwargs: Any) -> int:
         commit_list=commit_list,
         output_handler=create_output_handler(ctx),
         exclusion_regexes=ctx_obj.exclusion_regexes,
-        matches_ignore=config.user_config.secret.ignored_matches,
+        secret_config=config.user_config.secret,
         scan_context=scan_context,
-        ignored_detectors=config.user_config.secret.ignored_detectors,
         verbose=config.user_config.verbose,
-        include_staged=True,
     )
@@ -51,7 +51,6 @@ def ci_cmd(ctx: click.Context, **kwargs: Any) -> int:
         commit_list=commit_list,
         output_handler=create_output_handler(ctx),
         exclusion_regexes=ctx_obj.exclusion_regexes,
-        matches_ignore=config.user_config.secret.ignored_matches,
+        secret_config=config.user_config.secret,
         scan_context=scan_context,
-        ignored_detectors=config.user_config.secret.ignored_detectors,
     )
@@ -57,9 +57,8 @@ def docker_name_cmd(
             archive_path=archive,
             client=ctx_obj.client,
             cache=ctx_obj.cache,
-            matches_ignore=config.user_config.secret.ignored_matches,
+            secret_config=config.user_config.secret,
             scan_context=scan_context,
-            ignored_detectors=config.user_config.secret.ignored_detectors,
             verbose=config.user_config.verbose,
         )
 

@@ -44,9 +44,8 @@ def docker_archive_cmd(
         archive_path=archive,
         client=ctx_obj.client,
         cache=ctx_obj.cache,
-        matches_ignore=config.user_config.secret.ignored_matches,
+        secret_config=config.user_config.secret,
         scan_context=scan_context,
-        ignored_detectors=config.user_config.secret.ignored_detectors,
     )
 
     return output_handler.process_scan(scan)
@@ -76,9 +76,8 @@ def docset_cmd(
         scanner = SecretScanner(
             client=ctx_obj.client,
             cache=ctx_obj.cache,
-            ignored_matches=config.user_config.secret.ignored_matches,
+            secret_config=config.user_config.secret,
             scan_context=scan_context,
-            ignored_detectors=config.user_config.secret.ignored_detectors,
         )
         scans = create_scans_from_docset_files(
             scanner=scanner,

@@ -81,9 +81,8 @@ def path_cmd(
         scanner = SecretScanner(
             client=ctx_obj.client,
             cache=ctx_obj.cache,
-            ignored_matches=config.user_config.secret.ignored_matches,
             scan_context=scan_context,
-            ignored_detectors=config.user_config.secret.ignored_detectors,
+            secret_config=config.user_config.secret,
         )
         results = scanner.scan(files, scanner_ui=scanner_ui)
     scan = SecretScanCollection(

@@ -66,12 +66,10 @@ def precommit_cmd(
         return 0
 
     output_handler = SecretTextOutputHandler(
-        show_secrets=config.user_config.secret.show_secrets,
         verbose=verbose,
         client=ctx_obj.client,
         output=None,
-        ignore_known_secrets=config.user_config.secret.ignore_known_secrets,
-        with_incident_details=config.user_config.secret.with_incident_details,
+        secret_config=config.user_config.secret,
     )
     check_git_dir()
 
@@ -94,8 +92,7 @@ def precommit_cmd(
         client=ctx_obj.client,
         cache=ctx_obj.cache,
         scan_context=scan_context,
-        ignored_matches=config.user_config.secret.ignored_matches,
-        ignored_detectors=config.user_config.secret.ignored_detectors,
+        secret_config=config.user_config.secret,
     )
     with ui.create_scanner_ui(len(commit.urls), verbose=verbose) as scanner_ui:
         results = scanner.scan(commit.get_files(), scanner_ui)

@@ -98,9 +98,8 @@ def prepush_cmd(ctx: click.Context, prepush_args: List[str], **kwargs: Any) -> i
         commit_list=commit_list,
         output_handler=create_output_handler(ctx),
         exclusion_regexes=ctx_obj.exclusion_regexes,
-        matches_ignore=config.user_config.secret.ignored_matches,
+        secret_config=config.user_config.secret,
         scan_context=scan_context,
-        ignored_detectors=config.user_config.secret.ignored_detectors,
     )
     if return_code:
         click.echo(

@@ -55,9 +55,8 @@ def _execute_prereceive(
             commit_list=commit_list,
             output_handler=output_handler,
             exclusion_regexes=exclusion_regexes,
-            matches_ignore=config.user_config.secret.ignored_matches,
+            secret_config=config.user_config.secret,
             scan_context=scan_context,
-            ignored_detectors=config.user_config.secret.ignored_detectors,
         )
         if return_code:
             click.echo(
@@ -95,8 +94,7 @@ def prereceive_cmd(
     if os.getenv("GL_PROTOCOL") == "web":
         # We are inside GitLab web UI
         output_handler = SecretGitLabWebUIOutputHandler(
-            show_secrets=config.user_config.secret.show_secrets,
-            ignore_known_secrets=config.user_config.secret.ignore_known_secrets,
+            secret_config=config.user_config.secret, verbose=False
         )
 
     if get_breakglass_option():

@@ -122,9 +122,8 @@ def pypi_cmd(
             scanner = SecretScanner(
                 client=ctx_obj.client,
                 cache=ctx_obj.cache,
-                ignored_matches=config.user_config.secret.ignored_matches,
+                secret_config=config.user_config.secret,
                 scan_context=scan_context,
-                ignored_detectors=config.user_config.secret.ignored_detectors,
             )
             results = scanner.scan(files, scanner_ui=scanner_ui)
         scan = SecretScanCollection(id=package_name, type="path_scan", results=results)

@@ -52,8 +52,7 @@ def range_cmd(
         commit_list=commit_list,
         output_handler=create_output_handler(ctx),
         exclusion_regexes=ctx_obj.exclusion_regexes,
-        matches_ignore=config.user_config.secret.ignored_matches,
+        secret_config=config.user_config.secret,
         scan_context=scan_context,
-        ignored_detectors=config.user_config.secret.ignored_detectors,
         verbose=config.user_config.verbose,
     )
@@ -159,10 +159,8 @@ def create_output_handler(ctx: click.Context) -> SecretOutputHandler:
     output_handler_cls = OUTPUT_HANDLER_CLASSES[ctx_obj.output_format]
     config = ctx_obj.config
     return output_handler_cls(
-        show_secrets=config.user_config.secret.show_secrets,
         verbose=config.user_config.verbose,
         client=ctx_obj.client,
         output=ctx_obj.output,
-        ignore_known_secrets=config.user_config.secret.ignore_known_secrets,
-        with_incident_details=config.user_config.secret.with_incident_details,
+        secret_config=config.user_config.secret,
     )
@@ -5,18 +5,18 @@
 from contextlib import contextmanager
 from dataclasses import dataclass
 from pathlib import Path
-from typing import Any, Dict, Generator, Iterable, List, Optional, Set
+from typing import Any, Dict, Generator, Iterable, List
 
 from click import UsageError
 from pygitguardian import GGClient
 
 from ggshield.core import ui
 from ggshield.core.cache import Cache
+from ggshield.core.config.user_config import SecretConfig
 from ggshield.core.dirs import get_cache_dir
 from ggshield.core.errors import UnexpectedError
 from ggshield.core.scan import ScanContext, Scannable, StringScannable
 from ggshield.core.scan.id_cache import IDCache
-from ggshield.core.types import IgnoredMatch
 from ggshield.utils.files import is_path_binary
 
 from .secret_scan_collection import SecretScanCollection
@@ -325,17 +325,15 @@ def docker_scan_archive(
     archive_path: Path,
     client: GGClient,
     cache: Cache,
-    matches_ignore: Iterable[IgnoredMatch],
+    secret_config: SecretConfig,
     scan_context: ScanContext,
-    ignored_detectors: Optional[Set[str]] = None,
     verbose: bool = False,
 ) -> SecretScanCollection:
     scanner = SecretScanner(
         client=client,
         cache=cache,
         scan_context=scan_context,
-        ignored_matches=matches_ignore,
-        ignored_detectors=ignored_detectors,
+        secret_config=secret_config,
     )
     secrets_engine_version = client.secrets_engine_version
     assert secrets_engine_version is not None

@@ -32,15 +32,6 @@ class SecretGitLabWebUIOutputHandler(SecretOutputHandler):
 
     use_stderr = True
 
-    def __init__(
-        self, show_secrets: bool = False, ignore_known_secrets: bool = False
-    ) -> None:
-        super().__init__(
-            show_secrets=show_secrets,
-            verbose=False,
-            ignore_known_secrets=ignore_known_secrets,
-        )
-
     def _process_scan_impl(self, scan: SecretScanCollection) -> str:
         results = list(scan.get_all_results())
         # If no secrets or no new secrets were found

@@ -5,32 +5,30 @@
 import click
 from pygitguardian import GGClient
 
+from ggshield.core.config.user_config import SecretConfig
 from ggshield.core.errors import ExitCode
 from ggshield.verticals.secret import SecretScanCollection
 
 
 class SecretOutputHandler(ABC):
-    show_secrets: bool = False
     verbose: bool = False
     client: Optional[GGClient] = None
     output: Optional[Path] = None
     use_stderr: bool = False
 
     def __init__(
         self,
-        show_secrets: bool,
         verbose: bool,
+        secret_config: SecretConfig,
         client: Optional[GGClient] = None,
         output: Optional[Path] = None,
-        ignore_known_secrets: bool = False,
-        with_incident_details: bool = False,
     ):
-        self.show_secrets = show_secrets
+        self.show_secrets = secret_config.show_secrets
         self.verbose = verbose
         self.client = client
         self.output = output
-        self.ignore_known_secrets = ignore_known_secrets
-        self.with_incident_details = with_incident_details
+        self.ignore_known_secrets = secret_config.ignore_known_secrets
+        self.with_incident_details = secret_config.with_incident_details
 
     def process_scan(self, scan: SecretScanCollection) -> ExitCode:
         """Process a scan collection, write the report to :attr:`self.output`

@@ -1,7 +1,7 @@
 import itertools
 from concurrent.futures import ThreadPoolExecutor, as_completed
 from pathlib import Path
-from typing import Callable, Iterable, Iterator, List, Optional, Pattern, Set
+from typing import Callable, Iterable, Iterator, List, Pattern, Set
 
 from click import UsageError
 from pygitguardian import GGClient
@@ -10,11 +10,11 @@
 from ggshield.core.cache import Cache
 from ggshield.core.client import check_client_api_key
 from ggshield.core.config import Config
+from ggshield.core.config.user_config import SecretConfig
 from ggshield.core.constants import MAX_WORKERS
 from ggshield.core.errors import ExitCode, QuotaLimitReachedError, handle_exception
 from ggshield.core.scan import Commit, ScanContext
 from ggshield.core.text_utils import STYLE, format_text
-from ggshield.core.types import IgnoredMatch
 from ggshield.utils.git_shell import get_list_commit_SHA, is_git_dir
 from ggshield.utils.os import cd
 
@@ -47,10 +47,9 @@ def scan_repo_path(
                 commit_list=get_list_commit_SHA("--all"),
                 output_handler=output_handler,
                 exclusion_regexes=exclusion_regexes,
-                matches_ignore=config.user_config.secret.ignored_matches,
                 scan_context=scan_context,
-                ignored_detectors=config.user_config.secret.ignored_detectors,
                 verbose=config.user_config.verbose,
+                secret_config=config.user_config.secret,
             )
     except Exception as error:
         return handle_exception(error, config.user_config.verbose)
@@ -60,11 +59,10 @@ def scan_commits_content(
     commits: List[Commit],
     client: GGClient,
     cache: Cache,
-    matches_ignore: Iterable[IgnoredMatch],
     scan_context: ScanContext,
+    secret_config: SecretConfig,
     progress_callback: Callable[[int], None],
     commit_scanned_callback: Callable[[Commit], None],
-    ignored_detectors: Optional[Set[str]] = None,
 ) -> SecretScanCollection:  # pragma: no cover
     try:
         commit_files = itertools.chain.from_iterable(c.get_files() for c in commits)
@@ -73,9 +71,8 @@ def scan_commits_content(
             client=client,
             cache=cache,
             scan_context=scan_context,
-            ignored_matches=matches_ignore,
-            ignored_detectors=ignored_detectors,
             check_api_key=False,  # Key has been checked in `scan_commit_range()`
+            secret_config=secret_config,
         )
         with ui.create_message_only_scanner_ui() as scanner_ui:
             results = scanner.scan(
@@ -156,9 +153,8 @@ def scan_commit_range(
     commit_list: List[str],
     output_handler: SecretOutputHandler,
     exclusion_regexes: Set[Pattern[str]],
-    matches_ignore: Iterable[IgnoredMatch],
     scan_context: ScanContext,
-    ignored_detectors: Optional[Set[str]] = None,
+    secret_config: SecretConfig,
     include_staged: bool = False,
     verbose: bool = False,
 ) -> ExitCode:
@@ -206,11 +202,10 @@ def commit_scanned_callback(commit: Commit):
                         commits,
                         client,
                         cache,
-                        matches_ignore,
                         scan_context,
+                        secret_config,
                         progress.advance,
                         commit_scanned_callback,
-                        ignored_detectors,
                     )
                 )
                 # Stop now if an exception has been raised by a future

@@ -4,14 +4,15 @@
 import sys
 from ast import literal_eval
 from concurrent.futures import Future
-from typing import Dict, Iterable, List, Optional, Set, Union
+from typing import Dict, Iterable, List, Optional, Union
 
 from pygitguardian import GGClient
 from pygitguardian.models import Detail, MultiScanResult
 
 from ggshield.core import ui
 from ggshield.core.cache import Cache
 from ggshield.core.client import check_client_api_key
+from ggshield.core.config.user_config import SecretConfig
 from ggshield.core.constants import MAX_WORKERS
 from ggshield.core.errors import handle_api_error
 from ggshield.core.filter import (
@@ -20,7 +21,6 @@
 )
 from ggshield.core.scan import DecodeError, ScanContext, Scannable
 from ggshield.core.text_utils import pluralize
-from ggshield.core.types import IgnoredMatch
 from ggshield.core.ui.scanner_ui import ScannerUI
 
 from .secret_scan_collection import Error, Result, Results
@@ -50,17 +50,16 @@ def __init__(
         client: GGClient,
         cache: Cache,
         scan_context: ScanContext,
-        ignored_matches: Optional[Iterable[IgnoredMatch]] = None,
-        ignored_detectors: Optional[Set[str]] = None,
+        secret_config: SecretConfig,
         check_api_key: Optional[bool] = True,
     ):
         if check_api_key:
             check_client_api_key(client)
 
         self.client = client
         self.cache = cache
-        self.ignored_matches = ignored_matches or []
-        self.ignored_detectors = ignored_detectors
+        self.ignored_matches = secret_config.ignored_matches or []
+        self.ignored_detectors = secret_config.ignored_detectors
         self.headers = scan_context.get_http_headers()
         self.command_id = scan_context.command_id