feat(nhi): add secret is_vaulted info in ggshield output

Author: amascia-gg

changelog.d/20250507_145529_achille.mascia_add_nhi_option.md

@@ -0,0 +1,42 @@
+<!--
+A new scriv changelog fragment.
+
+Uncomment the section that is right (remove the HTML comment wrapper).
+For top level release notes, leave all the headers commented out.
+-->
+
+<!--
+### Removed
+
+- A bullet item for the Removed category.
+
+-->
+
+### Added
+
+- Added a new section in ggshield's outputs (text and json) to notify if a secret is in one of the accounts' secrets managers.
+
+<!--
+### Changed
+
+- A bullet item for the Changed category.
+
+-->
+<!--
+### Deprecated
+
+- A bullet item for the Deprecated category.
+
+-->
+<!--
+### Fixed
+
+- A bullet item for the Fixed category.
+
+-->
+<!--
+### Security
+
+- A bullet item for the Security category.
+
+-->

doc/schemas/secret.json

@@ -96,6 +96,9 @@
               "known_secret": {
                 "type": "boolean"
               },
+              "secret_vaulted": {
+                "type": "boolean"
+              },
               "occurrences": {
                 "type": "array",
                 "items": {

ggshield/verticals/secret/output/schemas.py

@@ -22,6 +22,7 @@ class FlattenedPolicyBreak(BaseSchema):
     incident_details = fields.Nested(SecretIncidentSchema)
     known_secret = fields.Bool(required=True, dump_default=False)
     ignore_reason = fields.Nested(IgnoreReasonSchema, dump_default=None)
+    secret_vaulted = fields.Bool(required=True, dump_default=False)
 
 
 class JSONResultSchema(BaseSchema):

ggshield/verticals/secret/output/secret_json_output_handler.py

@@ -141,6 +141,8 @@ def serialized_secret(
                 secrets[0].ignore_reason
             )
 
+        if secrets[0].is_vaulted:
+            flattened_dict["secret_vaulted"] = secrets[0].is_vaulted
         for secret in secrets:
             flattened_dict["occurrences"].extend(self.serialize_secret_matches(secret))
 

ggshield/verticals/secret/output/secret_sarif_output_handler.py

@@ -83,6 +83,7 @@ def _create_sarif_result_dict(
         markdown_message = f"Secret detected: [{secret.detector_display_name}]({secret.documentation_url})"
     else:
         markdown_message = f"Secret detected: {secret.detector_display_name}"
+    markdown_message += f"\nSecret in Secrets Manager: {secret.is_vaulted}"
     markdown_message += f"\nMatches:\n{matches_li}"
 
     # Create dict

ggshield/verticals/secret/output/secret_text_output_handler.py

@@ -305,8 +305,9 @@ def secret_header(
 {start_line} Secret detected: {secret_type}{validity_msg}
 {indent}Occurrences: {number_occurrences}
 {indent}Known by GitGuardian dashboard: {"YES" if known_secret else "NO"}
-{indent}Incident URL: {secrets[0].incident_url if known_secret and secret.incident_url else "N/A"}
+{indent}Incident URL: {secret.incident_url if known_secret and secret.incident_url else "N/A"}
 {indent}Secret SHA: {ignore_sha}
+{indent}Secret in Secrets Manager: {secret.is_vaulted}
 """
     if secret.documentation_url is not None:
         message += f"{indent}Detector documentation: {secret.documentation_url}\n"

ggshield/verticals/secret/secret_scan_collection.py

@@ -93,6 +93,7 @@ class Secret:
     matches: List[ExtendedMatch]
     ignore_reason: Optional[IgnoreReason]
     diff_kind: Optional[DiffKind]
+    is_vaulted: bool
 
     @property
     def policy(self) -> str:
@@ -199,6 +200,7 @@ def from_scan_result(
                 ],
                 ignore_reason=ignore_reason,
                 diff_kind=policy_break.diff_kind,
+                is_vaulted=policy_break.is_vaulted,
             )
             for policy_break, ignore_reason in to_keep
         ]

tests/factories.py

@@ -67,6 +67,7 @@ class Meta:
     known_secret = False
     incident_url = None
     is_excluded = False
+    is_vaulted = False
     exclude_reason = None
     diff_kind = None
     content = factory.Faker("text")
@@ -109,3 +110,4 @@ class Meta:
     matches = []
     ignore_reason = None
     diff_kind = None
+    is_vaulted = False

tests/unit/verticals/secret/output/snapshots/snap_test_text_output.py

@@ -15,6 +15,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 38d9d3464520ed68f18d16e640a4a8b37ef5b17608b455267d100aa487ead314
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/facebook_access_token
 
     | @@ -0,0 +1 @@
@@ -34,6 +35,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 38d9d3464520ed68f18d16e640a4a8b37ef5b17608b455267d100aa487ead314
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/facebook_access_token
 
     | @@ -0,0 +1 @@
@@ -55,6 +57,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 38d9d3464520ed68f18d16e640a4a8b37ef5b17608b455267d100aa487ead314
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/facebook_access_token
 
     | @@ -0,0 +1 @@
@@ -76,6 +79,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 38d9d3464520ed68f18d16e640a4a8b37ef5b17608b455267d100aa487ead314
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/facebook_access_token
 
     | @@ -0,0 +1 @@
@@ -95,6 +99,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 38d9d3464520ed68f18d16e640a4a8b37ef5b17608b455267d100aa487ead314
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/facebook_access_token
 
     | @@ -0,0 +1 @@
@@ -114,6 +119,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 38d9d3464520ed68f18d16e640a4a8b37ef5b17608b455267d100aa487ead314
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/facebook_access_token
 
     | @@ -0,0 +1 @@
@@ -135,6 +141,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 38d9d3464520ed68f18d16e640a4a8b37ef5b17608b455267d100aa487ead314
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/facebook_access_token
 
     | @@ -0,0 +1 @@
@@ -156,6 +163,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 38d9d3464520ed68f18d16e640a4a8b37ef5b17608b455267d100aa487ead314
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/facebook_access_token
 
     | @@ -0,0 +1 @@
@@ -175,6 +183,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 38d9d3464520ed68f18d16e640a4a8b37ef5b17608b455267d100aa487ead314
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/facebook_access_token
 
     | @@ -0,0 +2 @@
@@ -194,6 +203,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 38d9d3464520ed68f18d16e640a4a8b37ef5b17608b455267d100aa487ead314
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/facebook_access_token
 
     | @@ -0,0 +2 @@
@@ -215,6 +225,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 38d9d3464520ed68f18d16e640a4a8b37ef5b17608b455267d100aa487ead314
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/facebook_access_token
 
     | @@ -0,0 +2 @@
@@ -236,6 +247,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 38d9d3464520ed68f18d16e640a4a8b37ef5b17608b455267d100aa487ead314
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/facebook_access_token
 
     | @@ -0,0 +2 @@
@@ -255,6 +267,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 1945f4a0c42abb19c1a420ddd09b4b4681249a3057c427b95f794b18595e7ffa
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/facebook_access_token
 
     | @@ -0,0 +1,29 @@
@@ -270,6 +283,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 060bf63de122848f5efa122fe6cea504aae3b24cea393d887fdefa1529c6a02e
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/private_key_rsa
 
     | @@ -0,0 +1,29 @@
@@ -289,6 +303,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 530e5a4a7ea00814db8845dd0cae5efaa4b974a3ce1c76d0384ba715248a5dc1
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/sendgrid_key
 
   7 | +**********************+*****************************************
@@ -307,6 +322,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 1945f4a0c42abb19c1a420ddd09b4b4681249a3057c427b95f794b18595e7ffa
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/facebook_access_token
 
     | @@ -0,0 +1,29 @@
@@ -322,6 +338,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 060bf63de122848f5efa122fe6cea504aae3b24cea393d887fdefa1529c6a02e
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/private_key_rsa
 
     | @@ -0,0 +1,29 @@
@@ -341,6 +358,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 530e5a4a7ea00814db8845dd0cae5efaa4b974a3ce1c76d0384ba715248a5dc1
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/sendgrid_key
 
   7 | +bLaA/DCNPniBAiA0l//bzg+M3srIhm04xzLdR9Vb9IjPRlkvN074zdKDVwIhAKJb
@@ -361,6 +379,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 1945f4a0c42abb19c1a420ddd09b4b4681249a3057c427b95f794b18595e7ffa
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/facebook_access_token
 
     | @@ -0,0 +1,29 @@
@@ -376,6 +395,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 060bf63de122848f5efa122fe6cea504aae3b24cea393d887fdefa1529c6a02e
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/private_key_rsa
 
     | @@ -0,0 +1,29 @@
@@ -395,6 +415,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 530e5a4a7ea00814db8845dd0cae5efaa4b974a3ce1c76d0384ba715248a5dc1
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/sendgrid_key
 
   7 | +**********************+*****************************************
@@ -415,6 +436,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 1945f4a0c42abb19c1a420ddd09b4b4681249a3057c427b95f794b18595e7ffa
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/facebook_access_token
 
     | @@ -0,0 +1,29 @@
@@ -430,6 +452,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 060bf63de122848f5efa122fe6cea504aae3b24cea393d887fdefa1529c6a02e
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/private_key_rsa
 
     | @@ -0,0 +1,29 @@
@@ -449,6 +472,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 530e5a4a7ea00814db8845dd0cae5efaa4b974a3ce1c76d0384ba715248a5dc1
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/sendgrid_key
 
   7 | +bLaA/DCNPniBAiA0l//bzg+M3srIhm04xzLdR9Vb9IjPRlkvN074zdKDVwIhAKJb
@@ -467,6 +491,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 060bf63de122848f5efa122fe6cea504aae3b24cea393d887fdefa1529c6a02e
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/private_key_rsa
 
       | @@ -0,0 +1,29 @@
@@ -493,6 +518,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 060bf63de122848f5efa122fe6cea504aae3b24cea393d887fdefa1529c6a02e
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/private_key_rsa
 
       | @@ -0,0 +1,29 @@
@@ -521,6 +547,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 060bf63de122848f5efa122fe6cea504aae3b24cea393d887fdefa1529c6a02e
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/private_key_rsa
 
       | @@ -0,0 +1,29 @@
@@ -549,6 +576,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 060bf63de122848f5efa122fe6cea504aae3b24cea393d887fdefa1529c6a02e
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/private_key_rsa
 
       | @@ -0,0 +1,29 @@
@@ -575,6 +603,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 2b5840babacb6f089ddcce1fe5a56b803f8b1f636c6f44cdbf14b0c77a194c93
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/github_access_token
 
     | @@ -0,0 +1 @@
@@ -592,6 +621,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 2b5840babacb6f089ddcce1fe5a56b803f8b1f636c6f44cdbf14b0c77a194c93
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/github_access_token
 
     | @@ -0,0 +1 @@
@@ -611,6 +641,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 2b5840babacb6f089ddcce1fe5a56b803f8b1f636c6f44cdbf14b0c77a194c93
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/github_access_token
 
     | @@ -0,0 +1 @@
@@ -630,6 +661,7 @@
    Known by GitGuardian dashboard: NO
    Incident URL: N/A
    Secret SHA: 2b5840babacb6f089ddcce1fe5a56b803f8b1f636c6f44cdbf14b0c77a194c93
+   Secret in Secrets Manager: False
    Detector documentation: https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/github_access_token
 
     | @@ -0,0 +1 @@