Merge pull request #1095 from GitGuardian/amascia/nhi-651/add-nhi-option

feat(nhi): add secret is_vaulted info in ggshield output

Author: agateau-gg

changelog.d/20250507_145529_achille.mascia_add_nhi_option.md

@@ -0,0 +1,42 @@
+<!--
+A new scriv changelog fragment.
+
+Uncomment the section that is right (remove the HTML comment wrapper).
+For top level release notes, leave all the headers commented out.
+-->
+
+<!--
+### Removed
+
+- A bullet item for the Removed category.
+
+-->
+
+### Added
+
+- Added a new section in ggshield's outputs (text and json) to notify if a secret is in one of the accounts' secrets managers.
+
+<!--
+### Changed
+
+- A bullet item for the Changed category.
+
+-->
+<!--
+### Deprecated
+
+- A bullet item for the Deprecated category.
+
+-->
+<!--
+### Fixed
+
+- A bullet item for the Fixed category.
+
+-->
+<!--
+### Security
+
+- A bullet item for the Security category.
+
+-->

doc/schemas/secret.json

@@ -96,6 +96,9 @@
               "known_secret": {
                 "type": "boolean"
               },
+              "secret_vaulted": {
+                "type": "boolean"
+              },
               "occurrences": {
                 "type": "array",
                 "items": {

ggshield/verticals/secret/output/schemas.py

@@ -22,6 +22,7 @@ class FlattenedPolicyBreak(BaseSchema):
     incident_details = fields.Nested(SecretIncidentSchema)
     known_secret = fields.Bool(required=True, dump_default=False)
     ignore_reason = fields.Nested(IgnoreReasonSchema, dump_default=None)
+    secret_vaulted = fields.Bool(required=True, dump_default=False)
 
 
 class JSONResultSchema(BaseSchema):

ggshield/verticals/secret/output/secret_json_output_handler.py

@@ -141,6 +141,8 @@ def serialized_secret(
                 secrets[0].ignore_reason
             )
 
+        if secrets[0].is_vaulted:
+            flattened_dict["secret_vaulted"] = secrets[0].is_vaulted
         for secret in secrets:
             flattened_dict["occurrences"].extend(self.serialize_secret_matches(secret))
 

ggshield/verticals/secret/output/secret_sarif_output_handler.py

@@ -83,6 +83,7 @@ def _create_sarif_result_dict(
         markdown_message = f"Secret detected: [{secret.detector_display_name}]({secret.documentation_url})"
     else:
         markdown_message = f"Secret detected: {secret.detector_display_name}"
+    markdown_message += f"\nSecret in Secrets Manager: {secret.is_vaulted}"
     markdown_message += f"\nMatches:\n{matches_li}"
 
     # Create dict

ggshield/verticals/secret/output/secret_text_output_handler.py

@@ -305,8 +305,9 @@ def secret_header(
 {start_line} Secret detected: {secret_type}{validity_msg}
 {indent}Occurrences: {number_occurrences}
 {indent}Known by GitGuardian dashboard: {"YES" if known_secret else "NO"}
-{indent}Incident URL: {secrets[0].incident_url if known_secret and secret.incident_url else "N/A"}
+{indent}Incident URL: {secret.incident_url if known_secret and secret.incident_url else "N/A"}
 {indent}Secret SHA: {ignore_sha}
+{indent}Secret in Secrets Manager: {secret.is_vaulted}
 """
     if secret.documentation_url is not None:
         message += f"{indent}Detector documentation: {secret.documentation_url}\n"

ggshield/verticals/secret/secret_scan_collection.py

@@ -93,6 +93,7 @@ class Secret:
     matches: List[ExtendedMatch]
     ignore_reason: Optional[IgnoreReason]
     diff_kind: Optional[DiffKind]
+    is_vaulted: bool
 
     @property
     def policy(self) -> str:
@@ -199,6 +200,7 @@ def from_scan_result(
                 ],
                 ignore_reason=ignore_reason,
                 diff_kind=policy_break.diff_kind,
+                is_vaulted=policy_break.is_vaulted,
             )
             for policy_break, ignore_reason in to_keep
         ]

pdm.lock

@@ -41,7 +41,7 @@ dependencies = [
     "marshmallow~=3.18.0",
     "marshmallow-dataclass~=8.5.8",
     "oauthlib~=3.2.1",
-    "pygitguardian~=1.21.0",
+    "pygitguardian @ git+https://github.com/GitGuardian/py-gitguardian.git@2f6da32f01c6e2dc5eaf4eccf9104a846ea7ca70",
     "pyjwt~=2.6.0",
     "python-dotenv~=0.21.0",
     "pyyaml~=6.0.1",

pyproject.toml

@@ -67,6 +67,7 @@ class Meta:
     known_secret = False
     incident_url = None
     is_excluded = False
+    is_vaulted = False
     exclude_reason = None
     diff_kind = None
     content = factory.Faker("text")
@@ -109,3 +110,4 @@ class Meta:
     matches = []
     ignore_reason = None
     diff_kind = None
+    is_vaulted = False