Merge pull request #1147 from GitGuardian/kevinwestphal/handle-invalid-symlink

6d7a · web-flow · commit a4076b92fb9b · 2025-11-13T11:15:47.000+01:00
Handle Invalid Symlinks During Scans
diff --git a/changelog.d/20251113_095159_kevin.westphal_handle_invalid_symlink.md b/changelog.d/20251113_095159_kevin.westphal_handle_invalid_symlink.md
@@ -0,0 +1,42 @@
+<!--
+A new scriv changelog fragment.
+
+Uncomment the section that is right (remove the HTML comment wrapper).
+For top level release notes, leave all the headers commented out.
+-->
+
+<!--
+### Removed
+
+- A bullet item for the Removed category.
+
+-->
+<!--
+### Added
+
+- A bullet item for the Added category.
+
+-->
+<!--
+### Changed
+
+- A bullet item for the Changed category.
+
+-->
+<!--
+### Deprecated
+
+- A bullet item for the Deprecated category.
+
+-->
+
+### Fixed
+
+- Skip invalid symlinks with warning during scans.
+<!--
+
+### Security
+
+- A bullet item for the Security category.
+
+-->
diff --git a/ggshield/verticals/secret/secret_scanner.py b/ggshield/verticals/secret/secret_scanner.py
@@ -161,6 +161,9 @@ def _start_scans(
             except NonSeekableFileError:
                 scanner_ui.on_skipped(scannable, "file cannot be seeked")
                 continue
+            except FileNotFoundError:
+                scanner_ui.on_skipped(scannable, "file not found")
+                continue
 
             if content:
                 if (
diff --git a/tests/functional/conftest.py b/tests/functional/conftest.py
@@ -107,7 +107,6 @@ def _start_no_quota_gitguardian_api(host: str, port: int):
 
 
 @pytest.fixture
-@pytest.mark.allow_hosts(["localhost"])
 def slow_gitguardian_api() -> Generator[str, None, None]:
     host, port = "localhost", 8123
     server_process = Process(target=_start_slow_gitguardian_api, args=(host, port))
@@ -120,7 +119,6 @@ def slow_gitguardian_api() -> Generator[str, None, None]:
 
 
 @pytest.fixture
-@pytest.mark.allow_hosts(["localhost"])
 def no_quota_gitguardian_api() -> Generator[str, None, None]:
     host, port = "localhost", 8124
     server_process = Process(target=_start_no_quota_gitguardian_api, args=(host, port))
diff --git a/tests/unit/verticals/secret/test_secret_scanner.py b/tests/unit/verticals/secret/test_secret_scanner.py
@@ -134,6 +134,7 @@ def test_scan_patch(client, cache, name: str, input_patch: str, expected: Expect
         "EMPTY",
         "TOO_BIG",
         "BINARY",
+        "FILE_NOT_FOUND",
     ],
 )
 def test_scanner_skips_unscannable_files(client, fs, cache, unscannable_type: str):
@@ -151,6 +152,8 @@ def test_scanner_skips_unscannable_files(client, fs, cache, unscannable_type: st
         mock.is_longer_than.return_value = True
     elif unscannable_type == "BINARY":
         mock.is_longer_than.side_effect = DecodeError
+    elif unscannable_type == "FILE_NOT_FOUND":
+        mock.is_longer_than.side_effect = FileNotFoundError
 
     scanner_ui = Mock(spec=ScannerUI)
 
