Merge pull request #1060 from GitGuardian/agateau/prepare-release

Prepare release

Author: agateau-gg

scripts/release

@@ -203,24 +203,27 @@ def run_tests() -> None:
     if "GITGUARDIAN_API_KEY" not in os.environ:
         fail("Environment variable $GITGUARDIAN_API_KEY is not set")
 
-    # If CASSETTES_DIR does not exist, tests fail, so recreate it
-    log_progress("Removing cassettes")
-    shutil.rmtree(CASSETTES_DIR)
-    CASSETTES_DIR.mkdir()
-
-    # Start the hashicorp Vault server for HMSL tests
-    start_hashicorp_vault_server()
-
-    log_progress("Running unit tests")
-    check_run(["pytest", "tests/unit"], cwd=ROOT_DIR)
-
-    log_progress("Running functional tests")
-    check_run(["pytest", "tests/functional"], cwd=ROOT_DIR)
-
-    log_progress("Restoring cassettes")
-    check_run(["git", "restore", CASSETTES_DIR], cwd=ROOT_DIR)
-
-    stop_hashicorp_vault_server()
+    try:
+        # If CASSETTES_DIR does not exist, tests fail, so recreate it
+        log_progress("Removing cassettes")
+        shutil.rmtree(CASSETTES_DIR)
+        CASSETTES_DIR.mkdir()
+
+        # Start the hashicorp Vault server for HMSL tests
+        log_progress("Starting Hashicorp server for HMSL tests")
+        start_hashicorp_vault_server()
+
+        log_progress("Running unit tests")
+        check_run(["pytest", "tests/unit"], cwd=ROOT_DIR)
+
+        log_progress("Running functional tests")
+        check_run(["pytest", "tests/functional"], cwd=ROOT_DIR)
+    finally:
+        log_progress("Restoring cassettes")
+        check_run(["git", "restore", CASSETTES_DIR], cwd=ROOT_DIR)
+
+        log_progress("Stopping Hashicorp server")
+        stop_hashicorp_vault_server()
 
 
 def replace_once_in_file(path: Path, src: str, dst: str, flags: int = 0) -> None:

tests/unit/cassettes/test_docker_scan_archive-False.yaml

@@ -0,0 +1,161 @@
+interactions:
+  - request:
+      body: null
+      headers:
+        Accept:
+          - '*/*'
+        Accept-Encoding:
+          - gzip, deflate
+        Connection:
+          - keep-alive
+        User-Agent:
+          - pygitguardian/1.20.0 (Linux;py3.11.8) ggshield
+      method: GET
+      uri: https://api.gitguardian.com/v1/metadata
+    response:
+      body:
+        string:
+          '{"version":"v2.158.0","preferences":{"marketplaces__aws_product_url":"http://aws.amazon.com/marketplace/pp/prodview-mrmulzykamba6","on_premise__restrict_signup":true,"on_premise__is_email_server_configured":true,"on_premise__default_sso_config_api_id":null,"on_premise__default_sso_config_force_sso":null,"onboarding__segmentation_v1_enabled":true,"general__maximum_payload_size":26214400,"general__mutual_tls_mode":"disabled","general__signup_enabled":true},"secret_scan_preferences":{"maximum_documents_per_scan":20,"maximum_document_size":1048576},"remediation_messages":{"pre_commit":">
+          How to remediate\n\n  Since the secret was detected before the commit was
+          made:\n  1. replace the secret with its reference (e.g. environment variable).\n  2.
+          commit again.\n\n> [To apply with caution] If you want to bypass ggshield
+          (false positive or other reason), run:\n  - if you use the pre-commit framework:\n\n    SKIP=ggshield
+          git commit -m \"<your message\"","pre_push":"> How to remediate\n\n  Since
+          the secret was detected before the push BUT after the commit, you need to:\n  1.
+          rewrite the git history making sure to replace the secret with its reference
+          (e.g. environment variable).\n  2. push again.\n\n  To prevent having to rewrite
+          git history in the future, setup ggshield as a pre-commit hook:\n    https://docs.gitguardian.com/ggshield-docs/integrations/git-hooks/pre-commit\n\n>
+          [Apply with caution] If you want to bypass ggshield (false positive or other
+          reason), run:\n  - if you use the pre-commit framework:\n\n    SKIP=ggshield-push
+          git push","pre_receive":"> How to remediate\n\n  A pre-receive hook set server
+          side prevented you from pushing secrets.\n\n  Since the secret was detected
+          during the push BUT after the commit, you need to:\n  1. rewrite the git history
+          making sure to replace the secret with its reference (e.g. environment variable).\n  2.
+          push again.\n\n  To prevent having to rewrite git history in the future, setup
+          ggshield as a pre-commit hook:\n    https://docs.gitguardian.com/ggshield-docs/integrations/git-hooks/pre-commit\n\n>
+          [Apply with caution] If you want to bypass ggshield (false positive or other
+          reason), run:\n\n    git push -o breakglass"}}'
+      headers:
+        access-control-expose-headers:
+          - X-App-Version
+        allow:
+          - GET, HEAD, OPTIONS
+        content-length:
+          - '2194'
+        content-type:
+          - application/json
+        cross-origin-opener-policy:
+          - same-origin
+        date:
+          - Thu, 27 Feb 2025 15:34:58 GMT
+        referrer-policy:
+          - strict-origin-when-cross-origin
+        server:
+          - istio-envoy
+        strict-transport-security:
+          - max-age=31536000; includeSubDomains
+        transfer-encoding:
+          - chunked
+        vary:
+          - Accept-Encoding,Cookie
+        x-app-version:
+          - v2.158.0
+        x-content-type-options:
+          - nosniff
+          - nosniff
+        x-envoy-upstream-service-time:
+          - '41'
+        x-frame-options:
+          - DENY
+          - SAMEORIGIN
+        x-secrets-engine-version:
+          - 2.133.0
+        x-xss-protection:
+          - 1; mode=block
+      status:
+        code: 200
+        message: OK
+  - request:
+      body:
+        '[{"filename": "file_secret", "document": "commit 9537b6343a81f88d471e93f20ffb2e2665bbab00\nAuthor:
+        GitGuardian Owl <[email protected]>\nDate:   Thu Aug 18 18:20:21 2022 +0200\n\nA
+        message\n\n:000000 100644 0000000 e965047 A\u001atest\u001a\u001adiff --git
+        a/test b/test\nnew file mode 100644\nindex 0000000..b80e3df\n--- /dev/null\n+++
+        b/test\n@@ -0,0 +2 @@\n+# gg token\n+apikey = \"8a784aab7090f6a4ba3b9f7a6594e2e727007a26590b58ed314e4b9ed4536479sRZlRup3xvtMVfiHWAanbe712Jtc3nY8veZux5raL1bhpaxiv0rfyhFoAIMZUCh2Njyk7gRVsSQFPrEphSJnxa16SIdWKb03sRft770LUTTYTAy3IM18A7Su4HjiHlGA9ihLj9ou3luadfRAATlKH6kAZwTw289Kq9uip67zxyWkUJdh6PTeFpMgCh3AhHcZ21VeZHlu12345\";\n"}]'
+      headers:
+        Accept:
+          - '*/*'
+        Accept-Encoding:
+          - gzip, deflate
+        Connection:
+          - keep-alive
+        Content-Length:
+          - '659'
+        Content-Type:
+          - application/json
+        GGShield-Command-Id:
+          - 0f674b05-3a26-45ea-8a1c-1229fc77b1bc
+        GGShield-Command-Path:
+          - cli secret scan docker-archive
+        GGShield-OS-Name:
+          - ubuntu
+        GGShield-OS-Version:
+          - '22.04'
+        GGShield-Python-Version:
+          - 3.11.8
+        GGShield-Version:
+          - 1.36.0
+        User-Agent:
+          - pygitguardian/1.20.0 (Linux;py3.11.8) ggshield
+        mode:
+          - docker
+        scan_options:
+          - '{"show_secrets": false, "ignored_detectors_count": 0, "ignored_matches_count":
+            0, "ignored_paths_count": 14, "ignore_known_secrets": false, "with_incident_details":
+            false, "has_prereceive_remediation_message": false, "all_secrets": false}'
+      method: POST
+      uri: https://api.gitguardian.com/v1/multiscan?all_secrets=True
+    response:
+      body:
+        string:
+          '[{"policy_break_count":1,"policies":["Secrets detection"],"policy_breaks":[{"type":"GitGuardian
+          Development Secret","policy":"Secrets detection","matches":[{"type":"apikey","match":"8a784aab7090f6a4ba3b9f7a6594e2e727007a26590b58ed314e4b9ed4536479sRZlRup3xvtMVfiHWAanbe712Jtc3nY8veZux5raL1bhpaxiv0rfyhFoAIMZUCh2Njyk7gRVsSQFPrEphSJnxa16SIdWKb03sRft770LUTTYTAy3IM18A7Su4HjiHlGA9ihLj9ou3luadfRAATlKH6kAZwTw289Kq9uip67zxyWkUJdh6PTeFpMgCh3AhHcZ21VeZHlu12345","index_start":311,"index_end":579,"line_start":14,"line_end":14}],"is_excluded":false,"exclude_reason":null,"incident_url":"https://dashboard.gitguardian.com/workspace/8/incidents/8137386","known_secret":true,"validity":"no_checker","diff_kind":null}],"is_diff":false}]'
+      headers:
+        access-control-expose-headers:
+          - X-App-Version
+        allow:
+          - POST, OPTIONS
+        content-length:
+          - '722'
+        content-type:
+          - application/json
+        cross-origin-opener-policy:
+          - same-origin
+        date:
+          - Thu, 27 Feb 2025 15:34:59 GMT
+        referrer-policy:
+          - strict-origin-when-cross-origin
+        server:
+          - istio-envoy
+        strict-transport-security:
+          - max-age=31536000; includeSubDomains
+        vary:
+          - Cookie
+        x-app-version:
+          - v2.158.0
+        x-content-type-options:
+          - nosniff
+          - nosniff
+        x-envoy-upstream-service-time:
+          - '442'
+        x-frame-options:
+          - DENY
+          - SAMEORIGIN
+        x-secrets-engine-version:
+          - 2.133.0
+        x-xss-protection:
+          - 1; mode=block
+      status:
+        code: 200
+        message: OK
+version: 1

tests/unit/cassettes/test_docker_scan_archive-True.yaml

@@ -0,0 +1,78 @@
+interactions:
+  - request:
+      body: null
+      headers:
+        Accept:
+          - '*/*'
+        Accept-Encoding:
+          - gzip, deflate
+        Connection:
+          - keep-alive
+        User-Agent:
+          - pygitguardian/1.20.0 (Linux;py3.11.8) ggshield
+      method: GET
+      uri: https://api.gitguardian.com/v1/metadata
+    response:
+      body:
+        string:
+          '{"version":"v2.158.0","preferences":{"marketplaces__aws_product_url":"http://aws.amazon.com/marketplace/pp/prodview-mrmulzykamba6","on_premise__restrict_signup":true,"on_premise__is_email_server_configured":true,"on_premise__default_sso_config_api_id":null,"on_premise__default_sso_config_force_sso":null,"onboarding__segmentation_v1_enabled":true,"general__maximum_payload_size":26214400,"general__mutual_tls_mode":"disabled","general__signup_enabled":true},"secret_scan_preferences":{"maximum_documents_per_scan":20,"maximum_document_size":1048576},"remediation_messages":{"pre_commit":">
+          How to remediate\n\n  Since the secret was detected before the commit was
+          made:\n  1. replace the secret with its reference (e.g. environment variable).\n  2.
+          commit again.\n\n> [To apply with caution] If you want to bypass ggshield
+          (false positive or other reason), run:\n  - if you use the pre-commit framework:\n\n    SKIP=ggshield
+          git commit -m \"<your message\"","pre_push":"> How to remediate\n\n  Since
+          the secret was detected before the push BUT after the commit, you need to:\n  1.
+          rewrite the git history making sure to replace the secret with its reference
+          (e.g. environment variable).\n  2. push again.\n\n  To prevent having to rewrite
+          git history in the future, setup ggshield as a pre-commit hook:\n    https://docs.gitguardian.com/ggshield-docs/integrations/git-hooks/pre-commit\n\n>
+          [Apply with caution] If you want to bypass ggshield (false positive or other
+          reason), run:\n  - if you use the pre-commit framework:\n\n    SKIP=ggshield-push
+          git push","pre_receive":"> How to remediate\n\n  A pre-receive hook set server
+          side prevented you from pushing secrets.\n\n  Since the secret was detected
+          during the push BUT after the commit, you need to:\n  1. rewrite the git history
+          making sure to replace the secret with its reference (e.g. environment variable).\n  2.
+          push again.\n\n  To prevent having to rewrite git history in the future, setup
+          ggshield as a pre-commit hook:\n    https://docs.gitguardian.com/ggshield-docs/integrations/git-hooks/pre-commit\n\n>
+          [Apply with caution] If you want to bypass ggshield (false positive or other
+          reason), run:\n\n    git push -o breakglass"}}'
+      headers:
+        access-control-expose-headers:
+          - X-App-Version
+        allow:
+          - GET, HEAD, OPTIONS
+        content-length:
+          - '2194'
+        content-type:
+          - application/json
+        cross-origin-opener-policy:
+          - same-origin
+        date:
+          - Thu, 27 Feb 2025 15:34:57 GMT
+        referrer-policy:
+          - strict-origin-when-cross-origin
+        server:
+          - istio-envoy
+        strict-transport-security:
+          - max-age=31536000; includeSubDomains
+        transfer-encoding:
+          - chunked
+        vary:
+          - Accept-Encoding,Cookie
+        x-app-version:
+          - v2.158.0
+        x-content-type-options:
+          - nosniff
+          - nosniff
+        x-envoy-upstream-service-time:
+          - '43'
+        x-frame-options:
+          - DENY
+          - SAMEORIGIN
+        x-secrets-engine-version:
+          - 2.133.0
+        x-xss-protection:
+          - 1; mode=block
+      status:
+        code: 200
+        message: OK
+version: 1

tests/unit/cassettes/test_hmsl_api_status.yaml

@@ -1,4 +1,62 @@
 interactions:
+  - request:
+      body: '{"audience": "https://api.hasmysecretleaked.com", "audience_type": "hmsl"}'
+      headers:
+        Accept:
+          - '*/*'
+        Accept-Encoding:
+          - gzip, deflate
+        Connection:
+          - keep-alive
+        Content-Length:
+          - '74'
+        Content-Type:
+          - application/json
+        User-Agent:
+          - pygitguardian/1.20.0 (Linux;py3.11.8) ggshield
+      method: POST
+      uri: https://api.gitguardian.com/v1/auth/jwt
+    response:
+      body:
+        string: '{"token": "<REDACTED>"}'
+      headers:
+        access-control-expose-headers:
+          - X-App-Version
+        allow:
+          - POST, OPTIONS
+        content-length:
+          - '741'
+        content-type:
+          - application/json
+        cross-origin-opener-policy:
+          - same-origin
+        date:
+          - Thu, 27 Feb 2025 17:20:28 GMT
+        referrer-policy:
+          - strict-origin-when-cross-origin
+        server:
+          - istio-envoy
+        strict-transport-security:
+          - max-age=31536000; includeSubDomains
+        vary:
+          - Cookie
+        x-app-version:
+          - v2.158.0
+        x-content-type-options:
+          - nosniff
+          - nosniff
+        x-envoy-upstream-service-time:
+          - '68'
+        x-frame-options:
+          - DENY
+          - SAMEORIGIN
+        x-secrets-engine-version:
+          - 2.133.0
+        x-xss-protection:
+          - 1; mode=block
+      status:
+        code: 200
+        message: OK
   - request:
       body: null
       headers:
@@ -11,7 +69,7 @@ interactions:
         GGShield-HMSL-Command-Name:
           - cli_hmsl_api-status
         User-Agent:
-          - GGShield 1.21.0
+          - GGShield 1.36.0
       method: GET
       uri: https://api.hasmysecretleaked.com/healthz
     response:
@@ -23,13 +81,13 @@ interactions:
         content-type:
           - application/json
         date:
-          - Tue, 28 Nov 2023 09:00:15 GMT
+          - Thu, 27 Feb 2025 17:20:28 GMT
         server:
           - istio-envoy
         x-app-version:
-          - 1.9.0
+          - 1.12.11
         x-envoy-upstream-service-time:
-          - '6'
+          - '4'
       status:
         code: 200
         message: OK