Merge pull request #1111 from GitGuardian/amascia/nhi-793/nhi-ggshield-v2

chore(nhi): add vault related fields and modify sca…

Author: amascia-gg

changelog.d/20250702_102942_achille.mascia_nhi_ggshield_v2.md

@@ -0,0 +1,3 @@
+### Added
+
+- Added an additional section in ggshield's outputs to return vault related fields if the account setting is enabled.

ggshield/verticals/secret/output/schemas.py

@@ -23,6 +23,10 @@ class FlattenedPolicyBreak(BaseSchema):
     known_secret = fields.Bool(required=True, dump_default=False)
     ignore_reason = fields.Nested(IgnoreReasonSchema, dump_default=None)
     secret_vaulted = fields.Bool(required=True, dump_default=False)
+    vault_type = fields.String(required=False, allow_none=True)
+    vault_name = fields.String(required=False, allow_none=True)
+    vault_path = fields.String(required=False, allow_none=True)
+    vault_path_count = fields.Integer(required=False, allow_none=True)
 
 
 class JSONResultSchema(BaseSchema):

ggshield/verticals/secret/output/secret_json_output_handler.py

@@ -143,6 +143,14 @@ def serialized_secret(
 
         if secrets[0].is_vaulted:
             flattened_dict["secret_vaulted"] = secrets[0].is_vaulted
+
+        # Add vault information if available
+        if secrets[0].vault_path is not None:
+            flattened_dict["vault_type"] = secrets[0].vault_type
+            flattened_dict["vault_name"] = secrets[0].vault_name
+            flattened_dict["vault_path"] = secrets[0].vault_path
+            flattened_dict["vault_path_count"] = secrets[0].vault_path_count
+
         for secret in secrets:
             flattened_dict["occurrences"].extend(self.serialize_secret_matches(secret))
 

ggshield/verticals/secret/output/secret_sarif_output_handler.py

@@ -6,7 +6,7 @@
 
 from ggshield import __version__ as ggshield_version
 from ggshield.core.match_span import MatchSpan
-from ggshield.core.text_utils import format_bool
+from ggshield.core.text_utils import pluralize
 
 from ..extended_match import ExtendedMatch
 from ..secret_scan_collection import Result, Secret, SecretScanCollection
@@ -84,7 +84,19 @@ def _create_sarif_result_dict(
         markdown_message = f"Secret detected: [{secret.detector_display_name}]({secret.documentation_url})"
     else:
         markdown_message = f"Secret detected: {secret.detector_display_name}"
-    markdown_message += f"\nSecret in Secrets Manager: {format_bool(secret.is_vaulted)}"
+
+    if secret.is_vaulted:
+        if secret.vault_path_count is None:
+            markdown_message += "\nSecret found in vault: Yes"
+        else:
+            vault_count_text = f"({secret.vault_path_count} {pluralize('location', secret.vault_path_count)})"
+            markdown_message += f"\nSecret found in vault: Yes {vault_count_text}"
+            markdown_message += f"\nVault Type: {secret.vault_type}"
+            markdown_message += f"\nVault Name: {secret.vault_name}"
+            markdown_message += f"\nSecret Path: {secret.vault_path}"
+    else:
+        markdown_message += "\nSecret found in vault: No"
+
     markdown_message += f"\nMatches:\n{matches_li}"
 
     # Create dict

ggshield/verticals/secret/output/secret_text_output_handler.py

@@ -302,13 +302,30 @@ def secret_header(
     number_occurrences = format_text(str(len(secrets)), STYLE["occurrence_count"])
     ignore_sha = format_text(ignore_sha, STYLE["ignore_sha"])
 
+    # Build vault status message
+    vault_status_msg = ""
+    vault_details_msg = ""
+
+    if secret.is_vaulted:
+        if secret.vault_path_count is None:
+            vault_status_msg = f"\n{indent}Secret found in vault: Yes"
+        else:
+            vault_count_text = f"({secret.vault_path_count} {pluralize('location', secret.vault_path_count)})"
+            vault_status_msg = (
+                f"\n{indent}Secret found in vault: Yes {vault_count_text}"
+            )
+            vault_details_msg += f"\n{indent}├─ Vault Type: {secret.vault_type}"
+            vault_details_msg += f"\n{indent}├─ Vault Name: {secret.vault_name}"
+            vault_details_msg += f"\n{indent}└─ Secret Path: {secret.vault_path}"
+    else:
+        vault_status_msg = f"\n{indent}Secret found in vault: No"
+
     message = f"""
 {start_line} Secret detected: {secret_type}{validity_msg}
 {indent}Occurrences: {number_occurrences}
 {indent}Known by GitGuardian dashboard: {format_bool(known_secret)}
 {indent}Incident URL: {secret.incident_url if known_secret and secret.incident_url else "N/A"}
-{indent}Secret SHA: {ignore_sha}
-{indent}Secret in Secrets Manager: {format_bool(secret.is_vaulted)}
+{indent}Secret SHA: {ignore_sha}{vault_status_msg}{vault_details_msg}
 """
     if secret.documentation_url is not None:
         message += f"{indent}Detector documentation: {secret.documentation_url}\n"

ggshield/verticals/secret/secret_scan_collection.py

@@ -94,6 +94,10 @@ class Secret:
     ignore_reason: Optional[IgnoreReason]
     diff_kind: Optional[DiffKind]
     is_vaulted: bool
+    vault_type: Optional[str]
+    vault_name: Optional[str]
+    vault_path: Optional[str]
+    vault_path_count: Optional[int]
 
     @property
     def policy(self) -> str:
@@ -201,6 +205,10 @@ def from_scan_result(
                 ignore_reason=ignore_reason,
                 diff_kind=policy_break.diff_kind,
                 is_vaulted=policy_break.is_vaulted,
+                vault_type=getattr(policy_break, "vault_type", None),
+                vault_name=getattr(policy_break, "vault_name", None),
+                vault_path=getattr(policy_break, "vault_path", None),
+                vault_path_count=getattr(policy_break, "vault_path_count", None),
             )
             for policy_break, ignore_reason in to_keep
         ]

pdm.lock

@@ -41,7 +41,7 @@ dependencies = [
     "marshmallow~=3.18.0",
     "marshmallow-dataclass~=8.5.8",
     "oauthlib~=3.2.1",
-    "pygitguardian @ git+https://github.com/GitGuardian/py-gitguardian.git",
+    "pygitguardian @ git+https://github.com/GitGuardian/py-gitguardian.git@007c1098d4e17bf71087453b431beafbaf425825",
     "pyjwt~=2.6.0",
     "python-dotenv~=0.21.0",
     "pyyaml~=6.0.1",

pyproject.toml

@@ -70,6 +70,10 @@ class Meta:
     is_vaulted = False
     exclude_reason = None
     diff_kind = None
+    vault_type = None
+    vault_name = None
+    vault_path = None
+    vault_path_count = None
     content = factory.Faker("text")
     nb_matches = factory.fuzzy.FuzzyInteger(1, 2)
 
@@ -111,3 +115,7 @@ class Meta:
     ignore_reason = None
     diff_kind = None
     is_vaulted = False
+    vault_type = None
+    vault_name = None
+    vault_path = None
+    vault_path_count = None