Merge pull request #1010 from GitGuardian/samuel/spi-526-implement-deletion-commit-identification-in-ggshield

agateau-gg · web-flow · commit ee56436f7ccf · 2024-12-03T14:33:09.000+01:00
feat(output): Only fail secret scans when the secret is introduced
diff --git a/changelog.d/20241129_155452_samuel.guillaume_spi_526_implement_deletion_commit_identification_in_ggshield.md b/changelog.d/20241129_155452_samuel.guillaume_spi_526_implement_deletion_commit_identification_in_ggshield.md
@@ -0,0 +1,41 @@
+<!--
+A new scriv changelog fragment.
+
+Uncomment the section that is right (remove the HTML comment wrapper).
+-->
+
+<!--
+### Removed
+
+- A bullet item for the Removed category.
+
+-->
+<!--
+### Added
+
+- A bullet item for the Added category.
+
+-->
+
+### Changed
+
+- When scanning commits, ggshield will ignore by default secrets which are removed or contextual to the patch.
+
+<!--
+### Deprecated
+
+- A bullet item for the Deprecated category.
+
+-->
+<!--
+### Fixed
+
+- A bullet item for the Fixed category.
+
+-->
+<!--
+### Security
+
+- A bullet item for the Security category.
+
+-->
diff --git a/ggshield/verticals/secret/secret_scan_collection.py b/ggshield/verticals/secret/secret_scan_collection.py
@@ -28,6 +28,7 @@ class IgnoreReason(Enum):
     IGNORED_MATCH = "ignored_match"
     IGNORED_DETECTOR = "ignored_detector"
     KNOWN_SECRET = "known_secret"
+    NOT_INTRODUCED = "not_introduced"
 
 
 class Result:
diff --git a/ggshield/verticals/secret/secret_scanner.py b/ggshield/verticals/secret/secret_scanner.py
@@ -7,7 +7,13 @@
 from typing import Dict, Iterable, List, Optional, Union
 
 from pygitguardian import GGClient
-from pygitguardian.models import APITokensResponse, Detail, MultiScanResult, TokenScope
+from pygitguardian.models import (
+    APITokensResponse,
+    Detail,
+    DiffKind,
+    MultiScanResult,
+    TokenScope,
+)
 
 from ggshield.core import ui
 from ggshield.core.cache import Cache
@@ -220,6 +226,11 @@ def _collect_results(
                 )
                 if not scan_result.has_policy_breaks:
                     continue
+                result.apply_ignore_function(
+                    IgnoreReason.NOT_INTRODUCED,
+                    lambda policy_break: policy_break.diff_kind
+                    in {DiffKind.DELETION, DiffKind.CONTEXT},
+                )
                 result.apply_ignore_function(
                     IgnoreReason.IGNORED_MATCH,
                     lambda policy_break: is_in_ignored_matches(
