feat(scan): Ignore secret which are not introduced

Walz · Walz · commit f838e67462d2 · 2024-11-29T15:53:28.000+01:00
diff --git a/ggshield/verticals/secret/secret_scan_collection.py b/ggshield/verticals/secret/secret_scan_collection.py
@@ -28,6 +28,7 @@ class IgnoreReason(Enum):
     IGNORED_MATCH = "ignored_match"
     IGNORED_DETECTOR = "ignored_detector"
     KNOWN_SECRET = "known_secret"
+    NOT_INTRODUCED = "not_introduced"
 
 
 class Result:
diff --git a/ggshield/verticals/secret/secret_scanner.py b/ggshield/verticals/secret/secret_scanner.py
@@ -7,7 +7,13 @@
 from typing import Dict, Iterable, List, Optional, Union
 
 from pygitguardian import GGClient
-from pygitguardian.models import APITokensResponse, Detail, MultiScanResult, TokenScope
+from pygitguardian.models import (
+    APITokensResponse,
+    Detail,
+    DiffKind,
+    MultiScanResult,
+    TokenScope,
+)
 
 from ggshield.core import ui
 from ggshield.core.cache import Cache
@@ -220,6 +226,11 @@ def _collect_results(
                 )
                 if not scan_result.has_policy_breaks:
                     continue
+                result.apply_ignore_function(
+                    IgnoreReason.NOT_INTRODUCED,
+                    lambda policy_break: policy_break.diff_kind
+                    in {DiffKind.DELETION, DiffKind.CONTEXT},
+                )
                 result.apply_ignore_function(
                     IgnoreReason.IGNORED_MATCH,
                     lambda policy_break: is_in_ignored_matches(
