Merge pull request #41 from GitGuardian/jgriffe/prevent-scanning-gitignored-files

Prevent scanning gitignored files

Author: gg-jonathangriffe

src/extension.ts

@@ -1,88 +1,39 @@
 import {
+  cleanUpFileDiagnostics,
+  createDiagnosticCollection,
   ggshieldApiKey,
   ggshieldAuthStatus,
-  ggshieldScanFile,
   ignoreLastFound,
   ignoreSecret,
   loginGGShield,
   logoutGGShield,
+  scanFile,
   showAPIQuota,
 } from "./lib/ggshield-api";
 import {
   getConfiguration,
-  GGShieldConfiguration,
   setApiKey,
 } from "./lib/ggshield-configuration";
-import { parseGGShieldResults } from "./lib/ggshield-results-parser";
 import {
-  Diagnostic,
-  DiagnosticCollection,
   ExtensionContext,
   Uri,
   commands,
   languages,
   window,
   workspace,
-  StatusBarItem,
-  StatusBarAlignment,
   WebviewView,
 } from "vscode";
 import { GGShieldResolver } from "./lib/ggshield-resolver";
 import { getCurrentFile, isGitInstalled } from "./utils";
 import { GitGuardianWebviewProvider } from "./ggshield-webview/gitguardian-webview-view";
-import { StatusBarStatus, updateStatusBarItem } from "./gitguardian-interface/gitguardian-status-bar";
+import { createStatusBarItem, StatusBarStatus, updateStatusBarItem } from "./gitguardian-interface/gitguardian-status-bar";
 import {
   generateSecretName,
   GitGuardianSecretHoverProvider,
 } from "./gitguardian-interface/gitguardian-hover-provider";
 import { GitGuardianQuotaWebviewProvider } from "./ggshield-webview/gitguardian-quota-webview";
 import { GitGuardianRemediationMessageWebviewProvider } from "./ggshield-webview/gitguardian-remediation-message-view";
 
-/**
- * Extension diagnostic collection
- */
-let diagnosticCollection: DiagnosticCollection;
-let statusBar: StatusBarItem;
-
-/**
- * Scan a file using ggshield
- *
- * - retrieve configuration
- * - scan file using ggshield CLI application
- * - parse ggshield results
- * - set diagnostics collection so the incdients are visible to the user
- *
- * @param filePath path to file
- * @param fileUri file uri
- */
-async function scanFile(
-  this: any,
-  filePath: string,
-  fileUri: Uri,
-  configuration: GGShieldConfiguration
-): Promise<void> {
-  const results = ggshieldScanFile(filePath, configuration);
-  if (!results) {
-    updateStatusBarItem(StatusBarStatus.ready, statusBar);
-    return;
-  }
-  let incidentsDiagnostics: Diagnostic[] = parseGGShieldResults(results);
-  if (incidentsDiagnostics.length !== 0) {
-    updateStatusBarItem(StatusBarStatus.secretFound, statusBar);
-  } else {
-    updateStatusBarItem(StatusBarStatus.noSecretFound, statusBar);
-  }
-  diagnosticCollection.set(fileUri, incidentsDiagnostics);
-}
-
-/**
- * Clean up file diagnostics
- *
- * @param fileUri file uri
- */
-function cleanUpFileDiagnostics(fileUri: Uri): void {
-  diagnosticCollection.delete(fileUri);
-}
 
 function registerOpenViewsCommands(
   context: ExtensionContext,
@@ -162,13 +113,11 @@ export function activate(context: ExtensionContext) {
   );
   context.subscriptions.push(ggshieldViewProvider, ggshieldRemediationMessageViewProvider, ggshieldQuotaViewProvider);
 
-  statusBar = window.createStatusBarItem(StatusBarAlignment.Left, 0);
-  updateStatusBarItem(StatusBarStatus.initialization, statusBar);
+  createStatusBarItem(context);
 
   //generic commands to open correct view on status bar click
   registerOpenViewsCommands(context, outputChannel);
   registerQuotaViewCommands(ggshieldQuotaViewProvider);
-  context.subscriptions.push(statusBar);
 
   context.subscriptions.push(
     languages.registerHoverProvider("*", new GitGuardianSecretHoverProvider())
@@ -180,14 +129,14 @@ export function activate(context: ExtensionContext) {
       // Check if ggshield is authenticated
       ggshieldAuthStatus(configuration, context);
       if (context.globalState.get("isAuthenticated", false)) {
-        updateStatusBarItem(StatusBarStatus.ready, statusBar);
+        updateStatusBarItem(StatusBarStatus.ready);
         setApiKey(configuration, ggshieldApiKey(configuration));
         ggshieldViewProvider.refresh();
         ggshieldRemediationMessageViewProvider.refresh();
         ggshieldQuotaViewProvider.refresh();
 
       } else {
-        updateStatusBarItem(StatusBarStatus.unauthenticated, statusBar);
+        updateStatusBarItem(StatusBarStatus.unauthenticated);
       }
     })
     .then(async () => {
@@ -203,9 +152,7 @@ export function activate(context: ExtensionContext) {
     .then(() => {
       // Start scanning documents on activation events
       // (i.e. when a new document is opened or when the document is saved)
-      diagnosticCollection = languages.createDiagnosticCollection("ggshield");
-
-      context.subscriptions.push(diagnosticCollection);
+      createDiagnosticCollection(context);
       context.subscriptions.push(
         workspace.onDidSaveTextDocument((textDocument) => {
           // Check if the document is inside the workspace
@@ -249,7 +196,7 @@ export function activate(context: ExtensionContext) {
             scanFile(
               currentFile,
               Uri.file(currentFile),
-              ggshieldResolver.configuration
+              ggshieldResolver.configuration,
             );
           }
         ),
@@ -262,10 +209,10 @@ export function activate(context: ExtensionContext) {
             context
           ).then(() => {
             if (context.globalState.get("isAuthenticated", false)) {
-              updateStatusBarItem(StatusBarStatus.ready, statusBar);
+              updateStatusBarItem(StatusBarStatus.ready);
               setApiKey(configuration, ggshieldApiKey(configuration));
             } else {
-              updateStatusBarItem(StatusBarStatus.unauthenticated, statusBar);
+              updateStatusBarItem(StatusBarStatus.unauthenticated);
             }
             ggshieldViewProvider.refresh();
             ggshieldRemediationMessageViewProvider.refresh();
@@ -276,7 +223,7 @@ export function activate(context: ExtensionContext) {
         }),
         commands.registerCommand("gitguardian.logout", async () => {
           logoutGGShield(ggshieldResolver.configuration, context);
-          updateStatusBarItem(StatusBarStatus.unauthenticated, statusBar);
+          updateStatusBarItem(StatusBarStatus.unauthenticated);
           setApiKey(configuration, undefined);
           ggshieldViewProvider.refresh();
           ggshieldRemediationMessageViewProvider.refresh();
@@ -286,13 +233,8 @@ export function activate(context: ExtensionContext) {
     })
     .catch((error) => {
       outputChannel.appendLine(`Error: ${error.message}`);
-      updateStatusBarItem(StatusBarStatus.error, statusBar);
+      updateStatusBarItem(StatusBarStatus.error);
     });
 }
 
-export function deactivate() {
-  if (diagnosticCollection) {
-    diagnosticCollection.dispose();
-    statusBar.dispose();
-  }
-}
+export function deactivate() {}

src/gitguardian-interface/gitguardian-status-bar.ts

@@ -1,4 +1,8 @@
-import { StatusBarItem, ThemeColor } from "vscode";
+import { ExtensionContext, StatusBarAlignment, StatusBarItem, ThemeColor, window } from "vscode";
+
+
+let statusBarItem: StatusBarItem;
+
 
 export interface StatusBarConfig {
   text: string;
@@ -14,9 +18,16 @@ export enum StatusBarStatus {
   secretFound = "Secret found",
   noSecretFound = "No secret found",
   error = "Error",
+  ignoredFile = "Ignored file",
+}
+
+export function createStatusBarItem(context: ExtensionContext): void {
+  statusBarItem = window.createStatusBarItem(StatusBarAlignment.Left, 0);
+  updateStatusBarItem(StatusBarStatus.initialization);
+  context.subscriptions.push(statusBarItem);
 }
 
-export function getStatusBarConfig(status: StatusBarStatus): StatusBarConfig {
+function getStatusBarConfig(status: StatusBarStatus): StatusBarConfig {
   switch (status) {
     case StatusBarStatus.initialization:
       return {
@@ -57,14 +68,18 @@ export function getStatusBarConfig(status: StatusBarStatus): StatusBarConfig {
         color: "statusBarItem.errorBackground",
         command: "gitguardian.showOutput",
       };
+    case StatusBarStatus.ignoredFile:
+      return {
+        text: "GitGuardian - Ignored file",
+        color: "statusBarItem.warningBackground",
+      };
     default:
       return { text: "", color: "statusBar.foreground" };
   }
 }
 
 export function updateStatusBarItem(
   status: StatusBarStatus,
-  statusBarItem: StatusBarItem
 ): void {
   const config = getStatusBarConfig(status);
   statusBarItem.text = config.text;

src/lib/ggshield-api.ts

@@ -3,14 +3,20 @@ import {
   SpawnOptionsWithoutStdio,
   spawn,
 } from "child_process";
-import { window, WebviewView, ExtensionContext, commands } from "vscode";
+import { window, WebviewView, DiagnosticCollection, commands, ExtensionContext, languages, Uri, Diagnostic } from "vscode";
 import axios from 'axios';
 import { GGShieldConfiguration } from "./ggshield-configuration";
 import { GGShieldScanResults } from "./api-types";
 import * as os from "os";
-import { apiToDashboard, dasboardToApi } from "../utils";
+import { apiToDashboard, dasboardToApi, isFileGitignored } from "../utils";
 import { runGGShieldCommand } from "./run-ggshield";
+import { StatusBarStatus, updateStatusBarItem } from "../gitguardian-interface/gitguardian-status-bar";
+import { parseGGShieldResults } from "./ggshield-results-parser";
 
+/**
+ * Extension diagnostic collection
+ */
+export let diagnosticCollection: DiagnosticCollection;
 
 /**
  * Display API quota
@@ -115,19 +121,42 @@ export function ignoreSecret(
   }
 }
 
+export function createDiagnosticCollection(context: ExtensionContext): void {
+  diagnosticCollection = languages.createDiagnosticCollection("ggshield");
+  context.subscriptions.push(diagnosticCollection);
+}
+
+/**
+ * Clean up file diagnostics
+ *
+ * @param fileUri file uri
+ */
+export function cleanUpFileDiagnostics(fileUri: Uri): void {
+  diagnosticCollection.delete(fileUri);
+}
+
+
 /**
- * Scan a file using ggshield CLI application
+ * Scan a file using ggshield
  *
- * Show error messages on failure
+ * - retrieve configuration
+ * - scan file using ggshield CLI application
+ * - parse ggshield results
+ * - set diagnostics collection so the incdients are visible to the user
  *
  * @param filePath path to file
- * @param configuration ggshield configuration
- * @returns results or undefined if there was an error
+ * @param fileUri file uri
  */
-export function ggshieldScanFile(
+export async function scanFile(
+  this: any,
   filePath: string,
+  fileUri: Uri,
   configuration: GGShieldConfiguration
-): GGShieldScanResults | undefined {
+): Promise<void> {
+  if (isFileGitignored(filePath)) {
+    updateStatusBarItem(StatusBarStatus.ignoredFile);
+    return;
+  }
   const proc = runGGShieldCommand(configuration, [
     "secret",
     "scan",
@@ -155,9 +184,22 @@ export function ggshieldScanFile(
     return undefined;
   }
 
-  return JSON.parse(proc.stdout);
+  const results = JSON.parse(proc.stdout);
+  if (!results) {
+    updateStatusBarItem(StatusBarStatus.ready);
+    return;
+  }
+  let incidentsDiagnostics: Diagnostic[] = parseGGShieldResults(results);
+  if (incidentsDiagnostics.length !== 0) {
+    updateStatusBarItem(StatusBarStatus.secretFound);
+  } else {
+    updateStatusBarItem(StatusBarStatus.noSecretFound);
+  }
+  
+  diagnosticCollection.set(fileUri, incidentsDiagnostics);
 }
 
+
 export async function loginGGShield(
   configuration: GGShieldConfiguration,
   outputChannel: any,

src/test/constants.ts

@@ -0,0 +1,41 @@
+export const scanResultsNoIncident =
+  '{"id": "test.py", "type": "path_scan", "total_incidents": 0, "total_occurrences": 0}';
+
+export const scanResultsWithIncident = `{
+    "id":"test.py",
+    "type":"path_scan",
+    "entities_with_incidents":[
+       {
+          "mode":"FILE",
+          "filename":"test.py",
+          "incidents":[
+             {
+                "policy":"Secrets detection",
+                "occurrences":[
+                   {
+                      "match":"DDACC73DdB04********************************************057c78317C39",
+                      "type":"apikey",
+                      "line_start":4,
+                      "line_end":4,
+                      "index_start":11,
+                      "index_end":79,
+                      "pre_line_start":4,
+                      "pre_line_end":4
+                   }
+                ],
+                "type":"Generic High Entropy Secret",
+                "validity":"no_checker",
+                "ignore_sha":"38353eb1a2aac5b24f39ed67912234d4b4a2e23976d504a88b28137ed2b9185e",
+                "total_occurrences":1,
+                "incident_url":"",
+                "known_secret":false
+             }
+          ],
+          "total_incidents":1,
+          "total_occurrences":1
+       }
+    ],
+    "total_incidents":1,
+    "total_occurrences":1,
+    "secrets_engine_version":"2.96.0"
+    }`;