feat(scan): prevent scanning gitignored files

gg-jonathangriffe · gg-jonathangriffe · commit ffd99d014076 · 2024-10-28T17:55:47.000+01:00
diff --git a/src/gitguardian-interface/gitguardian-status-bar.ts b/src/gitguardian-interface/gitguardian-status-bar.ts
@@ -18,6 +18,7 @@ export enum StatusBarStatus {
   secretFound = "Secret found",
   noSecretFound = "No secret found",
   error = "Error",
+  ignoredFile = "Ignored file",
 }
 
 export function createStatusBarItem(context: ExtensionContext): void {
@@ -67,6 +68,11 @@ function getStatusBarConfig(status: StatusBarStatus): StatusBarConfig {
         color: "statusBarItem.errorBackground",
         command: "gitguardian.showOutput",
       };
+    case StatusBarStatus.ignoredFile:
+      return {
+        text: "GitGuardian - Ignored file",
+        color: "statusBarItem.warningBackground",
+      };
     default:
       return { text: "", color: "statusBar.foreground" };
   }
diff --git a/src/lib/ggshield-api.ts b/src/lib/ggshield-api.ts
@@ -8,15 +8,15 @@ import axios from 'axios';
 import { GGShieldConfiguration } from "./ggshield-configuration";
 import { GGShieldScanResults } from "./api-types";
 import * as os from "os";
-import { apiToDashboard, dasboardToApi } from "../utils";
+import { apiToDashboard, dasboardToApi, isFileGitignored } from "../utils";
 import { runGGShieldCommand } from "./run-ggshield";
 import { StatusBarStatus, updateStatusBarItem } from "../gitguardian-interface/gitguardian-status-bar";
 import { parseGGShieldResults } from "./ggshield-results-parser";
 
 /**
  * Extension diagnostic collection
  */
-let diagnosticCollection: DiagnosticCollection;
+export let diagnosticCollection: DiagnosticCollection;
 
 /**
  * Display API quota
@@ -153,6 +153,10 @@ export async function scanFile(
   fileUri: Uri,
   configuration: GGShieldConfiguration
 ): Promise<void> {
+  if (isFileGitignored(filePath)) {
+    updateStatusBarItem(StatusBarStatus.ignoredFile);
+    return;
+  }
   const proc = runGGShieldCommand(configuration, [
     "secret",
     "scan",
diff --git a/src/test/constants.ts b/src/test/constants.ts
@@ -0,0 +1,41 @@
+export const scanResultsNoIncident =
+  '{"id": "test.py", "type": "path_scan", "total_incidents": 0, "total_occurrences": 0}';
+
+export const scanResultsWithIncident = `{
+    "id":"test.py",
+    "type":"path_scan",
+    "entities_with_incidents":[
+       {
+          "mode":"FILE",
+          "filename":"test.py",
+          "incidents":[
+             {
+                "policy":"Secrets detection",
+                "occurrences":[
+                   {
+                      "match":"DDACC73DdB04********************************************057c78317C39",
+                      "type":"apikey",
+                      "line_start":4,
+                      "line_end":4,
+                      "index_start":11,
+                      "index_end":79,
+                      "pre_line_start":4,
+                      "pre_line_end":4
+                   }
+                ],
+                "type":"Generic High Entropy Secret",
+                "validity":"no_checker",
+                "ignore_sha":"38353eb1a2aac5b24f39ed67912234d4b4a2e23976d504a88b28137ed2b9185e",
+                "total_occurrences":1,
+                "incident_url":"",
+                "known_secret":false
+             }
+          ],
+          "total_incidents":1,
+          "total_occurrences":1
+       }
+    ],
+    "total_incidents":1,
+    "total_occurrences":1,
+    "secrets_engine_version":"2.96.0"
+    }`;
diff --git a/src/test/suite/lib/ggshield-api.test.ts b/src/test/suite/lib/ggshield-api.test.ts
@@ -0,0 +1,93 @@
+import { GGShieldConfiguration } from "../../../lib/ggshield-configuration";
+import * as statusBar from "../../../gitguardian-interface/gitguardian-status-bar";
+import * as simple from "simple-mock";
+import { diagnosticCollection, scanFile } from "../../../lib/ggshield-api";
+import * as runGGShield from "../../../lib/run-ggshield";
+import path = require("path");
+import { Uri, window } from "vscode";
+import assert = require("assert");
+import {
+  scanResultsNoIncident,
+  scanResultsWithIncident,
+} from "../../constants";
+
+suite("scanFile", () => {
+  let updateStatusBarMock: simple.Stub<Function>;
+  let runGGShieldCommandMock: simple.Stub<Function>;
+
+  setup(() => {
+    updateStatusBarMock = simple.mock(statusBar, "updateStatusBarItem");
+    runGGShieldCommandMock = simple.mock(runGGShield, "runGGShieldCommand");
+  });
+
+  teardown(() => {
+    simple.restore();
+  });
+
+  test("successfully scans a file with no incidents", async () => {
+    runGGShieldCommandMock.returnWith({
+      status: 0,
+      stdout: scanResultsNoIncident,
+      stderr: "",
+    });
+
+    await scanFile("test.py", Uri.file("test.py"), {} as GGShieldConfiguration);
+
+    // The status bar displays "No Secret Found"
+    assert.strictEqual(updateStatusBarMock.callCount, 1);
+    assert.strictEqual(
+      updateStatusBarMock.lastCall.args[0],
+      statusBar.StatusBarStatus.noSecretFound
+    );
+  });
+
+  test("successfully scans a file with incidents", async () => {
+    runGGShieldCommandMock.returnWith({
+      status: 0,
+      stdout: scanResultsWithIncident,
+      stderr: "",
+    });
+
+    await scanFile("test.py", Uri.file("test.py"), {} as GGShieldConfiguration);
+
+    // The status bar displays "Secret Found"
+    assert.strictEqual(updateStatusBarMock.callCount, 1);
+    assert.strictEqual(
+      updateStatusBarMock.lastCall.args[0],
+      statusBar.StatusBarStatus.secretFound
+    );
+
+    // The diagnostic collection contains the incident
+    assert.strictEqual(
+      diagnosticCollection.get(Uri.file("test.py"))?.length,
+      1
+    );
+  });
+
+  test("skips the file if it is ignored", async () => {
+    const filePath = "out/test.py";
+    await scanFile(filePath, Uri.file(filePath), {} as GGShieldConfiguration);
+
+    // The status bar displays "Ignored File"
+    assert.strictEqual(updateStatusBarMock.callCount, 1);
+    assert.strictEqual(
+      updateStatusBarMock.lastCall.args[0],
+      statusBar.StatusBarStatus.ignoredFile
+    );
+  });
+
+  test("displays an error message if the scan command fails", async () => {
+    const errorMessageMock = simple.mock(window, "showErrorMessage");
+    runGGShieldCommandMock.returnWith({
+      status: 1,
+      stdout: "",
+      stderr: "Error",
+    });
+
+    await scanFile("test.py", Uri.file("test.py"), {} as GGShieldConfiguration);
+
+    // The error message is displayed
+    assert.strictEqual(errorMessageMock.callCount, 1);
+    assert.strictEqual(errorMessageMock.lastCall.args[0], "ggshield: Error\n");
+  });
+});
diff --git a/src/utils.ts b/src/utils.ts
@@ -18,6 +18,12 @@ export async function isGitInstalled(): Promise<boolean> {
   });
 }
 
+// Since git is required to use ggshield, we know that it is installed
+export function isFileGitignored(filePath: string): boolean {
+  let proc = spawnSync("git", ["check-ignore", filePath]);
+  return proc.status === 0;
+}
+
 export function getCurrentFile(): string {
   const activeEditor = vscode.window.activeTextEditor;
   if (activeEditor) {
@@ -28,7 +34,9 @@ export function getCurrentFile(): string {
 }
 
 export function dasboardToApi(dashboardUrl: string): string {
-  const domainMatch = gitGuardianDomains.some((domain) => dashboardUrl.includes(domain));
+  const domainMatch = gitGuardianDomains.some((domain) =>
+    dashboardUrl.includes(domain)
+  );
   if (domainMatch) {
     return dashboardUrl.replace(reDashboard, reApi);
   } else {
@@ -37,7 +45,9 @@ export function dasboardToApi(dashboardUrl: string): string {
 }
 
 export function apiToDashboard(apiUrl: string): string {
-  const domainMatch = gitGuardianDomains.some((domain) => apiUrl.includes(domain));
+  const domainMatch = gitGuardianDomains.some((domain) =>
+    apiUrl.includes(domain)
+  );
   if (domainMatch) {
     return apiUrl.replace(reApi, reDashboard);
   } else {
