Bug Description
The ignore_paths configuration in ash.yaml under global_settings is not being
used by the detect-secrets scanner. Files listed in ignore_paths are still being
scanned and reported as findings.
Steps to Reproduce
- Create an ash.yaml configuration with ignore_paths:

  ```yaml
  global_settings:
    ignore_paths:
      - path: ".cruft.json"
        reason: "Template metadata file"
  ```

- Run an ASH scan
- Observe that .cruft.json is still scanned and findings are reported
Expected Behavior
Files listed in global_settings.ignore_paths should be excluded from scanning by
all scanners.
Actual Behavior
The detect-secrets scanner ignores the global_ignore_paths parameter and scans
all files returned by scan_set(), which only respects .gitignore and .ignore
files.
Root Cause
In `automated_security_helper/plugin_modules/ash_builtin/scanners/detect_secrets_scanner.py`
at lines 277-285, the scanner calls scan_set() without passing the
global_ignore_paths:
```python
scannable = [
    str(item)
    for item in (
        ...
        else scan_set(
            source=self.context.source_dir,
            output=self.context.output_dir,
        )
    )
    ...
]
```
The global_ignore_paths parameter is received by the scan() method but never
used.
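As an added, stand-alone illustration (not ASH's own code, and not a proposed patch to detect_secrets_scanner.py), the following filter shows what honouring global_settings.ignore_paths would look like if it were applied to the file list after scan_set() returns and before detect-secrets sees it. The entry shape (`path` plus `reason`), the names `IgnorePath`, `load_ignore_paths`, `matches_ignore` and `apply_global_ignore_paths`, the matching semantics (shell globs via fnmatch plus directory-prefix entries) and the sample file list are all assumptions; ASH's real scan_set() and ignore_paths semantics may differ.

```python
"""Illustrative (not ASH's own) filter that honours global_settings.ignore_paths."""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import Path, PurePosixPath
from typing import Iterable


@dataclass(frozen=True)
class IgnorePath:
    """One entry of global_settings.ignore_paths (assumed shape: path + reason)."""
    path: str
    reason: str = ""


def load_ignore_paths(config: dict) -> list[IgnorePath]:
    """Read ignore entries from an already-parsed ash.yaml (e.g. yaml.safe_load output)."""
    entries = config.get("global_settings", {}).get("ignore_paths", []) or []
    return [IgnorePath(str(e["path"]), str(e.get("reason", ""))) for e in entries]


def matches_ignore(rel_path: str, pattern: str) -> bool:
    """Assumed semantics: a shell-glob match on the source-relative path, or the
    pattern names a directory (optionally with a trailing '/') that is an ancestor
    of the file. Caveat: fnmatch's '*' also crosses '/' (unlike gitignore), so
    '*.txt' would match 'tests/data/x.txt'."""
    if fnmatchcase(rel_path, pattern):
        return True
    dir_pattern = pattern.rstrip("/")
    parts = PurePosixPath(rel_path).parts
    return any(fnmatchcase("/".join(parts[:i]), dir_pattern) for i in range(1, len(parts)))


def apply_global_ignore_paths(
    scannable: Iterable[str], source_dir: str, ignore_paths: Iterable[IgnorePath]
) -> tuple[list[str], dict[str, str]]:
    """Split the scanner's candidate list into (files to scan, {excluded rel path: reason})."""
    src = Path(source_dir)
    rules = list(ignore_paths)
    kept: list[str] = []
    excluded: dict[str, str] = {}
    for item in scannable:
        p = Path(item)
        try:
            rel = p.relative_to(src).as_posix()
        except ValueError:  # not under source_dir: match on the raw path instead
            rel = p.as_posix()
        # First matching rule wins; an empty reason still counts as a match.
        reason = next((r.reason for r in rules if matches_ignore(rel, r.path)), None)
        if reason is None:
            kept.append(item)
        else:
            excluded[rel] = reason
    return kept, excluded


# Constructed sample input: what ash.yaml would parse to, and a file list that
# scan_set() might return for the source tree. Both are made up for this example.
SAMPLE_SOURCE_DIR = "/repo"
SAMPLE_CONFIG = {
    "global_settings": {
        "ignore_paths": [
            {"path": ".cruft.json", "reason": "Template metadata file"},
            {"path": "vendor/", "reason": "Third-party code"},
            {"path": "tests/fixtures/*", "reason": "Test fixtures"},
        ]
    }
}
SAMPLE_FILES = [
    "/repo/.cruft.json",
    "/repo/src/app.py",
    "/repo/vendor/lib/x.js",
    "/repo/tests/fixtures/secret.txt",
]


def run_example() -> tuple[list[str], dict[str, str]]:
    return apply_global_ignore_paths(
        SAMPLE_FILES, SAMPLE_SOURCE_DIR, load_ignore_paths(SAMPLE_CONFIG)
    )


if __name__ == "__main__":
    kept, excluded = run_example()
    for f in kept:
        print("scan   ", f)
    for rel, why in excluded.items():
        print("ignore ", rel, "-", why or "(no reason given)")
```

Keeping the excluded paths together with their configured reason is deliberate: a scanner that silently drops files is hard to audit, so the reason can be surfaced in the scan report alongside the list of files that were actually checked.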
Environment
• ASH Version: 3.1.2
• Scanner: detect-secrets