Open
Description
I don't understand how I can use the template that other issues seem to be using. I'll try to follow it manually.
- I'm submitting a bug report
- What is the current behavior?
detect-secrets-hook does not scan for secrets in the provided baseline file. But this only works if the baseline path is provided in a certain way. E.g. `git ls-files -z | xargs -0 detect-secrets-hook --json --baseline secrets.baseline` works as expected. But `git ls-files -z | xargs -0 detect-secrets-hook --json --baseline ./secrets.baseline` will report secret findings in the `secrets.baseline` file itself, i.e.:
{
"version": "1.5.0",
"plugins_used": [..],
"filters_used": [..],
"results": {
"secrets.baseline": [
{
"type": "Hex High Entropy String",
"filename": "secrets.baseline",
"hashed_secret": "7f1d53f684cf5b3fa755e815eb7648df53d04965",
"is_verified": false,
"line_number": 130
}]
}
- If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.
As outlined above:
- Create a baseline for a repo with findings.
  `detect-secrets scan > secrets.baseline`
- Stage the baseline.
  `git add secrets.baseline`
- Run the hook on that repo, passing the baseline with `./` as path prefix.
  `git ls-files -z | xargs -0 detect-secrets-hook --json --baseline ./secrets.baseline`
- What is the expected behavior?
The provided baseline file is not scanned, irrespective of how its path is referenced when calling `detect-secrets-hook`. That is, the path to the baseline file should be normalized internally.
- What is the motivation / use case for changing the behavior?
The current behavior is clearly a bug.
- Please tell us about your environment:
detect-secrets Version: 1.5.0
OS Version: Fedora 40 and Python Version: 3.10
and
OS Version: macOS ?? and Python Version ?? (detect-secrets 1.5.0 Installed via brew)
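
The path-spelling mismatch reported above, as an added example that is not part of the original issue and not detect-secrets' own code. It assumes the baseline is excluded by comparing path strings as given; the function names and the sample file list are hypothetical.

```python
import os

# Constructed sample: what `git ls-files` would hand to the hook.
SAMPLE_FILES = ["secrets.baseline", "src/app.py", "docs/readme.md"]


def naive_exclude(filenames, baseline_path):
    """Drop the baseline by raw string comparison (assumed buggy behaviour).

    Only matches when the --baseline argument is spelled exactly like the
    entry in the file list, so "./secrets.baseline" slips through.
    """
    return [f for f in filenames if f != baseline_path]


def _canonical(path, root):
    # Anchor relative paths at root, collapse "./" and "../" segments,
    # resolve symlinks, and fold case on case-insensitive platforms.
    return os.path.normcase(os.path.realpath(os.path.join(root, path)))


def normalized_exclude(filenames, baseline_path, root="."):
    """Drop the baseline after canonicalising both sides of the comparison."""
    target = _canonical(baseline_path, root)
    return [f for f in filenames if _canonical(f, root) != target]


def compare(baseline_arg, root="."):
    """Return (naive_result, normalized_result) for one --baseline spelling."""
    return (
        naive_exclude(SAMPLE_FILES, baseline_arg),
        normalized_exclude(SAMPLE_FILES, baseline_arg, root),
    )


if __name__ == "__main__":
    spellings = [
        "secrets.baseline",
        "./secrets.baseline",
        "docs/../secrets.baseline",
        os.path.abspath("secrets.baseline"),
    ]
    for arg in spellings:
        naive, normalized = compare(arg)
        print(f"--baseline {arg}")
        print(f"  naive still scans baseline:      {'secrets.baseline' in naive}")
        print(f"  normalized still scans baseline: {'secrets.baseline' in normalized}")
```
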