Skip to content

CHANGELOG.md

Latest commit

 

History

History
702 lines (451 loc) · 23 KB

CHANGELOG.md

File metadata and controls

702 lines (451 loc) · 23 KB

What's New

Thanks to all our contributors, users, and the many people that make detect-secrets possible! ❤️

If you love detect-secrets, please star our project on GitHub to show your support! ⭐

v0.13.1

March 26th, 2020

🎉 New Features

✨ Usability

  • Support for DETECT_SECRETS_SECURITY_TEAM environment variable to customize the pre-commit hook error message (#283, thanks @0atman)

🐛 Bugfixes

  • Adhoc HighEntropyString scanning supports multiple words (#287)

v0.13.0

October 28th, 2019

📰 News

  • Rationale for the minor version bump:
    • Some accuracy changes that might change baselines significantly
    • @OiCMudkips' first release increases spookiness
    • It being almost Halloweeen increases spookiness

🎉 New Features

✨ Usability

  • Make it easier to add new plugins to detect-secrets (#248)

🔭 Accuracy

  • Exclude NOPASSWD from the keyword detector (#247, thanks @security-architecture)
  • Ignore lines with id in them in the high-entropy plugins (#245)
  • Ignore UUIDs detected by the base64 plugin (#245)

🐛 Bugfixes

  • Fix the signal metric in the audit results view (#251)

v0.12.7

September 23rd, 2019

🎉 New Features

🔭 Accuracy

  • Added a --word-list option for filtering secrets with words in them (#241, do pip install detect-secrets[word_list] to use this feature)

🐛 Bugfixes

v0.12.6

September 16th, 2019

🎉 New Features

🔭 Accuracy

  • Added handling of binary secrets in YAML files (#223)
  • Added various accuracy improvements to the KeywordDetector plugin (#229)

🐛 Bugfixes

  • Fixed a bug in the audit functionality where we crashed when the highlighter failed (#228)
  • Fixed a bug in the audit functionality where there was no (b)ack audit functionality when a secret was not found (#215, thanks @dgzlopes)
  • Fixed a bug where we were not excluding SVG files (#219)

🐍 Miscellaneous

  • Added a unique exit code to identify baseline changes (#214, thanks @lirantal)
  • Updated and ran our pre-commit hooks (#221, thanks @killuazhu)

v0.12.5

July 23rd, 2019

🎉 New Features

  • Added webhook detection to our SlackDetector plugin (#195, thanks @adrianbn)
  • Added support for scanning multiple files (#188, thanks @dgzlopes)
  • Added support for scanning multiple repositories (#193)
  • Added verification for AWS access keys and Slack tokens (#194)
  • Added an audit --display-results feature to aid plugin development (#205)

🔭 Accuracy

  • Improved our Artifactory regex (#195, thanks @adrianbn)
  • Improved sequential string detection to catch the Base64 character set (#207)
  • Moved our sequential string detection so it is used by all plugins (#196)

🎭 Performance

v0.12.4

May 22nd, 2019

📰 News

  • whitelist/blacklist have been replaced with allowlist/denylist (#178, thanks @richo). This includes using # pragma: allowlist secret now for inline allowlisting. # pragma: whitelist secret compatibility will be removed in a later major version bump.

🎉 New Features

🐍 Miscellaneous

  • Improved documentation of regex based detector's in the README (#177, thanks @dgzlopes)

v0.12.3

May 13th, 2019

🎉 New Features

  • Added an ArtifactoryDetector plugin (#157 and #163, thanks @justineyster)
  • Added support for Golang string assignments in the KeywordDetector plugin (#162, thanks @baboateng)
  • Added support for XML inline whitelisting comments (#152, thanks @killuazhu)
  • Added support for text after inline whitelisting comments (#168, thanks @dgzlopes)

🐛 Bugfixes

  • Fixed a bug where filetype detection failed due to an inconsistent configparser import (#155, thanks @Namburgesas)

🐍 Miscellaneous

  • Greatly improved the readability of regular expressions in the KeywordDetector plugin, and the maintainability of the corresponding test (#160 and #161, thanks @baboateng)
  • Added a contribution guide (#166, thanks @zioalex)
  • Documented all of our inline whitelisting directives (#165 and #172, thanks @dgzlopes)

v0.12.2

March 21st, 2019

🐛 Bugfixes

  • Fixed a bug where the improved performance for high-entropy strings (#144) did not work on Python 2 (#147)

v0.12.1

March 21st, 2019

🎉 New Features

🔭 Accuracy

  • For the KeywordDetector plugin: made quotes required for secrets in .cls and .java files, and skipped {{secrets like this}} in YAML files (#133/#145)

🎭 Performance

  • Improved performance when scanning for high-entropy strings (#144, thanks @killuazhu)

🐛 Bugfixes

  • Fixed an uncaught UnicodeEncodeError exception in our ini file parser, when using Python 2 (#143)

🐍 Miscellaneous

  • Fixed the example pre-commit configuration in the README (#135, thanks @nymous) (#138, thanks @neunkasulle)
  • Refactored some audit code into CodeSnippet and CodeSnippetHighlighter classes (#137)

v0.12.0

February 11th, 2019

🎉 New Features

  • Added a SlackDetector plugin (#122, thanks @killuazhu)
  • Added a --use-all-plugins argument to --update that adds all plugins to the baseline (#124, thanks @killuazhu)
  • Added --exclude-files and --exclude-lines arguments to scan (#127)

💥 Breaking Changes

  • Removed the --exclude CLI scan argument (#127)

🔭 Accuracy

  • Reduced false-positives by excluding more characters (!$&\';) in the BasicAuthDetector regex (#126, #123, thanks @killuazhu)
  • Added more to the FALSE_POSITIVES dict for the KeywordDetector plugin, including password (#118)

🐛 Bugfixes

  • Fixed a bug where --update was adding all plugins to the baseline, instead of respecting the plugins used in the baseline (#124, thanks @killuazhu)
  • Fixed an uncaught UnicodeEncodeError exception when scanning non-ini files (e.g. markdown) containing unicode, when using Python 2 (#128, thanks @killuazhu)
  • Fixed a bug where non-ini files (e.g. markdown) containing unicode caused a UnicodeEncodeError exception in the audit functionality, when using Python 2 (#129, thanks @killuazhu)
  • Fixed a bug where non-posix end of line characters caused a "Secret not found on line...." error in the audit functionality (#120, thanks @killuazhu)
  • Fixed a bug where scan_diff, called by detect-secrets-server, was ignoring inline pragma: whitelist secret comments (#127)

🐍 Miscellaneous

v0.11.4

January 7th, 2019

🐛 Bugfixes

  • Fixed a TypeError bug introduced in #111 (#116)

v0.11.3

January 4th, 2019

🐛 Bugfixes

  • Fixed a bug where we were adding an extra-newline in detect-secrets scan output (#111)

🐍 Miscellaneous

  • Reorganized the code, mainly creating a common/ directory (#113)

v0.11.2

January 4th, 2019

🔭 Accuracy

v0.11.1

January 4th, 2019

🎉 New Features

  • Turned the KeywordDetector plugin back on, with new regexes and accuracy improvements (#86)
  • Added an AWSAccessKeyDetector plugin (#100)
  • Added the ability to scan .ini types files that don't have a header (#106)

🔭 Accuracy

  • Add blacklisting of PGP private key headers in PrivateKeyDetector plugin (#104)
  • Reduced false-positives by improving BasicAuthDetector plugin regex (#98)

🐛 Bugfixes

  • Fixed a bug where we were not showing removed lines in the audit functionality (#98)

🐍 Miscellaneous

  • Added whitelist directive regexes to match against inline comment syntaxes in more languages (#105)
  • Refactored various detectors to use RegexBasedDetector (#103)
  • Refactored the BashColor singleton into the colorize function (#109)
  • Small improvements to existing file parsers (#107)
  • Refactored the BasePlugin to use the WHITELIST_REGEX (#99)
  • Removed unidiff from standard dependencies (#101)

v0.11.0

November 26th, 2018

🎉 New Features

  • Made the pre-commit hook automatically update the baseline (#96)
  • Added the audit --diff functionality (#95)

🎨 Display Changes

  • Added display of secret type in audit functionality (#94)

v0.10.5

October 30th, 2018

🎨 Display Changes

  • Added a "Please git add the baseline" message (#89)
  • Improved the "Unable to open baseline file" message (#91)

🐛 Bugfixes

  • Update scan --update results to only propagate is_secret of new secrets (#90)

0.10.4

October 23rd, 2018

💥 Breaking Changes

  • Disabled KeywordDetector plugin temporarily (#89)

🎨 Display Changes

  • Ordered baseline hashes, for better diffs (#84)
  • Added a "Please git add the baseline" message (#89)
  • Improved error messages for pre-commit hook (#85)

🐛 Bugfixes

  • Fixed a couple bugs in the audit functionality, one for small files and the other case-sensitivity in the KeywordDetector plugin (#83, thanks @jkozera)

0.10.3

October 4th, 2018

🎉 New Features

  • Added a KeywordDetector plugin, that was horrible and regretful (#76)

🐛 Bugfixes

  • Fixed a bug in scan --update where we would append the baseline exclude regex to itself (#78)
  • Fixed the regular expression in the BasicAuthDetector plugin so that it didn't run forever (#80)
  • Removed trailing whitespace from scan output (#78)

🐍 Miscellaneous

  • Added command line hints and baseline clarification in the README (#81, thanks @JoshuaRLi)

0.10.2

September 12th, 2018

🎉 New Features

  • Added a (b)ack option to 'Is this a valid secret?' (#72, thanks @cleborys)
  • Added a BasicAuthDetector plugin (#74)
  • Added CLI functionality to check strings in an adhoc manner (#73)

🐛 Bugfixes

  • Added a check to only load json from stdin if it exists (#69, thanks @guykisel)

🐍 Miscellaneous

0.10.1

August 1st, 2018

🐛 Bugfixes

  • Fixed a bug where we didn't skip sequential strings when we should have (#67)

0.10.0

August 1st, 2018

🎉 New Features

  • Scan --all-files option (#57)
  • YAML inline whitelisting support (#50)

💥 Breaking Changes

  • Changed --audit and --scan to audit and scan (#51)
  • Changed scan --import <baseline> to scan --update <baseline> (#58)

🔭 Accuracy

  • Reduced false-positives caused by sequential strings, e.g. ABCDEF (#64)

🐛 Bugfixes

  • Fixed a bug where the pre-commit code would remove the is_secret attribute from audited baselines (#65)
  • Fixed an audit bug where we would crash if a file in the baseline did not exist (#56)
  • Improved the audit functionality to handle short files better (#48)

0.9.1

June 28th, 2018

🐛 Bugfixes

  • Fixed numbering system with interactive audit
  • Fixed "leapfrog" edge case for audit functionality (#47)

0.9.0

June 27th, 2018

🎉 New Features

  • Added ability to migrate baselines from an older version to a newer version
  • Added functionality to audit baseline, to distinguish difference between false and true positives in the baseline file (#44)
  • Upgraded PrivateKeyPlugin: more search parameters, more lines searched, and secret hash created using payload (rather than the entire line content)

💥 Breaking Changes

  • Differentiate between Base64HighEntropyStrings and HexHighEntropyStrings through secret_type (#26)
  • Got rid of SensitivityValues as a means to store plugin configs

🔭 Accuracy

  • Improved the heuristic for HexHighEntropyStrings, reducing the false positive rates for large numbers identified in code

🐛 Bugfixes

  • Baseline always outputs in sorted order now, to prevent unnecessary diffs (#25)
  • Escape exclude regex statements before compilation (#39)
  • Fixed case where details of plugins used were not included in the baseline, when the pre-commit hook updated it (#40)

🐍 Miscellaneous

  • Simplified logging by removing CustomLog (#46)

Before 0.9.0

🎉 New Features

  • Allow scanning of non-git files (#18)

🔭 Accuracy

  • Improved scanning of INI config files with HighEntropyString (#13 and #17)
  • Improved scanning of YAML files with HighEntropyString (#16)

🐛 Bugfixes

  • Fixed PrivateKeyDetector plugin analyze results' representation (#15)

Special thanks to our awesome contributors! 👏