feat(secret_ignore): Add default behavior to ignore secrets using hash

GitGuardian · Sep 12, 2024 · 7498c93 · 7498c93
1 parent 5a57931
commit 7498c93
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 11 deletions.
diff --git a/changelog.d/20240912_120216_salome.voltz_add_ignore_hash_cmd.md b/changelog.d/20240912_120216_salome.voltz_add_ignore_hash_cmd.md
@@ -0,0 +1,3 @@
+### Added
+
+- Default behavior for `ggshield secret ignore` command to allow ignoring secrets using their hash with optional `--name` argument.
diff --git a/ggshield/cmd/secret/ignore.py b/ggshield/cmd/secret/ignore.py
@@ -7,41 +7,69 @@
 from ggshield.core.cache import Cache
 from ggshield.core.config import Config
 from ggshield.core.text_utils import pluralize
+from ggshield.core.types import IgnoredMatch
 
 
 @click.command()
+@click.argument(
+    "hash",
+    nargs=1,
+    type=str,
+    required=False,
+    metavar="HASH",
+)
 @click.option(
     "--last-found",
     is_flag=True,
     help="Ignore secrets found in the last `ggshield secret scan` run.",
 )
+@click.option(
+    "--name",
+    type=str,
+    help="Name of the secret to ignore.",
+)
 @add_common_options()
 @click.pass_context
 def ignore_cmd(
     ctx: click.Context,
+    hash: str,
+    name: str,
     last_found: bool,
     **kwargs: Any,
 ) -> None:
     """
     Ignore some secrets.
 
-    The `secret ignore` command instructs ggshield to ignore secrets it finds during a scan.
+    The `secret ignore` command instructs ggshield to ignore secrets.
 
-    This command needs to be used with an option to determine which secrets it should ignore.
-    For now, it only handles the `--last-found` option, which ignores all secrets found during the last scan.
+    Option `--name` allows to specify the name of the secret to ignore.
+
+    Option `--last-found` ignores all secrets found during the last scan.
 
     The command adds the ignored secrets to the `secrets.ignored-matches` section of your local
     configuration file. If no local configuration file is found, a `.gitguardian.yaml` file is created.
     """
+
+    ctx_obj = ContextObj.get(ctx)
+    config = ctx_obj.config
+    path = config.config_path
+
     if last_found:
-        ctx_obj = ContextObj.get(ctx)
-        config = ctx_obj.config
+        if hash or name:
+            raise click.UsageError(
+                "Option `--last-found` cannot be used with `HASH` or `--name`."
+            )
         nb = ignore_last_found(config, ctx_obj.cache)
-        path = config.config_path
-        secrets_word = pluralize("secret", nb)
-        click.echo(
-            f"Added {nb} {secrets_word} to the `secret.ignored-matches` section of {path}."
-        )
+    else:
+        match = IgnoredMatch(name=name if name else "", match=hash)
+        config.add_ignored_match(match)
+        nb = 1
+
+    config.save()
+    secrets_word = pluralize("secret", nb)
+    click.echo(
+        f"Added {nb} {secrets_word} to the secret.ignored-matches section of {path}."
+    )
 
 
 def ignore_last_found(config: Config, cache: Cache) -> int:
@@ -52,5 +80,4 @@ def ignore_last_found(config: Config, cache: Cache) -> int:
     """
     for secret in cache.last_found_secrets:
         config.add_ignored_match(secret)
-    config.save()
     return len(cache.last_found_secrets)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		### Added

		- Default behavior for `ggshield secret ignore` command to allow ignoring secrets using their hash with optional `--name` argument.