Revert "fix(secrets): remove dups logic (#6655)"

This reverts commit 8513073.
bridgecrewio · Aug 15, 2024 · e976402 · e976402
1 parent 311834f
commit e976402
Showing 1 changed file with 16 additions and 18 deletions.
diff --git a/checkov/secrets/runner.py b/checkov/secrets/runner.py
@@ -77,6 +77,7 @@
 
 CHECK_ID_TO_SECRET_TYPE = {v: k for k, v in SECRET_TYPE_TO_ID.items()}
 
+
 MAX_FILE_SIZE = int(os.getenv('CHECKOV_MAX_FILE_SIZE', '5000000'))  # 5 MB is default limit
 
 
@@ -137,7 +138,7 @@ def run(
         customer_run_config = bc_integration.customer_run_config_response
         plugins_index = 0
         work_dir_obj = None
-        secret_suppressions_ids: list[str] = []
+        secret_suppressions_id: list[str] = []
         work_path = str(os.getenv('WORKDIR')) if os.getenv('WORKDIR') else None
         if work_path is None:
             work_dir_obj = tempfile.TemporaryDirectory()
@@ -147,10 +148,8 @@ def run(
             policies_list = customer_run_config.get('secretsPolicies', [])
             suppressions = customer_run_config.get('suppressions', [])
             if suppressions:
-                secret_suppressions_ids = [
-                    suppression['policyId'] for suppression in suppressions
-                    if suppression['suppressionType'] == 'SecretsPolicy' or suppression['suppressionType'] == 'Policy'
-                ]
+                secret_suppressions_id = [suppression['policyId']
+                                          for suppression in suppressions if suppression['suppressionType'] == 'SecretsPolicy']
             if policies_list:
                 runnable_plugins: dict[str, str] = get_runnable_plugins(policies_list)
                 logging.info(f"Found {len(runnable_plugins)} runnable plugins")
@@ -241,26 +240,29 @@ def run(
                 # secret history
                 added_commit_hash, removed_commit_hash, code_line, added_by, removed_date, added_date = '', '', '', '', '', ''
                 if runner_filter.enable_git_history_secret_scan:
-                    enriched_potential_secret = git_history_scanner. \
+                    enriched_potential_secret = git_history_scanner.\
                         history_store.get_added_and_removed_commit_hash(key, secret, root_folder)
                     added_commit_hash = enriched_potential_secret.get('added_commit_hash') or ''
                     removed_commit_hash = enriched_potential_secret.get('removed_commit_hash') or ''
                     code_line = enriched_potential_secret.get('code_line') or ''
                     added_by = enriched_potential_secret.get('added_by') or ''
                     removed_date = enriched_potential_secret.get('removed_date') or ''
                     added_date = enriched_potential_secret.get('added_date') or ''
-                # run over secret key
-                if isinstance(secret.secret_value, str) and secret.secret_value:
-                    stripped = secret.secret_value.strip(',"')
-                    if stripped != secret.secret_value:
-                        secret_key = f'{key}_{secret.line_number}_{PotentialSecret.hash_secret(stripped)}'
-                if secret.secret_value and is_potential_uuid(
-                        secret.secret_value) and secret.check_id not in secrets_in_uuid_form:
+                    # run over secret key
+                    if isinstance(secret.secret_value, str) and secret.secret_value:
+                        stripped = secret.secret_value.strip(',"')
+                        if stripped != secret.secret_value:
+                            secret_key = f'{key}_{secret.line_number}_{PotentialSecret.hash_secret(stripped)}'
+                if secret.secret_value and is_potential_uuid(secret.secret_value) and secret.check_id not in secrets_in_uuid_form:
                     logging.info(
                         f"Removing secret due to UUID filtering: {PotentialSecret.hash_secret(secret.secret_value)}")
                     continue
+                if secret_key in secret_records.keys():
+                    is_prioritise = self._prioritise_secrets(secret_records, secret_key, check_id)
+                    if not is_prioritise:
+                        continue
                 bc_check_id = metadata_integration.get_bc_id(check_id)
-                if bc_check_id in secret_suppressions_ids:
+                if bc_check_id in secret_suppressions_id:
                     logging.debug(f'Secret was filtered - check {check_id} was suppressed')
                     continue
                 severity = metadata_integration.get_severity(check_id)
@@ -269,10 +271,6 @@ def run(
                     logging.debug(
                         f'Check was suppress - should_run_check. check_id {check_id}')
                     continue
-                if secret_key in secret_records.keys():
-                    is_prioritise = self._prioritise_secrets(secret_records, secret_key, check_id)
-                    if not is_prioritise:
-                        continue
                 result: _CheckResult = {'result': CheckResult.FAILED}
                 try:
                     if runner_filter.enable_git_history_secret_scan and code_line is not None: