Address review comments

Author: sushantmimani

docs/source/features.rst

@@ -280,14 +280,16 @@ digests. To avoid these false positives, enable ``exclude-entropy-patterns``. Ex
 apply to any strings flagged by entropy checks. This option is not available on the command line,
 and must be specified in your config file.
 
-For example, if ``docs/README.md`` contains a git SHA, this would be flagged by entropy.
+For example, if ``docs/README.md`` contains a git SHA and `.github/workflows/*.yml` containes pinned git SHAs
+this would be flagged by entropy.
 To exclude this, add an entry to ``exclude-entropy-patterns`` in the config file.
 
 .. code-block:: toml
 
     [tool.tartufo]
     exclude-entropy-patterns = [
         {path-pattern = 'docs/.*\.md$', pattern = '^[a-zA-Z0-9]$', reason = 'exclude all git SHAs in the docs'},
+        {path-pattern = '\.github/workflows/.*\.yml', pattern = 'uses: .*@[a-zA-Z0-9]{40}', reason = 'GitHub Actions'}
     ]
 
 Thanks to the magic of TOML, you could also split these out into their own tables

tartufo/config.py

@@ -19,11 +19,12 @@
 import tomlkit
 
 from tartufo import types, util
-from tartufo.types import ConfigException, Rule
+from tartufo.types import ConfigException, Rule, MatchType, Scope
 
 OptionTypes = Union[str, int, bool, None, TextIO, Tuple[TextIO, ...]]
 
 DEFAULT_PATTERN_FILE = pathlib.Path(__file__).parent / "data" / "default_regexes.json"
+EMPTY_PATTERN = re.compile("")
 
 
 def load_config_from_path(
@@ -218,16 +219,16 @@ def load_rules_from_file(rules_file: TextIO) -> Dict[str, Rule]:
                 pattern=re.compile(rule_definition["pattern"]),
                 path_pattern=re.compile(path_pattern)
                 if path_pattern
-                else re.compile(""),
-                re_match_type="match",
+                else EMPTY_PATTERN,
+                re_match_type=MatchType.Match,
                 re_match_scope=None,
             )
         except AttributeError:
             rule = Rule(
                 name=rule_name,
                 pattern=re.compile(rule_definition),
                 path_pattern=None,
-                re_match_type="match",
+                re_match_type=MatchType.Match,
                 re_match_scope=None,
             )
         rules[rule_name] = rule
@@ -262,8 +263,8 @@ def compile_rules(patterns: Iterable[Union[str, Dict[str, str]]]) -> List[Rule]:
                     name=pattern.get("reason", None),  # type: ignore[union-attr]
                     pattern=re.compile(pattern["pattern"]),  # type: ignore[index]
                     path_pattern=re.compile(pattern.get("path-pattern", "")),  # type: ignore[union-attr]
-                    re_match_type=pattern.get("match-type", "search"),  # type: ignore[union-attr]
-                    re_match_scope=pattern.get("scope", "line"),  # type: ignore[union-attr]
+                    re_match_type=pattern.get("match-type", MatchType.Search),  # type: ignore[union-attr]
+                    re_match_scope=pattern.get("scope", Scope.Line),  # type: ignore[union-attr]
                 )
                 for pattern in patterns
             }

tartufo/scanner.py

@@ -28,7 +28,13 @@
 import pygit2
 
 from tartufo import config, types, util
-from tartufo.types import BranchNotFoundException, Rule, TartufoException
+from tartufo.types import (
+    BranchNotFoundException,
+    Rule,
+    TartufoException,
+    MatchType,
+    Scope,
+)
 
 BASE64_REGEX = re.compile(r"[A-Z0-9+/_-]+={,2}", re.IGNORECASE)
 HEX_REGEX = re.compile(r"[0-9A-F]+", re.IGNORECASE)
@@ -356,16 +362,16 @@ def rule_matches(rule: Rule, string: str, line: str, path: str) -> bool:
         :return: True if string and path matched, False otherwise.
         """
         match = False
-        if rule.re_match_scope == "word":
+        if rule.re_match_scope == Scope.Word:
             scope = string
         else:
             scope = line
-        if rule.re_match_type == "match":
+        if rule.re_match_type == MatchType.Match:
             if rule.pattern:
                 match = rule.pattern.match(scope) is not None
             if rule.path_pattern:
                 match = match and rule.path_pattern.match(path) is not None
-        elif rule.re_match_type == "search":
+        elif rule.re_match_type == MatchType.Search:
             if rule.pattern:
                 match = rule.pattern.search(scope) is not None
             if rule.path_pattern:

tartufo/types.py

@@ -1,7 +1,7 @@
 # pylint: disable=too-many-instance-attributes
 import enum
 from dataclasses import dataclass
-from typing import Any, Dict, Optional, TextIO, Tuple, Pattern
+from typing import Any, Dict, Optional, TextIO, Tuple, Pattern, Union
 
 
 @dataclass
@@ -72,31 +72,31 @@ class Chunk:
     metadata: Dict[str, Any]
 
 
+class MatchType(enum.Enum):
+    Match = "match"  # pylint: disable=invalid-name
+    Search = "search"  # pylint: disable=invalid-name
+
+
+class Scope(enum.Enum):
+    Word = "word"  # pylint: disable=invalid-name
+    Line = "line"  # pylint: disable=invalid-name
+
+
 @dataclass
 class Rule:
     __slots__ = ("name", "pattern", "path_pattern", "re_match_type", "re_match_scope")
     name: Optional[str]
     pattern: Pattern
     path_pattern: Optional[Pattern]
-    re_match_type: str
-    re_match_scope: Optional[str]
+    re_match_type: Union[str, MatchType]
+    re_match_scope: Optional[Union[str, Scope]]
 
     def __hash__(self) -> int:
         if self.path_pattern:
             return hash(f"{self.pattern.pattern}::{self.path_pattern.pattern}")
         return hash(self.pattern.pattern)
 
 
-class MatchType(enum.Enum):
-    Match = "match"  # pylint: disable=invalid-name
-    Search = "search"  # pylint: disable=invalid-name
-
-
-class Scope(enum.Enum):
-    Word = "word"  # pylint: disable=invalid-name
-    Line = "line"  # pylint: disable=invalid-name
-
-
 class LogLevel(enum.IntEnum):
     ERROR = 0
     WARNING = 1

tests/test_base_scanner.py

@@ -5,7 +5,7 @@
 
 from tartufo import scanner, types
 from tartufo.scanner import Issue
-from tartufo.types import GlobalOptions, Rule
+from tartufo.types import GlobalOptions, Rule, MatchType
 
 from tests.helpers import generate_options
 
@@ -308,21 +308,21 @@ def test_all_regex_rules_are_checked(self):
                 name=None,
                 pattern=rule_1,
                 path_pattern=None,
-                re_match_type="match",
+                re_match_type=MatchType.Match,
                 re_match_scope=None,
             ),
             "bar": Rule(
                 name=None,
                 pattern=rule_2,
                 path_pattern=rule_2_path,
-                re_match_type="match",
+                re_match_type=MatchType.Match,
                 re_match_scope=None,
             ),
             "not-found": Rule(
                 name=None,
                 pattern=rule_3,
                 path_pattern=rule_3_path,
-                re_match_type="match",
+                re_match_type=MatchType.Match,
                 re_match_scope=None,
             ),
         }
@@ -345,7 +345,7 @@ def test_issue_is_not_created_if_signature_is_excluded(
                 name=None,
                 pattern=re.compile("foo"),
                 path_pattern=None,
-                re_match_type="match",
+                re_match_type=MatchType.Match,
                 re_match_scope=None,
             )
         }
@@ -365,7 +365,7 @@ def test_issue_is_returned_if_signature_is_not_excluded(
                 name=None,
                 pattern=re.compile("foo"),
                 path_pattern=None,
-                re_match_type="match",
+                re_match_type=MatchType.Match,
                 re_match_scope=None,
             )
         }

tests/test_config.py

@@ -9,7 +9,7 @@
 from click.testing import CliRunner
 
 from tartufo import config, types
-from tartufo.types import Rule
+from tartufo.types import Rule, MatchType, Scope
 
 from tests import helpers
 
@@ -23,14 +23,14 @@ def test_configure_regexes_rules_files_without_defaults(self):
                 name="RSA private key 2",
                 pattern=re.compile("-----BEGIN EC PRIVATE KEY-----"),
                 path_pattern=None,
-                re_match_type="match",
+                re_match_type=MatchType.Match,
                 re_match_scope=None,
             ),
             "Complex Rule": Rule(
                 name="Complex Rule",
                 pattern=re.compile("complex-rule"),
                 path_pattern=re.compile("/tmp/[a-z0-9A-Z]+\\.(py|js|json)"),
-                re_match_type="match",
+                re_match_type=MatchType.Match,
                 re_match_scope=None,
             ),
         }
@@ -54,14 +54,14 @@ def test_configure_regexes_rules_files_with_defaults(self):
             name="RSA private key 2",
             pattern=re.compile("-----BEGIN EC PRIVATE KEY-----"),
             path_pattern=None,
-            re_match_type="match",
+            re_match_type=MatchType.Match,
             re_match_scope=None,
         )
         expected_regexes["Complex Rule"] = Rule(
             name="Complex Rule",
             pattern=re.compile("complex-rule"),
             path_pattern=re.compile("/tmp/[a-z0-9A-Z]+\\.(py|js|json)"),
-            re_match_type="match",
+            re_match_type=MatchType.Match,
             re_match_scope=None,
         )
 
@@ -144,14 +144,14 @@ def test_configure_regexes_includes_rules_from_rules_repo(self):
                 name="RSA private key 2",
                 pattern=re.compile("-----BEGIN EC PRIVATE KEY-----"),
                 path_pattern=None,
-                re_match_type="match",
+                re_match_type=MatchType.Match,
                 re_match_scope=None,
             ),
             "Complex Rule": Rule(
                 name="Complex Rule",
                 pattern=re.compile("complex-rule"),
                 path_pattern=re.compile("/tmp/[a-z0-9A-Z]+\\.(py|js|json)"),
-                re_match_type="match",
+                re_match_type=MatchType.Match,
                 re_match_scope=None,
             ),
         }
@@ -320,22 +320,22 @@ def test_path_is_used(self):
                         None,
                         re.compile(r"^[a-zA-Z0-9]{26}$"),
                         re.compile(r"src/.*"),
-                        re_match_type="search",
-                        re_match_scope="line",
+                        re_match_type=MatchType.Search,
+                        re_match_scope=Scope.Line,
                     ),
                     Rule(
                         None,
                         re.compile(r"^[a-zA-Z0-9]test$"),
                         re.compile(r""),
-                        re_match_type="search",
-                        re_match_scope="line",
+                        re_match_type=MatchType.Search,
+                        re_match_scope=Scope.Line,
                     ),
                     Rule(
                         None,
                         re.compile(r"^[a-zA-Z0-9]{26}::test$"),
                         re.compile(r"src/.*"),
-                        re_match_type="search",
-                        re_match_scope="line",
+                        re_match_type=MatchType.Search,
+                        re_match_scope=Scope.Line,
                     ),
                 }
             ),
@@ -354,8 +354,8 @@ def test_match_can_contain_delimiter(self):
                     None,
                     re.compile(r"^[a-zA-Z0-9]::test$"),
                     re.compile(r""),
-                    re_match_type="search",
-                    re_match_scope="line",
+                    re_match_type=MatchType.Search,
+                    re_match_scope=Scope.Line,
                 )
             ],
         )