Add --exclude-values arg to detect-aws-credentials

Adds an argument to pass a regex which will exclude any values that match it to not count as a failure. The rationale behind this are test variables, such as those used with LocalStack (in some cases literally `TEST`) are counted as a failure. Adding this parameter will allow bypassing the check for those values only instead of excluding the files from the hook running where _real_ credentials could potentially leak.
2026-04-05 11:36:54 +00:00 · 2023-01-12 11:44:14 -05:00 · 2023-01-12 11:44:14 -05:00 · 0a1e725b63
commit 0a1e725b63
parent 507fb40267
2 changed files with 46 additions and 1 deletions
--- a/tests/detect_aws_credentials_test.py
+++ b/tests/detect_aws_credentials_test.py
@ -4,6 +4,7 @@ from unittest.mock import patch

 import pytest

+from pre_commit_hooks.detect_aws_credentials import filter_keys
 from pre_commit_hooks.detect_aws_credentials import get_aws_cred_files_from_env
 from pre_commit_hooks.detect_aws_credentials import get_aws_secrets_from_env
 from pre_commit_hooks.detect_aws_credentials import get_aws_secrets_from_file
@ -101,6 +102,18 @@ def test_get_aws_secrets_from_file(filename, expected_keys):
    assert keys == expected_keys


+@pytest.mark.parametrize(
+    ('keys', 'exclude', 'expected_ret'),
+    (
+        ({'foo', 'bar'}, '^$', {'foo', 'bar'}),
+        ({'foo', 'bar', 'baz'}, '^bar$', {'foo', 'baz'}),
+        ({'foo', 'bar', 'baz'}, '^ba', {'foo'}),
+    ),
+)
+def test_filter_keys(keys, exclude, expected_ret):
+    assert filter_keys(keys, exclude) == expected_ret
+
+
@pytest.mark.parametrize(
    ('filename', 'expected_retval'),
    (
@ -123,6 +136,26 @@ def test_detect_aws_credentials(filename, expected_retval):
    assert ret == expected_retval


+@pytest.mark.parametrize(
+    ('filename', 'exclude', 'expected_retval'),
+    (
+        ('aws_config_with_secret.ini', '.*rpg.*', 0),
+        ('aws_config_with_multiple_sections.ini', '.*rpg.*', 1),
+    ),
+)
+def test_detect_aws_credentials_with_exclude(
+        filename, exclude, expected_retval,
+):
+    ret = main((
+        get_resource_path(filename),
+        '--exclude-values',
+        exclude,
+        '--credentials-file',
+        'testing/resources/aws_config_with_multiple_sections.ini',
+    ))
+    assert ret == expected_retval
+
+
 def test_allows_arbitrarily_encoded_files(tmpdir):
    src_ini = tmpdir.join('src.ini')
    src_ini.write(