horusecCliFilesOrPathsToIgnore apparently being ignored in vscode extension and CI
lays147 opened this issue
What happened: I have configured the horusecCliFilesOrPathsToIgnore option to ignore some folders and files.
How to reproduce it (as minimally and precisely as possible):
NodeJS project with a package-lock.json with pgpass installed.
Horusec-config:

```json
{
  "horusecCliCertInsecureSkipVerify": false,
  "horusecCliFilesOrPathsToIgnore": [
    "*tmp*",
    "**/.vscode/**",
    "docker-compose.yml",
    ".env.sample",
    "package-lock.json",
    "**/.dist/**",
    "**/.coverage/**",
    "**/.coverage-e2e/**"
  ],
  "horusecCliReturnErrorIfFoundVulnerability": false,
  "horusecCliRiskAcceptHashes": null,
  "horusecCliSeveritiesToIgnore": [
    "INFO"
  ],
  "horusecCliShowVulnerabilitiesTypes": [
    "Vulnerability"
  ],
  "horusecCliTimeoutInSecondsAnalysis": 600,
  "horusecCliTimeoutInSecondsRequest": 300,
  "horusecCliFalsePositiveHashes": [
  ]
}
```
Expected result: package-lock.json is ignored on the scan
Actual result: package-lock.json is scanned by horusec:

```text
Column: 11
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /runner/_work/FeeRavManagerAPI/FeeRavManagerAPI/package-lock.json
Code: "pgpass": "1.x"
RuleID: HS-LEAKS-26
Type: Vulnerability
ReferenceHash: dce09eb1eb793933fbfe57a3088b23d04e9a760c5d8fbddf6f1e9a95e222f71e
Details: (1/1) * Possible vulnerability detected: Hard-coded password
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.
```
Also, when using the VsCode addon with the above horusec-config, folders like dist are still being scanned.
Anything else we need to know?:
Environment:
- Horusec version (use horusec version): In the CI I use the config from the docs: curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/main/deployments/scripts/install.sh
- Operating System: In the CI Ubuntu, my machine: Arch Linux
- Others: VsCode: v2.2.8
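The patterns in the config above are a mix of bare filenames ("package-lock.json", "docker-compose.yml", "*tmp*") and anchored globs ("**/.vscode/**"). Whether a bare filename ignores a file depends entirely on what string the scanner feeds the matcher: if it is the full path reported in the finding (/runner/_work/FeeRavManagerAPI/FeeRavManagerAPI/package-lock.json), a bare "package-lock.json" can never match it, whereas "**/package-lock.json" can. The Go program below is an added example, not Horusec's code, and it makes no claim about how Horusec or the VS Code extension actually matches; it is a hypothetical, self-contained doublestar-style matcher used to show how the posted ignore list behaves against full paths, and how the same list behaves once every entry is anchored with "**/". The dist, tmp and .vscode paths are constructed; the package-lock.json path is the one from the finding above. It also shows that "**/.dist/**" (with a leading dot, as in the config) does not cover a directory named dist.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Patterns copied verbatim from the horusec-config posted in the issue.
var issuePatterns = []string{
	"*tmp*", "**/.vscode/**", "docker-compose.yml", ".env.sample",
	"package-lock.json", "**/.dist/**", "**/.coverage/**", "**/.coverage-e2e/**",
}

// The same list with every entry anchored by "**/" so that it matches at any
// depth of the scanned tree. This rewrite is an assumption for the example,
// not something taken from Horusec's documentation.
var anchoredPatterns = []string{
	"**/*tmp*", "**/*tmp*/**", "**/.vscode/**", "**/docker-compose.yml", "**/.env.sample",
	"**/package-lock.json", "**/.dist/**", "**/.coverage/**", "**/.coverage-e2e/**",
}

// matchGlob matches a slash-separated glob against a slash-separated path.
// A "**" segment matches zero or more path segments; every other segment is
// matched with filepath.Match, so "*" and "?" never cross a "/".
func matchGlob(pattern, path string) bool {
	return matchSegs(strings.Split(pattern, "/"), strings.Split(path, "/"))
}

func matchSegs(pat, segs []string) bool {
	if len(pat) == 0 {
		return len(segs) == 0
	}
	if pat[0] == "**" {
		// Try consuming 0..len(segs) segments with the "**".
		for i := 0; i <= len(segs); i++ {
			if matchSegs(pat[1:], segs[i:]) {
				return true
			}
		}
		return false
	}
	if len(segs) == 0 {
		return false
	}
	if ok, err := filepath.Match(pat[0], segs[0]); err != nil || !ok {
		return false
	}
	return matchSegs(pat[1:], segs[1:])
}

// Ignored reports whether any pattern matches the full path. Under this strict
// reading a bare filename such as "package-lock.json" only matches a path that
// consists of exactly that one segment, never a file below some directory.
func Ignored(path string, patterns []string) bool {
	for _, p := range patterns {
		if matchGlob(p, path) {
			return true
		}
	}
	return false
}

// The first path is the one from the finding in the issue; the rest are constructed.
var samplePaths = []string{
	"/runner/_work/FeeRavManagerAPI/FeeRavManagerAPI/package-lock.json",
	"/home/me/proj/dist/bundle.js",
	"/home/me/proj/.dist/bundle.js",
	"/home/me/proj/tmp/cache.bin",
	"/home/me/proj/.vscode/settings.json",
}

func main() {
	fmt.Printf("%-66s %-6s %s\n", "path", "as-is", "anchored")
	for _, p := range samplePaths {
		fmt.Printf("%-66s %-6v %v\n", p, Ignored(p, issuePatterns), Ignored(p, anchoredPatterns))
	}
}
```

Running it shows the package-lock.json path ignored only by the anchored list, the tmp path likewise, the .vscode and .dist paths ignored by both, and a plain dist directory ignored by neither because the config spells it ".dist". If the real scanner matches against full paths, anchoring every entry with "**/" is the first thing to try before filing the glob as a bug; if it matches against paths relative to the project root, the bare entries should work and the report is about something else (for instance which config file the extension-launched container actually reads).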
Same thing here with horusecCliJsonOutputFilepath. It's being completely ignored by the plugin-launched docker process.
Environment:
- Horusec version: v2.8.0 (RPM version)
- OS: Fedora 38 64-bit
- VSCODE version: 1.82.3
- Docker version: 24.0.6