Skip to content

fix(secret): ignore .dist-info directories during secret scanning#8646

Merged
DmitriyLewen merged 2 commits intoaquasecurity:mainfrom
ATIC-Yugandhar:fix-Issue-8212
Apr 7, 2025
Merged

fix(secret): ignore .dist-info directories during secret scanning#8646
DmitriyLewen merged 2 commits intoaquasecurity:mainfrom
ATIC-Yugandhar:fix-Issue-8212

Conversation

@ATIC-Yugandhar
Copy link
Copy Markdown
Contributor

@ATIC-Yugandhar ATIC-Yugandhar commented Mar 31, 2025
edited
Loading

Description

According to Python packaging standards, .dist-info directories contain only metadata files such as version, license, and entry points. These directories are typically placed alongside installed packages in site-packages.

Since Trivy's secret scanner does not need to scan these metadata files, doing so can lead to false positives. Therefore, we can safely exclude .dist-info directories using a built-in allow rule.

Reference:

"Each project installed from a distribution must, in addition to files, install a .dist-info directory located alongside importable modules and packages (commonly, the site-packages directory)."

Changes

  • Added a new built-in allow rule to exclude .dist-info/ directories from secret scanning
  • The rule follows the existing MustCompile pattern used for other excluded paths

Related Links

Fixes

Fixes #8212

Checklist

@CLAassistant
Copy link
Copy Markdown

CLAassistant commented Mar 31, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@ATIC-Yugandhar ATIC-Yugandhar marked this pull request as ready for review March 31, 2025 11:08
DmitriyLewen
DmitriyLewen approved these changes Apr 1, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ATIC-Yugandhar Thanks for your work!
LGTM

@DmitriyLewen DmitriyLewen enabled auto-merge April 1, 2025 05:14
@DmitriyLewen DmitriyLewen added this pull request to the merge queue Apr 7, 2025
Merged via the queue into aquasecurity:main with commit a032ad6 Apr 7, 2025
12 checks passed
@aqua-bot aqua-bot mentioned this pull request Apr 7, 2025
Merged
@aqua-bot aqua-bot mentioned this pull request Dec 16, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DmitriyLewen DmitriyLewen DmitriyLewen approved these changes

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat(secret): ignore .dist-info directory for Python projects

3 participants

@ATIC-Yugandhar @CLAassistant @DmitriyLewen