
Incorrect Line in Yaml for false positive #632

Closed
oerp-odoo opened this issue Oct 29, 2022 · 6 comments · Fixed by #679
Labels
bug (The issue describes a malfunctioning aspect of the project.), P3 (When you get around it. E.g. a fix for a non-breaking issue we will work on when there's nothing more.), selected (The issue has been selected to be worked on.)

Comments

@oerp-odoo

My yaml file starts with this content:

---
version: "3.9"

x-common-variables: &common-variables
  POSTGRES_DB: postgres
  POSTGRES_USER: odoo
  POSTGRES_PORT: 5432
  POSTGRES_PASSWORD: odoo

services:
  odoo:

detect-secrets throws:

ERROR: Potential secrets about to be committed to git repo!

Secret Type: Secret Keyword
Location:    src/myproject/docker-compose.yml:11

Saying the potential secret is on line 11, but it's actually on line 8. I found a similar issue here: #503

P.S. Using v1.4.0.

@clonejo

clonejo commented Nov 6, 2022

For one of my yaml files, scan even gives line numbers that are higher than the total number of lines. When running audit, the secret is displayed in cleartext, but it then crashes when trying to find and highlight the code snippet with the secret (#634).

@pyhedgehog

Got the same behaviour: line 220 out of 148. I think it's incorrect parser behaviour: it counts lines after reference (*here -> &here) substitution.

@jpdakran jpdakran added pending The issue still needs to be reviewed by one of the maintainers. triaged The issue has been reviewed but has not been solved yet. bug The issue describes a malfunctioning aspect of the project. P3 When you get around it. E.g. a fix for non-breaking issue we will work on when there's nothing more and removed pending The issue still needs to be reviewed by one of the maintainers. labels Mar 22, 2023
@jpdakran
Member

Hi @oerp-odoo. Thank you for reporting this. Can you please let me know what commands you are running? I tried to reproduce this on my machine and this is my output.

Is it reproducible if you just use those lines in a new file? Ignoring the remainder of the file? I am trying to gauge if there is a parsing issue later in the file that I cannot see.

File test.yaml:

---
version: "3.9"

x-common-variables: &common-variables
  POSTGRES_DB: postgres
  POSTGRES_USER: odoo
  POSTGRES_PORT: 5432
  POSTGRES_PASSWORD: odoo

services:
  odoo:

Scan: detect-secrets -v scan test.yaml --disable-filter detect_secrets.filters.gibberish.should_exclude_secret
Output:

  "results": {
    "test.yaml": [
      {
        "type": "Secret Keyword",
        "filename": "test.yaml",
        "hashed_secret": "2269658f8a074e5c0fbaffd33897bef741e62d8a",
        "is_verified": false,
        "line_number": 8
      }
    ]
  },

Hook: detect-secrets-hook -v test.yaml --disable-filter detect_secrets.filters.gibberish.should_exclude_secret
Output:

[scan]	INFO	Checking file: test.yaml
ERROR: Potential secrets about to be committed to git repo!

Secret Type: Secret Keyword
Location:    test.yaml:8

Possible mitigations:
  - For information about putting your secrets in a safer place, please ask in
    #security
  - Mark false positives with an inline `pragma: allowlist secret`
    comment

If a secret has already been committed, visit
https://help.github.com/articles/removing-sensitive-data-from-a-repository

@oerp-odoo
Author

Hi @jpdakran
I am using pre-commit hook, like:

  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args:
          - --baseline=.secrets.baseline

It happened when I initially added new yml file.

@jpdakran
Member

@oerp-odoo Understood. I just verified that there is an issue with anchors (&), aliases (*) and overrides (<<). Can you verify that your file has these attributes?

@oerp-odoo
Author

@jpdakran yes, it does use that. As you can see in my original post, I have x-common-variables: &common-variables. And then use it as <<: *common-variables or as environment: *common-variables.
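The following is an added example, not code from detect-secrets or from anyone in this thread. It models the hypothesis raised above (line numbers counted after alias substitution) on a constructed compose file: the reporter's header plus an assumed `odoo` service using `<<: *common-variables` and an assumed `db` service using `environment: *common-variables` (image names are invented). `expand_aliases` is a deliberately naive textual substitution, not PyYAML's behaviour, and is used only to show why a substituted view yields line numbers that drift past the real line and can exceed the file length. `find_secret_keywords` is the check a practitioner can run on the raw lines to get a trustworthy line number; it also honours the inline `pragma: allowlist secret` marker that the hook output mentions, and ignores alias and anchor references, which carry no value of their own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the compose header from the issue, extended with two alias
# uses (merge key and plain alias). The services, images and ODOO_RC are assumptions.
SAMPLE_YAML = """\
---
version: "3.9"

x-common-variables: &common-variables
  POSTGRES_DB: postgres
  POSTGRES_USER: odoo
  POSTGRES_PORT: 5432
  POSTGRES_PASSWORD: odoo

services:
  odoo:
    image: odoo:16
    environment:
      <<: *common-variables
      ODOO_RC: /etc/odoo/odoo.conf
  db:
    image: postgres:15
    environment: *common-variables
"""

ANCHOR_RE = re.compile(r'^(\s*)([^\s#][^:]*):\s*&(\S+)\s*$')   # key: &name
MERGE_RE = re.compile(r'^(\s*)<<:\s*\*(\S+)\s*$')              # <<: *name
ALIAS_RE = re.compile(r'^(\s*)([^\s#][^:]*):\s*\*(\S+)\s*$')   # key: *name
# A "Secret Keyword"-style match: a key containing a sensitive word with an
# inline value. Values starting with * or & are references, not literals.
SECRET_KEY_RE = re.compile(
    r'^(\s*)(?P<key>[\w.-]*(?:password|passwd|secret|token|api_?key)[\w.-]*)'
    r'\s*:\s*(?P<value>[^*&\s].*)$',
    re.IGNORECASE,
)
ALLOWLIST_MARK = 'pragma: allowlist secret'


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(' '))


def collect_anchors(lines: List[str]) -> Dict[str, List[str]]:
    """Map anchor name -> dedented body lines of the anchored block mapping."""
    anchors: Dict[str, List[str]] = {}
    for i, line in enumerate(lines):
        m = ANCHOR_RE.match(line)
        if not m:
            continue
        base = len(m.group(1))
        body: List[str] = []
        for nxt in lines[i + 1:]:
            if nxt.strip() == '':
                continue                      # blank lines do not end a block
            if _indent(nxt) <= base:
                break                         # back at the anchor's level: done
            body.append(nxt)
        child = min(_indent(b) for b in body) if body else 0
        anchors[m.group(3)] = [b[child:] for b in body]
    return anchors


def expand_aliases(text: str) -> List[str]:
    """Naive textual model of alias substitution (NOT how PyYAML works): every
    alias is replaced by a copy of the anchored block, so the result has more
    lines than the source and any line number taken from it is unreliable."""
    lines = text.splitlines()
    anchors = collect_anchors(lines)
    out: List[str] = []
    for line in lines:
        m = MERGE_RE.match(line)
        if m:
            out.extend(m.group(1) + b for b in anchors[m.group(2)])
            continue
        m = ALIAS_RE.match(line)
        if m:
            pad, key, name = m.groups()
            out.append(f'{pad}{key}:')
            out.extend(pad + '  ' + b for b in anchors[name])
            continue
        out.append(line)
    return out


def find_secret_keywords(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan raw source lines; return (1-based line number, key) per hit.
    Lines carrying the detect-secrets allowlist pragma are skipped."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        if ALLOWLIST_MARK in line:
            continue
        m = SECRET_KEY_RE.match(line)
        if m:
            hits.append((n, m.group('key')))
    return hits


def scan_report(text: str) -> dict:
    """Accurate line numbers (raw lines) next to the drifted ones (after substitution)."""
    source_lines = text.splitlines()
    expanded = expand_aliases(text)
    return {
        'source_line_count': len(source_lines),
        'expanded_line_count': len(expanded),
        'accurate': find_secret_keywords(source_lines),
        'after_substitution': find_secret_keywords(expanded),
    }


if __name__ == '__main__':
    for k, v in scan_report(SAMPLE_YAML).items():
        print(f'{k}: {v}')
```

On the constructed file the raw scan reports the password once, on line 8, while the substituted view reports it three times (8, 17 and 25) in a file that only has 18 lines, which is the shape of the "line 220 out of 148" symptom. The allowlist pragma and the alias-reference skip are the two checks to keep when using a scan like this to confirm or dispute a hook's reported location.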

@jpdakran jpdakran added selected The issue has been selected to be worked on. and removed triaged The issue has been reviewed but has not been solved yet. labels Mar 31, 2023
@jpdakran jpdakran linked a pull request Mar 31, 2023 that will close this issue

4 participants