feat(nhi): add secret is_vaulted info in ggshield output

Author: amascia-gg

changelog.d/20250507_145529_achille.mascia_add_nhi_option.md

@@ -0,0 +1,42 @@
+<!--
+A new scriv changelog fragment.
+
+Uncomment the section that is right (remove the HTML comment wrapper).
+For top level release notes, leave all the headers commented out.
+-->
+
+<!--
+### Removed
+
+- A bullet item for the Removed category.
+
+-->
+
+### Added
+
+- Added a new section in ggshield's outputs (text and json) to notify if a secret is in one of the accounts' secrets managers.
+
+<!--
+### Changed
+
+- A bullet item for the Changed category.
+
+-->
+<!--
+### Deprecated
+
+- A bullet item for the Deprecated category.
+
+-->
+<!--
+### Fixed
+
+- A bullet item for the Fixed category.
+
+-->
+<!--
+### Security
+
+- A bullet item for the Security category.
+
+-->

ggshield/verticals/secret/output/schemas.py

@@ -22,6 +22,7 @@ class FlattenedPolicyBreak(BaseSchema):
     incident_details = fields.Nested(SecretIncidentSchema)
     known_secret = fields.Bool(required=True, dump_default=False)
     ignore_reason = fields.Nested(IgnoreReasonSchema, dump_default=None)
+    secret_vaulted = fields.Bool(required=True, dump_default=False)
 
 
 class JSONResultSchema(BaseSchema):

ggshield/verticals/secret/output/secret_json_output_handler.py

@@ -141,6 +141,8 @@ def serialized_secret(
                 secrets[0].ignore_reason
             )
 
+        if secrets[0].is_vaulted:
+            flattened_dict["secret_vaulted"] = secrets[0].is_vaulted
         for secret in secrets:
             flattened_dict["occurrences"].extend(self.serialize_secret_matches(secret))
 

ggshield/verticals/secret/output/secret_text_output_handler.py

@@ -305,8 +305,9 @@ def secret_header(
 {start_line} Secret detected: {secret_type}{validity_msg}
 {indent}Occurrences: {number_occurrences}
 {indent}Known by GitGuardian dashboard: {"YES" if known_secret else "NO"}
-{indent}Incident URL: {secrets[0].incident_url if known_secret and secret.incident_url else "N/A"}
+{indent}Incident URL: {secret.incident_url if known_secret and secret.incident_url else "N/A"}
 {indent}Secret SHA: {ignore_sha}
+{indent}Secret in Secrets Manager: {secret.is_vaulted}
 """
     if secret.documentation_url is not None:
         message += f"{indent}Detector documentation: {secret.documentation_url}\n"

ggshield/verticals/secret/secret_scan_collection.py

@@ -93,6 +93,7 @@ class Secret:
     matches: List[ExtendedMatch]
     ignore_reason: Optional[IgnoreReason]
     diff_kind: Optional[DiffKind]
+    is_vaulted: bool
 
     @property
     def policy(self) -> str:
@@ -199,6 +200,7 @@ def from_scan_result(
                 ],
                 ignore_reason=ignore_reason,
                 diff_kind=policy_break.diff_kind,
+                is_vaulted=policy_break.is_vaulted,
             )
             for policy_break, ignore_reason in to_keep
         ]

tests/factories.py

@@ -67,6 +67,7 @@ class Meta:
     known_secret = False
     incident_url = None
     is_excluded = False
+    is_vaulted = False
     exclude_reason = None
     diff_kind = None
     content = factory.Faker("text")

tests/unit/verticals/secret/output/test_json_output.py

@@ -652,3 +652,35 @@ def test_ignore_reason(ignore_reason, expected_output):
 
     parsed_incidents = json.loads(output)["entities_with_incidents"][0]["incidents"]
     assert parsed_incidents[0]["ignore_reason"] == expected_output
+
+
+@pytest.mark.parametrize(
+    "is_vaulted",
+    (True, False),
+)
+def test_vaulted_secret(is_vaulted: bool):
+    """
+    GIVEN an result
+    WHEN it is passed to the json output handler
+    THEN the vaulted_secret field is as expected
+    """
+
+    secret_config = SecretConfig()
+    scannable = ScannableFactory()
+    policy_break = PolicyBreakFactory(content=scannable.content, is_vaulted=is_vaulted)
+    result = Result.from_scan_result(
+        scannable, ScanResultFactory(policy_breaks=[policy_break]), secret_config
+    )
+
+    output_handler = SecretJSONOutputHandler(secret_config=secret_config, verbose=False)
+
+    output = output_handler._process_scan_impl(
+        SecretScanCollection(
+            id="scan",
+            type="scan",
+            results=Results(results=[result], errors=[]),
+        )
+    )
+
+    parsed_incidents = json.loads(output)["entities_with_incidents"][0]["incidents"]
+    assert parsed_incidents[0]["vaulted_secret"] == is_vaulted

tests/unit/verticals/secret/output/test_text_output.py

@@ -264,3 +264,37 @@ def test_ignore_reason(ignore_reason):
     else:
         assert "Ignored:" in output
         assert ignore_reason.to_human_readable() in output
+
+
+@pytest.mark.parametrize(
+    "is_vaulted",
+    (True, False),
+)
+def test_vaulted_secret(is_vaulted: bool):
+    """
+    GIVEN a secret
+    WHEN it is passed to the text output handler
+    THEN the vaulted_secret field is displayed as expected
+    """
+
+    secret_config = SecretConfig()
+    scannable = ScannableFactory()
+    policy_break = PolicyBreakFactory(content=scannable.content, is_vaulted=is_vaulted)
+    result = Result.from_scan_result(
+        scannable, ScanResultFactory(policy_breaks=[policy_break]), secret_config
+    )
+
+    output_handler = SecretTextOutputHandler(secret_config=secret_config, verbose=False)
+
+    output = output_handler._process_scan_impl(
+        SecretScanCollection(
+            id="scan",
+            type="scan",
+            results=Results(results=[result], errors=[]),
+        )
+    )
+
+    if is_vaulted:
+        assert "Secret in Secrets Manager: True" in output
+    else:
+        assert "Secret in Secrets Manager: False" in output