From 4d3469dcf69f9b44a2160ed89053dd6c0692eb7d Mon Sep 17 00:00:00 2001
From: Savvas Kyriacou
Date: Mon, 3 Jun 2024 11:11:39 +0100
Subject: [PATCH] added test files to detect-secrets and audited the secrets

Signed-off-by: Savvas Kyriacou
---
 .secrets.baseline | 4 ++--
 build-locally.sh | 10 +++++++++-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/.secrets.baseline b/.secrets.baseline
index 82286da5..bc173c72 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -1,9 +1,9 @@
 {
 "exclude": {
- "files": ".*/src/test/.*|^.secrets.baseline$",
+ "files": "^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2024-05-31T12:57:28Z",
+ "generated_at": "2024-06-03T10:11:05Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
diff --git a/build-locally.sh b/build-locally.sh
index 1e4cf9d2..27f67a0c 100755
--- a/build-locally.sh
+++ b/build-locally.sh
@@ -210,7 +210,7 @@ function displayCouchDbCodeCoverage {
 function check_secrets {
 h2 "updating secrets baseline"
 cd ${BASEDIR}
- detect-secrets scan --exclude-files '.*/src/test/.*' --update .secrets.baseline
+ detect-secrets scan --update .secrets.baseline
 rc=$?
 check_exit_code $rc "Failed to run detect-secrets. Please check it is installed properly"
 success "updated secrets file"
@@ -219,6 +219,14 @@ function check_secrets {
 detect-secrets audit .secrets.baseline
 rc=$?
 check_exit_code $rc "Failed to audit detect-secrets."
+
+ #Check all secrets have been audited
+ secrets=$(grep -c hashed_secret .secrets.baseline)
+ audits=$(grep -c is_secret .secrets.baseline)
+ if [[ "$secrets" != "$audits" ]]; then
+ error "Not all secrets found have been audited"
+ exit 1
+ fi
 success "secrets audit complete"
 }
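Review bot: The count comparison added to check_secrets only proves that every finding was audited, not what the audit decided — an entry the auditor marked `"is_secret": true` still passes, so a real credential left in the tree ends with a green "secrets audit complete". Add a second gate after the count check, e.g. `grep -q '"is_secret": true' .secrets.baseline && { error "Audited findings marked as real secrets are present"; exit 1; }` (this assumes detect-secrets' one-field-per-line JSON layout, which the count comparison already relies on). Note also that `grep -c` exits 1 when it counts zero matches, so both `$(...)` assignments would abort on a clean baseline if this script ever runs under `set -e`; appending `|| true` to each, or using a JSON-aware count such as `jq '[.results[][] | select(has("is_secret") | not)] | length'` when jq is available, would make the check robust. The comment would read better as `# Check all findings have been audited`. check_secrets itself begins in the previous hunk.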