You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* feat: add ferret-scan community plugin for sensitive data detection
Adds a new community scanner plugin that integrates ferret-scan for
detecting sensitive data (PII, credentials, secrets) in source code
and documents.
Features:
- Wraps ferret-scan CLI with SARIF output for ASH integration
- Supports configurable confidence levels and check filtering
- Bundled profiles: quick, debug, ci, security-audit, comprehensive
- Version compatibility validation (>=1.0.0, <2.0.0)
- Graceful handling of empty directories and missing dependencies
Includes:
- Plugin module with scanner, config, and documentation
- 64 unit tests with full coverage
- Test data fixtures
- Community plugin registration in .ash_community_plugins.yaml
- CI workflow updates for ferret-scan installation
- Hugo documentation page for the plugin
* remived ferret from .ash.yaml
* updated dev readme
* fixed logging options for plugin so as not to be confused with ash options. updated test data. updated docs.
* suppressed false positives triggered by test data
* fixed windows path separator issue in ferret-scan test
* fixed false positive suppression. fixed ferret-scan config to catch only high confidence matches
* updated documentation to reflect ferret-scan testing changes
* changed test var to prevent triggering false positive
* added a test/validation/hygeine script to improve build success
* replaced false positives in docs
* suppressed false positives in docs
* communit plugins suppression did not work. Re-adding to ash.yaml
* communit plugins suppression did not work. Re-adding to ash.yaml
* fix: remove PyYAML dependency from validate_ferret_plugin.py
Replace yaml.safe_load with stdlib-only line parser for reading
suppressions from .ash_community_plugins.yaml. PyYAML is not
available in the CI test environment where the validation script
runs via subprocess (not uv run).
Fixes TestFerretPluginValidation::test_validate_ferret_plugin_passes
failing on all CI platforms with ModuleNotFoundError: No module named
'yaml'.
* fix: eliminate SECRET-SECRET-KEYWORD trigger from DEVELOPMENT.md line 501
Split API_KEY from the assignment operator in the documentation example
so the keyword + '=' pattern no longer triggers the SECRET-SECRET-KEYWORD
rule. Removed the now-unnecessary suppression entry from the community
plugins config.
* Revert "fix: eliminate SECRET-SECRET-KEYWORD trigger from DEVELOPMENT.md line 501"
This reverts commit 802d496.
* fix: add ferret-scan suppressions to both .ash.yaml and community plugins config
All ferret-related suppressions (DEVELOPMENT.md SECRET-SECRET-KEYWORD,
ferret_scanner.py B404/B603/B607, generate_test_docx.py B311/HEX,
conftest.py SECRET-SECRET-KEYWORD) now appear in both config files
with line numbers for precision.
* docs: update suppression guidance to reflect both config files
Suppressions must be in both .ash.yaml and .ash_community_plugins.yaml.
* fix: eliminate SECRET-SECRET-KEYWORD trigger from DEVELOPMENT.md:501
GitHub code scanning does not honor SARIF suppressions field — alerts
appear regardless. Split API_KEY from assignment operator into separate
inline code spans to break the detection pattern while keeping the
documentation readable. Suppressions remain in both configs as defense
in depth for ASH's own suppression system.
* Bump version to 3.2.0
---------
Co-authored-by: Nikhil Prabhakar <>
Co-authored-by: Rafael Pereyra <31078199+rafaelpereyra@users.noreply.github.com>
0 commit comments