drop Python 3.7 and update dependencies

.github/workflows/pr.yml

@@ -2,7 +2,11 @@ name: pr
 
 on: pull_request
 
-permissions: read-all
+permissions:
+  contents: read
+
+env:
+  MIN_PYTHON_VERSION: "3.8"
 
 jobs:
   lint:
@@ -16,7 +20,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236  # v4
         with:
-          python-version: 3.7
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
       - name: Install dependencies
         run: |
           pip install --upgrade pip
@@ -30,7 +34,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-        python: ['3.7', '3.8', '3.9', '3.10', '3.11', '3.12']
+        python: ['3.8', '3.9', '3.10', '3.11', '3.12']
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
     - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236  # v3
@@ -41,11 +45,5 @@ jobs:
       run: |
         pip install --upgrade pip
         pip install -r requirements-dev.txt
-    - name: Sets env var for release
-      if: ${{ matrix.os == 'macos-latest' && matrix.python == '3.7' }}
-      run: |
-        # NO_PROXY is needed to call requests API within a forked process
-        # when using macOS and python version 3.7
-        echo "NO_PROXY='*'" >> "$GITHUB_ENV"
     - name: Run tests
       run: pytest --strict-markers -W ignore::UserWarning tests

.github/workflows/release.yml

@@ -13,14 +13,18 @@ on:
       - '.pre-commit-config.yaml'
       - 'requirements-dev.txt'
 
-permissions: read-all
+permissions:
+  contents: read
+
+env:
+  MIN_PYTHON_VERSION: "3.8"
 
 jobs:
   tests:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python: ['3.7', '3.8', '3.9', '3.10', '3.11', '3.12']
+        python: ['3.8', '3.9', '3.10', '3.11', '3.12']
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
     - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236  # v3
@@ -31,12 +35,6 @@ jobs:
       run: |
         pip install --upgrade pip
         pip install -r requirements-dev.txt
-    - name: Sets env var for release
-      if: ${{ matrix.os == 'macos-latest' && matrix.python == '3.7' }}
-      run: |
-        # NO_PROXY is needed to call requests API within a forked process
-        # when using macOS and python version 3.7
-        echo "NO_PROXY='*'" >> "$GITHUB_ENV"
     - name: Run tests
       run: pytest --strict-markers -W ignore::UserWarning tests
 
@@ -55,10 +53,10 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
         with:
           token: ${{ secrets.PAT_TOKEN }}
-      - name: Set up Python 3.7
+      - name: Set up Python
         uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236  # v3
         with:
-          python-version: 3.7
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
       - name: bump version
         id: version
         env:
@@ -95,8 +93,6 @@ jobs:
     needs: bump-version
     runs-on: [self-hosted, public, linux, x64]
     environment: release
-    env:
-      PYTHON_VERSION: "3.7"
     steps:
       - name: Checkout checkov
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
@@ -105,14 +101,14 @@ jobs:
           repository: bridgecrewio/checkov
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236  # v4
         with:
-          python-version: ${{ env.PYTHON_VERSION }}
+          python-version: ${{ env.MIN_PYTHON_VERSION }}
       - name: Prepare PR
         run: |
           # install needed tools
           python -m pip install --no-cache-dir --upgrade pipenv "pipenv-setup[black]" "vistir<0.7.0"
 
           # update Pipfile
-          pipenv --python ${{ env.PYTHON_VERSION }}
+          pipenv --python ${{ env.MIN_PYTHON_VERSION }}
           pipenv install bc-detect-secrets==${{ needs.bump-version.outputs.version }}
           pipenv lock
 

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
 -   repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
     -   id: check-builtin-literals
         args: ['--no-allow-dict-kwargs']
@@ -12,27 +12,22 @@ repos:
     -   id: end-of-file-fixer
     -   id: name-tests-test
     -   id: trailing-whitespace
--   repo: https://github.com/PyCQA/flake8
-    rev: 6.0.0
+-   repo: https://github.com/charliermarsh/ruff-pre-commit
+    rev: v0.1.6
     hooks:
-    -   id: flake8
-        language_version: python3.8
+      - id: ruff
 -   repo: https://github.com/asottile/reorder_python_imports
-    rev: v3.9.0
+    rev: v3.12.0
     hooks:
     -   id: reorder-python-imports
         language_version: python3
         exclude: bumpity.py$
 -   repo: https://github.com/asottile/add-trailing-comma
-    rev: v2.4.0
+    rev: v3.1.0
     hooks:
     -   id: add-trailing-comma
--   repo: https://github.com/pre-commit/mirrors-autopep8
-    rev: v2.0.1
-    hooks:
-    -   id: autopep8
 -   repo: https://github.com/rhysd/actionlint
-    rev: v1.6.23
+    rev: v1.6.26
     hooks:
     -   id: actionlint-docker
         # SC2129 - Consider using { cmd1; cmd2; } >> file instead of individual redirects.

README.md

@@ -1,5 +1,6 @@
 [![Build Status](https://github.com/bridgecrewio/detect-secrets/actions/workflows/release.yml/badge.svg)](https://github.com/bridgecrewio/detect-secrets/actions/workflows/release.yml?query=branch%3Amaster++)
-[![PyPI version](https://badge.fury.io/py/bc-detect-secrets.svg)](https://badge.fury.io/py/bc-detect-secrets)
+[![PyPI](https://img.shields.io/pypi/v/bc-detect-secrets)](https://pypi.org/project/bc-detect-secrets/)
+[![Python Version](https://img.shields.io/pypi/pyversions/bc-detect-secrets)](#)
 
 # detect-secrets
 

detect_secrets/__version__.py

@@ -1 +1 @@
-VERSION = '1.4.30'
+VERSION = '1.5.0'

detect_secrets/audit/analytics.py

@@ -14,7 +14,7 @@
 
 def calculate_statistics_for_baseline(
     filename: str,
-    **kwargs: Any,
+    **kwargs: Any,  # noqa: ARG001
 ) -> 'StatisticsAggregator':
     """
     :raises: InvalidBaselineError

detect_secrets/audit/common.py

@@ -28,7 +28,7 @@ def get_baseline_from_file(filename: str) -> SecretsCollection:
     try:
         # TODO: Should we upgrade this?
         return baseline.load(baseline.load_from_file(filename), filename)
-    except (IOError, json.decoder.JSONDecodeError):
+    except (OSError, json.decoder.JSONDecodeError):
         io.print_error('Not a valid baseline file!')
         raise InvalidBaselineError
     except KeyError:
@@ -157,7 +157,7 @@ def lines(self) -> List[str]:
 
         with self.open_file() as f:
             lines = get_transformed_file(f, use_eager_transformers=self.use_eager_transformers)
-            self._lines = self.raw_lines if not lines else lines
+            self._lines = lines if lines else self.raw_lines
 
         return self._lines
 

detect_secrets/audit/compare.py

@@ -77,10 +77,10 @@ def _compare_baselines(
         if `left_secret` is None, then it's a newly added secret;
         if `right_secret` is None, then it's a deleted secret
     """
-    class LeftSecret(Exception):
+    class LeftSecret(Exception):  # noqa: N818
         pass
 
-    class RightSecret(Exception):
+    class RightSecret(Exception):  # noqa: N818
         pass
 
     left_secrets = [secret for _, secret in old_baseline]
@@ -173,7 +173,7 @@ def _display_difference_to_user(
     new_baseline, new_config = new_data
 
     iterator = BidirectionalIterator(list(_compare_baselines(old_baseline, new_baseline)))
-    for filename, left_secret, right_secret in iterator:
+    for _, left_secret, right_secret in iterator:
         io.clear_screen()
 
         secret = left_secret if left_secret else right_secret

detect_secrets/audit/io.py

@@ -23,7 +23,7 @@ def clear_screen() -> None:     # pragma: no cover
     command = 'clear'
     if platform.system() == 'Windows':
         command = 'cls'
-    os.system(command)
+    os.system(command)  # noqa: S605
 
 
 def print_context(context: SecretContext) -> None:
@@ -96,7 +96,7 @@ def get_user_decision(
     user_input = None
     while user_input not in prompter.valid_input:
         if user_input:
-            print('Invalid input.')     # type: ignore # Statement unreachable? Come on mypy...
+            print('Invalid input.')
 
         user_input = input(str(prompter))
         if user_input:

detect_secrets/audit/report.py

@@ -19,7 +19,7 @@ class SecretClassToPrint(Enum):
     FALSE_POSITIVE = 2
 
     @staticmethod
-    def from_class(secret_class: VerifiedResult) -> 'SecretClassToPrint':
+    def from_class(secret_class: VerifiedResult) -> SecretClassToPrint:
         if secret_class in [VerifiedResult.UNVERIFIED, VerifiedResult.VERIFIED_TRUE]:
             return SecretClassToPrint.REAL_SECRET
         else:
@@ -29,7 +29,7 @@ def from_class(secret_class: VerifiedResult) -> 'SecretClassToPrint':
 def generate_report(
     baseline_file: str,
     class_to_print: SecretClassToPrint | None = None,
-    line_getter_factory: Callable[[str], 'LineGetter'] = open_file,
+    line_getter_factory: Callable[[str], LineGetter] = open_file,
 ) -> Dict[str, List[Dict[str, Any]]]:
 
     secrets: Dict[Tuple[str, str], Any] = {}

detect_secrets/constants.py

@@ -13,7 +13,7 @@ class VerifiedResult(Enum):
     VERIFIED_TRUE = 3
 
     @staticmethod
-    def from_secret(secret: PotentialSecret) -> 'VerifiedResult':
+    def from_secret(secret: PotentialSecret) -> VerifiedResult:
         if secret.is_secret is None:
             return VerifiedResult.UNVERIFIED
         elif secret.is_secret:

detect_secrets/core/baseline.py

@@ -60,7 +60,7 @@ def load_from_file(filename: str) -> Dict[str, Any]:
     try:
         with open(filename) as f:
             return cast(Dict[str, Any], json.loads(f.read()))
-    except (FileNotFoundError, IOError, json.decoder.JSONDecodeError) as e:
+    except (FileNotFoundError, OSError, json.decoder.JSONDecodeError) as e:
         raise UnableToReadBaselineError from e
 
 
@@ -79,7 +79,7 @@ def format_for_output(secrets: SecretsCollection, is_slim_mode: bool = False) ->
     else:
         # NOTE: This has a nice little side effect of keeping it ordered by line number,
         # even though we don't output it.
-        for filename, secret_list in cast(
+        for _, secret_list in cast(
             Dict[str, List[Dict[str, Any]]],
             output['results'],
         ).items():

detect_secrets/core/plugins/__init__.py

@@ -1,2 +1 @@
 from . import initialize    # noqa: F401
-from .util import Plugin    # noqa: F401

detect_secrets/core/plugins/initialize.py

@@ -1,23 +1,27 @@
+from __future__ import annotations
+
 from typing import Any
+from typing import cast
 from typing import Dict
 from typing import Iterable
 from typing import List
-from typing import Type
+from typing import TYPE_CHECKING
 
-from ...plugins.base import BasePlugin
 from ...settings import get_settings
 from ..log import log
 from .util import get_mapping_from_secret_type_to_class
 from .util import get_plugins_from_file
-from .util import Plugin
+
+if TYPE_CHECKING:
+    from detect_secrets.plugins.base import BasePlugin
 
 
 def from_secret_type(secret_type: str) -> BasePlugin:
     """
     :raises: TypeError
     """
     try:
-        plugin_type = get_mapping_from_secret_type_to_class()[secret_type]
+        plugin_type: type[BasePlugin] = get_mapping_from_secret_type_to_class()[secret_type]
     except KeyError:
         raise TypeError
 
@@ -51,19 +55,20 @@ def from_plugin_classname(classname: str) -> BasePlugin:
         raise
 
 
-def from_file(filename: str) -> Iterable[Type[Plugin]]:
+def from_file(filename: str) -> Iterable[type[BasePlugin]]:
     """
     :raises: FileNotFoundError
     :raises: InvalidFile
     """
-    output: List[Type[Plugin]] = []
-    plugin_class: Type[Plugin]
+    output: List[type[BasePlugin]] = []
+    plugin_class: type[BasePlugin]
+    secret_type_classes = get_mapping_from_secret_type_to_class()
     for plugin_class in get_plugins_from_file(filename):
-        secret_type = plugin_class.secret_type  # type: ignore
-        if secret_type in get_mapping_from_secret_type_to_class():
+        secret_type = cast('str', plugin_class.secret_type)
+        if secret_type in secret_type_classes:
             log.info(f'Duplicate plugin detected: {plugin_class.__name__}. Skipping...')
 
-        get_mapping_from_secret_type_to_class()[secret_type] = plugin_class
+        secret_type_classes[secret_type] = plugin_class
         output.append(plugin_class)
 
     return output