Merge pull request #1166 from GitGuardian/feat/display-warning-if-cache-unignored

6d7a · web-flow · commit c1035090874b · 2026-01-13T20:02:28.000+01:00
feat(cache): automatically add .cache_ggshield to .gitignore
diff --git a/changelog.d/20260108_120953_kevin.westphal_display_warning_if_cache_unignored.md b/changelog.d/20260108_120953_kevin.westphal_display_warning_if_cache_unignored.md
@@ -0,0 +1,42 @@
+<!--
+A new scriv changelog fragment.
+
+Uncomment the section that is right (remove the HTML comment wrapper).
+For top level release notes, leave all the headers commented out.
+-->
+
+<!--
+### Removed
+
+- A bullet item for the Removed category.
+
+-->
+
+### Added
+
+- Display a warning if .cache_ggshield is not ignored in a git repository.
+
+<!--
+### Changed
+
+- A bullet item for the Changed category.
+
+-->
+<!--
+### Deprecated
+
+- A bullet item for the Deprecated category.
+
+-->
+<!--
+### Fixed
+
+- A bullet item for the Fixed category.
+
+-->
+<!--
+### Security
+
+- A bullet item for the Security category.
+
+-->
diff --git a/ggshield/core/cache.py b/ggshield/core/cache.py
@@ -6,6 +6,7 @@
 from ggshield.core.constants import CACHE_PATH
 from ggshield.core.errors import UnexpectedError
 from ggshield.core.types import IgnoredMatch
+from ggshield.utils.git_shell import gitignore, is_gitignored
 
 
 SECRETS_CACHE_KEY = "last_found_secrets"
@@ -19,6 +20,9 @@ def __init__(self) -> None:
         self.load_cache()
 
     def load_cache(self) -> None:
+        if self.cache_path.is_file() and is_gitignored(self.cache_path) is False:
+            gitignore(self.cache_path)
+
         if not self.cache_path.is_file() or self.cache_path.stat().st_size == 0:
             return
 
diff --git a/ggshield/utils/git_shell.py b/ggshield/utils/git_shell.py
@@ -487,3 +487,41 @@ def get_default_branch(wd: Optional[Union[str, Path]] = None) -> str:
         return git(["config", "init.defaultBranch"], cwd=wd).strip()
 
     return default_branch
+
+
+def is_gitignored(path: Path) -> Optional[bool]:
+    """
+    Returns True if the path is ignored by git, False if it is not,
+        or None if git is not available or the directory is not a git repository.
+    :param path: path to the file or directory to check
+    """
+    working_dir = Path.cwd()
+    if not is_git_available() or not is_git_dir(working_dir):
+        return None
+    else:
+        res = git(["check-ignore", "--", path.as_posix()], cwd=working_dir, check=False)
+        return res == path.as_posix()
+
+
+def gitignore(path: Path):
+    """
+    Tries to add a path to the gitignore file.
+    :param path: path to the file or directory to add to .gitignore
+    """
+    working_dir = Path.cwd()
+
+    if not is_git_available() or not is_git_dir(working_dir):
+        return
+
+    repo_root = _git_rev_parse(option="--show-toplevel", wd=working_dir)
+    if repo_root is not None:
+        try:
+            with open(Path(repo_root) / ".gitignore", "a") as f:
+                f.write("\n# Added by ggshield\n")
+                f.write(path.as_posix() + "\n")
+        except OSError:
+            logger.debug(
+                "Failed to add %s to .gitignore in %s",
+                path,
+                working_dir,
+            )
diff --git a/tests/unit/core/test_cache.py b/tests/unit/core/test_cache.py
@@ -1,12 +1,16 @@
 import json
 import os
+from pathlib import Path
 
 import pytest
 import yaml
 
 from ggshield.core.cache import Cache
 from ggshield.core.config import Config
 from ggshield.core.types import IgnoredMatch
+from ggshield.utils.git_shell import is_gitignored
+from ggshield.utils.os import cd
+from tests.repository import Repository
 
 
 @pytest.mark.usefixtures("isolated_fs")
@@ -86,3 +90,21 @@ def test_max_commits_for_hook_setting(self):
 
         config = Config()
         assert config.user_config.max_commits_for_hook == 75
+
+
+def test_auto_ignore_cache_file(tmp_path):
+    """
+    GIVEN a cache file in a git repository
+    WHEN it is not ignored by git
+    THEN the cache file is automatically added to the gitignore file
+    """
+    Repository.create(tmp_path)
+
+    with open(tmp_path / ".cache_ggshield", "w") as file:
+        json.dump({"last_found_secrets": [{"name": "", "match": "XXX"}]}, file)
+
+    with cd(str(tmp_path)):
+        assert not is_gitignored(Path(".cache_ggshield"))
+
+        Cache()
+        assert is_gitignored(Path(".cache_ggshield"))
diff --git a/tests/unit/utils/test_git_shell.py b/tests/unit/utils/test_git_shell.py
@@ -1,3 +1,4 @@
+import logging
 import os
 import platform
 import subprocess
@@ -24,8 +25,10 @@
     get_staged_filepaths,
     git,
     git_ls_unstaged,
+    gitignore,
     is_git_available,
     is_git_dir,
+    is_gitignored,
     is_valid_git_commit_ref,
     simplify_git_url,
 )
@@ -680,3 +683,87 @@ def test_git_command_includes_longpaths_on_windows(mock_run):
         assert (
             not longpaths_included
         ), f"core.longpaths=true found in command: {command}"
+
+
+def test_check_if_path_is_gitignored(tmp_path):
+    # GIVEN a repository
+    repo = Repository.create(tmp_path)
+    repo.create_commit()
+
+    # WHEN checking if the path is ignored
+    with cd(str(repo.path)):
+        not_ignored = is_gitignored(Path("*.pyc"))
+        with open(repo.path / ".gitignore", "w") as f:
+            f.write("*.pyc")
+        ignored = is_gitignored(Path("*.pyc"))
+
+    # THEN the correct value is returned
+    assert ignored
+    assert not_ignored is False
+
+
+def test_check_if_path_is_gitignored_no_repo(tmp_path):
+    # GIVEN a directory that is not a git repository
+    # WHEN checking if the path is ignored
+    with cd(str(tmp_path)):
+        no_git = is_gitignored(Path("*.pyc"))
+
+    # THEN None is returned
+    assert no_git is None
+
+
+def test_gitignore(tmp_path):
+    # GIVEN a repository
+    repo = Repository.create(tmp_path)
+    repo.create_commit()
+
+    # WHEN adding a path to the gitignore
+    with cd(str(repo.path)):
+        gitignore(Path("*.pyc"))
+
+    # THEN the path is added to the gitignore file
+    gitignore_content = (repo.path / ".gitignore").read_text()
+    assert "\n*.pyc\n" in gitignore_content
+
+
+def test_gitignore_with_existing_gitignore(tmp_path):
+    # GIVEN a repository with an existing gitignore file
+    repo = Repository.create(tmp_path)
+    repo.create_commit()
+    with open(tmp_path / ".gitignore", "w") as f:
+        f.write("node_modules/")
+
+    # WHEN adding a path to the gitignore
+    with cd(str(repo.path)):
+        gitignore(Path("*.pyc"))
+
+    # THEN the path is added to the gitignore file
+    gitignore_content = (repo.path / ".gitignore").read_text()
+    assert "\n*.pyc\n" in gitignore_content
+
+
+def test_gitignore_in_non_git_directory(tmp_path):
+    # GIVEN a non-git directory
+    # WHEN adding a path to the gitignore
+    with cd(str(tmp_path)):
+        gitignore(Path("*.pyc"))
+
+    # THEN the path is not added to the gitignore file
+    assert not (tmp_path / ".gitignore").exists()
+
+
+def test_gitignore_write_error(caplog, tmp_path):
+    # GIVEN a repository with a gitignore file that cannot be written
+    repo = Repository.create(tmp_path)
+    repo.create_commit()
+    with open(tmp_path / ".gitignore", "w") as f:
+        f.write("node_modules/")
+    (tmp_path / ".gitignore").chmod(0o000)
+
+    with caplog.at_level(logging.DEBUG):
+        # WHEN adding a path to the gitignore
+        with cd(str(repo.path)):
+            gitignore(Path("*.pyc"))
+
+        # THEN the error is logged
+        assert "Failed to add *.pyc to .gitignore in" in caplog.text
