adeptex
diff --git a/‎.dockerignore
+1-1 b/‎.dockerignore
+1-1
diff --git a/‎.github/workflows/build.yml
+3 b/‎.github/workflows/build.yml
+3
diff --git a/‎Dockerfile
+10-13 b/‎Dockerfile
+10-13
diff --git a/‎Makefile
+4-3 b/‎Makefile
+4-3
diff --git a/‎README.md
+23-10 b/‎README.md
+23-10
diff --git a/‎RELEASE_NOTES.md
+14-183 b/‎RELEASE_NOTES.md
+14-183
diff --git a/‎setup.py
+2-1 b/‎setup.py
+2-1
@@ -61,7 +61,7 @@ __pycache__/
 .Python
 build/
 develop-eggs/
-dist/
+# dist/
 downloads/
 eggs/
 .eggs/
 
@@ -49,3 +49,6 @@ jobs:
 
       - name: coverage
         run: make coverage
+
+      - name: package
+        run: python3 -m build
@@ -1,17 +1,14 @@
-FROM python:3.8.1-slim-buster
+FROM python:3.9-slim
 
-USER root
-ENV HOME="/opt/whispers"
-RUN useradd --home-dir $HOME --shell /bin/false user
-
-WORKDIR $HOME
-COPY . $HOME/
 RUN apt update \
-    && apt install -y build-essential python3-lxml python3-yaml \
-    && apt clean \
-    && make install \
-    && chown -R user:user $HOME \
-    && whispers -v
+    && apt install -y make python3-lxml python3-yaml \
+    && apt clean
+
+WORKDIR /src
+
+COPY dist/*.tar.gz .
+
+RUN pip3 install *.tar.gz \
+    && rm -rf *.tar.gz
 
-USER user
 ENTRYPOINT [ "whispers" ]
@@ -33,9 +33,10 @@ coverage:
 test: 
 	make lint coverage
 
-docker:
+build-image:
+	python3 -m build
 	docker build -t=whispers --rm=true . 
-	docker rmi -f $$(docker images --filter "dangling=true" -q --no-trunc)
+	# docker rmi -f $$(docker images --filter "dangling=true" -q --no-trunc)
 
 freeze:
 	CUSTOM_COMPILE_COMMAND="make freeze" \
@@ -65,4 +66,4 @@ publish:
 test-pip:
 	python3 -m pip install --index-url https://test.pypi.org/simple/ --no-deps whispers
 
-.PHONY: install install-dev isort-lint black-lint flake8-lint format lint unit coverage test publish
+.PHONY: install install-dev isort-lint black-lint flake8-lint format lint unit coverage test publish build-image
@@ -54,19 +54,22 @@ whispers
 
 # More information about Whispers
 whispers --info
+
+# Show installed version
+whispers --version
 ```
 
 ```bash
-# Simplest usage with JSON output
+# Simplest usage
 whispers dir/or/file
 
-# Simplest usage with human-readable output
-whispers -H dir/or/file
+# Write JSON results to a file instead of the screen
+whispers dir/or/file -o /tmp/secrets.json
 
-# Write results to a file instead of the screen
-whispers -o /tmp/secrets.json dir/or/file
+# Pipe JSON results downstream
+whispers dir/or/file | jq '.[].value'
 
-# Advanced usage:
+# Custom usage:
 #   - only check 'keys' rule group
 #   - with BLOCKER or CRITICAL severity
 #   - everywhere in target/dir except for .log & .raw files (regex)
@@ -75,12 +78,12 @@ whispers -g keys -s BLOCKER,CRITICAL -F '.*\.(log|raw)' target/dir
 
 ```bash
 # Configuration file template
-whispers --print_config > config.yml
+whispers --init > config.yml
 
 # Provide custom configuration file
 whispers --config config.yml dir/or/file
 
-# Return this system code on success
+# Return custom system code on success
 whispers --exitcode 7 dir/or/file
 ```
 
@@ -129,6 +132,16 @@ for secret in whispers.secrets(args):
 ```
 
 
+## Docker
+
+```bash
+docker run \
+  --volume $(pwd)/tests/fixtures:/src \
+  --volume $(pwd)/tests/configs/integration.yml:/config.yml \
+  ghcr.io/adeptex/whispers --config /config.yml .
+```
+
+
 ## Config
 
 There are several configuration options available in Whispers. It’s possible to include and exclude results based on file path, keys, values, individual or grouped rules, and severity levels. There is a [default configuration file](https://github.com/adeptex/whispers/blob/master/whispers/config.yml) that will be used if you don't specify a custom one.
@@ -204,7 +217,7 @@ exclude:
 The fastest way to tweak detection in a repeatable way (ie: remove false positives and unwanted results) is to copy the default [config.yml](https://github.com/adeptex/whispers/blob/master/whispers/config.yml) into a new file, adapt it, and pass it as an argument to Whispers, for example: 
 
 ```sh
-whispers --print_config > custom.yml
+whispers --init > custom.yml
 # edit custom.yml as needed
 whispers -c custom.yml target
 ```
@@ -293,7 +306,7 @@ class PluginName:
 
 ## Development
 
-```
+```bash
 git clone https://github.com/adeptex/whispers
 cd whispers
 make install-dev
 
@@ -1,202 +1,33 @@
-# Whispers 2.0.0 release notes
-
-## :dizzy: Licensing changes :dizzy:
-
-Version 1 was developed and open sourced by [Artёm Tsvetkov](https://github.com/adeptex) at [Skyscanner](https://github.com/Skyscanner/whispers) under [Apache License 2.0](https://github.com/Skyscanner/whispers/blob/master/LICENSE), which states that `licensed works, modifications, and larger works may be distributed under different terms and without source code.`
-
-Version 2 is an independent continuation of my work, which is now released under [GNU General Public License v3.0](https://github.com/adeptex/whispers/blob/master/LICENSE) that is `intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users.`
-
+# Whispers 2.1.0 release notes
 
 ## :x: Breaking changes :x:
 
-### :x: Integration :x:
-In version 1, Python integration required multiple imports and a correctly-formatted list of values ([ref](https://github.com/Skyscanner/whispers#python)).
-
-In version 2, the integration is simplified to a single import and a string of CLI arguments. The following example illustrates current Python integration:
-
-```py
-import whispers
-
-args = (
-  "-c whispers/config.yml "
-  "-r apikey,aws-secret,password "
-  "-s BLOCKER,CRITICAL,MAJOR "
-  "tests/fixtures"
-)
-
-for secret in whispers.secrets(args):
-  print(f"[{secret.file}:{secret.line}] {secret.key} = {secret.value}")
-```
-
-### :x: File exclusion globs are now regex :x:
-In version 1, the configuration file expected file exclusion specification to be a list of globs. Whispers would then resolve included globs, resolve excluded globs, and finally subtract the two lists to get applicable scope. The entire target directory tree would be traversed twice to compute applicable files (highly resource-intensive operation!)
-
-In version 2, file exclusions are specified as regex. Instead of resolving globs, Whispers now uses the generator directly. Every file path received from the glob generator is now checked against the file exclusion regex to determine whether the file should be excluded on-the-fly.
-
-This highly improves performance for cases where the target directory contains a large number of files. In version 2 the tree is traversed file by file, individually checking if the file path matches a pre-compiled exclusion regex. This decreases CPU, RAM and time needed to scan directories of potentially unlimited trees and depths.
-
-
-### :x: Rule names and severity levels :x:
-Rule names and severity levels were adapted to make usage more intuitive, and results more useful. The following is the exhaustive list of default rules included in version 2:
-
-| Group                | Rule ID              | Severity            |
-|----------------------|----------------------|---------------------|
-| files                | file-known           | MINOR               |
-| infra                | dockercfg            | CRITICAL            |
-| infra                | htpasswd             | MAJOR               |
-| infra                | npmrc                | CRITICAL            |
-| infra                | pip                  | CRITICAL            |
-| infra                | pypirc               | CRITICAL            |
-| keys                 | apikey               | MAJOR               |
-| keys                 | apikey-known         | CRITICAL            |
-| keys                 | aws-id               | BLOCKER             |
-| keys                 | aws-secret           | BLOCKER             |
-| keys                 | aws-token            | BLOCKER             |
-| keys                 | privatekey           | CRITICAL            |
-| misc                 | comment              | INFO                |
-| misc                 | creditcard           | MINOR               |
-| misc                 | secret               | MINOR               |
-| misc                 | webhook              | MINOR               |
-| passwords            | password             | CRITICAL            |
-| passwords            | uri                  | CRITICAL            |
-| python               | cors                 | MINOR               |
-| python               | system               | MINOR               |
-
-Make sure to review and adapt your integration accordingly.
-
-
-### :x: Rule specification format changes :x:
-In version 1 the rules were defined as a dictionary with rule ID as the key and rule config as the value. This created awkward parsing practices and unintuitive code. For example:
-```yaml
-npmrc: 
-  description: Hardcoded .npmrc authToken
-  message: .npmrc authToken
-  severity: CRITICAL
-  key:
-    regex: ^npm authToken$
-    ignorecase: False
-```
-
-In version 2 the rules are defined as a list of dictionaries. The rule ID now has its own `id` key inside the rule config definition. For example:
-```yaml
-- id: npmrc
-  group: infra
-  description: Hardcoded .npmrc authToken
-  message: .npmrc authToken
-  severity: CRITICAL
-  key:
-    regex: ^npm authToken$
-    ignorecase: False
-```
-
-If you have any custom rule definitions, you will have to adjust them for migrating to version 2. 
-
-There is an additional new `groups` parameter that can be used to group rules. 
-
-
-### :x: Rule naming :x:
+### :x: Arguments :x:
 
-Some rules IDs were changed to gain a consitent naming format, please [refer to rules](whispers/rules).
+Several arguments have been modified and/or adapted to improve usability.
 
+- Human readable output is shown in logs (2.1), `-H` and `--human` (2.0) are removed.
 
-### :x: Output file format :x:
-In version 1 the output file was written in YAML with awkward indexing, which made results unusable.
+- Version can be shown with `--version` (2.1), `-v` (2.0) is removed.
 
-In version 2 the same JSON output as `stdout` is written to the output file, making it easier to parse.
+- Extended help can be shown with `--info` (2.1), `-i` (2.0) is removed.
 
+- Debug mode can be enabled with `--debug` (2.1), `-d` (2.0) is removed.
 
-### :x: Log file :x:
-In version 1, `whispers.log` is always created in the same directory from which Whispers was executed. The log file remains after execution.
+- Logs can be redirected to a file with `--log log.txt` (2.1), constant `/tmp/whispers.log` (2.0) is removed.
 
-In version 2, the log file will not be created by default, unless explicitly enabled with an argument: `whispers --log src`. The log is only useful for reviewing exceptions and bugs, not for common usage. In addition, the log will now be written to `/tmp/whispers.log` (Posix) or `%TEMP%\whispers.log` (Windows) so that it does not interfere with analysis or permissions.
+- Configuration template can be created with `--init` (2.1), `--print_config` (2.0) is removed.
 
-Together, `--log` and `--debug` can be used to investigate exceptions and bugs. Please [submit a bug report](issues/new) if you find something unexpected!
 
+### :x: Logging :x:
 
-### :x: Removed support for dynamic languages :x:
-In version 1 the following language files were parsed as text and checked for common variable declaration and assignment patterns:
-* JavaScript
-* Java
-* Go
-* PHP
+**Version 2.0:** Opt-in logging for tracing execution flow, useful only for debugging. Results printed to `stdout` using `print()` as a JSON dict, one result per line. Enabling logging required adding the `--log` argument.
 
-It is not possible to parse these languages as Abstract Syntax Trees (ASTs) in Python. The initial attempt was to detect "low hanging fruit" by parsing the files as text instead. This lead to poor functional coverage, as well as a potentially false sense of security.
-
-In version 2 the support for these dynamic languages is dropped. This allowed bringing unit test coverage up to 100%, and in this way ensuring result reliability and true security coverage. It is recommended to rely on AST-based parsing for dynamic languages for getting reliable results. Check out [Semgrep](https://github.com/returntocorp/semgrep)!
-
-Python3 remains fully supported in Whispers 2.
-
-
-### :x: Replace Levenshtein with Jaro-Winkler :x:
-In version 1, [python-Levenshtein](https://github.com/ztane/python-Levenshtein) was used for key-value similarity comparisons (`similar` config parameter). This library is written in Cython and requires additional dependencies for installing. This made it not easily compatible with Windows systems, because additional Visual Studio dependencies needed to be present before installing Whispers.
-
-In version 2, [Jaro-Winkler](https://en.wikipedia.org/wiki/Jaro%E2%80%93Winkler_distance) algorithm is used for similarity comparisons, using the [jellyfish](https://github.com/jamesturk/jellyfish) library, for improved approximate and phonetic string matching. As an additional effect, this change allows installing Whispers on Windows through `pip` without Visual Studio dependencies.
-
-This change should have no effect and behave in a consistent manner. If you have rules that specifically rely on `similar` for key-value comparisons, these may need to be manually tuned.
-
-
-## :hammer_and_wrench: Improvements :hammer_and_wrench:
-
-### :hammer_and_wrench: Improved support for Windows and MacOS :hammer_and_wrench:
-
-Whispers now runs on Linux, MacOS, and Windows. Install it from PyPI like so: `pip3 install whispers`.
-
-### :hammer_and_wrench: Secrets detection :hammer_and_wrench:
-
-- Added support for Gradle and Maven credentials
-- Improved private key detection
-- Added known API key formats ([GitGuardian](https://docs.gitguardian.com/secrets-detection/detectors/))
-- Added knwon file extensions ([tell_me_your_secrets](https://github.com/valayDave/tell-me-your-secrets/blob/master/tell_me_your_secrets/config.yml))
-
-
-### :hammer_and_wrench: Include and Exclude by Rule and Severity :hammer_and_wrench:
-Individual and grouped rules and severity levels to be included or excluded can now be directly specified with CLI args:
-
-Exclude known files from results: `whispers -R known-file`
-Exclude miscellaneous results: `whispers -G misc`
-Exclude MAJOR and MINOR severity level results: `whispers -S MAJOR,MINOR`
-
-It is also possible to specify included and excluded rules and severity levels via config.yml. Custom rules can be added directly to the list using the following format:
-```yaml
-exclude:
-  files:
-    - \.npmrc
-    - .*coded.*
-    - \.git/.*
-  keys:
-    - SECRET_VALUE_KEY
-  values:
-    - SECRET_VALUE_PLACEHOLDER
-  rules:
-    - password
-    - uri
-    - id: starks
-      message: Whispers from the North
-      severity: CRITICAL
-      value:
-        regex: (Aria|Ned) Stark
-        ignorecase: True
-  groups:
-    - misc
-
-exclude:
-  severity:
-    - MINOR
-
-```
-
-If you don't specify any rules, all built-in rules will be used be default. If you do, only those that you specify will be applicable. For a full list of available rules check `whispers --info`.
-
-If you don't specify any severity, all built-in severity levels will be used be default - BLOCKER, CRITICAL, MAJOR, MINOR, INFO. 
-If you do, only those that you specify will be applicable.
+**Version 2.1:** Logging is used to alert identified secrets during execution with `WARNING` level. Results are written to `stdout` as a JSON list at the end. This improves results parseability as a JSON list, while maintaining live results display that was previously achieved by printing secrets as JSON one per line.
 
 
 ## :white_check_mark: New features :white_check_mark:
 
-**No new features** were introduced in this release. Whispers 2 still does the same thing as 1, only better and faster. 
-
-The primary objective of the present release was to optimize version 1 logic in order to make it easier to read, understand, and work with in general. This refactoring, along with the aforementioned breaking changes, have shown to increase scanning speed up to 7-10 times (depending on conditions). In addition, it allowed achieving 100% unit test coverage. 
-
-Other focus areas of version 2 were improving usability, like being able to easily filter results in and out from CLI; not writing a log file by default; dropping support for untestable dynamic code scanning; and making code more Pythonic by using built-in features and dataclass models.
+### :white_check_mark: Results as JSON list :white_check_mark:
 
-Complete list of arguments, rules, and severity levels can be found in `whispers --info`, along with documentation in [README.md](https://github.com/adeptex/whispers/blob/master/README.md).
+To improve integration and downstream processing, Whispers now outputs results as a JSON list of dictionaries with all detected secrets together (2.1), instead of one JSON dictionary per line (2.0). This list is directly loadable and parsable as JSON.
@@ -14,6 +14,7 @@
     "autoflake~=1.4",
     "autopep8~=1.5",
     "black~=19.10b0",
+    "build~=0.8",
     "coverage~=4.5",
     "coverage-badge~=1.0",
     "flake8~=3.9",
@@ -50,5 +51,5 @@ def get_readme():
     setup_requires=["pytest-runner"],
     tests_require=dev_requires,
     extras_require={"dev": dev_requires},
-    entry_points={"console_scripts": ["whispers=whispers.main:cli"]},
+    entry_points={"console_scripts": ["whispers=whispers.main:main"]},
 )