Scan results cache secrets inside the app

Description

As mentioned in the design considerations:

If a user uses the Security app to find a secret that was accidentally committed and then fixes the error by rewriting history, the secret should be gone entirely. We shouldn’t cache a copy of the offending secret in our own data structures, otherwise the secret would still be available to an attacker via our scan reports.

Unfortunately, we're currently caching the matched secrets inside InvalidLine.getLine. This is used when displaying the failures in the "Security Scan" page.

Instead of displaying the actual found secrets, we should just have a link to the corresponding filename and line number at the right commit sha1. The current UI has links to the files, but it uses the branch name instead of the actual commit hash – we should use the actual commit.
E.g.
http://localhost:7990/bitbucket/projects/PROJECT_1/repos/test-project-repo/browse/id_rsa.3?at=89c4f81498c9c564144168e0778a5daa8a4040f5#1
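
A sketch of the approach described above, added here as an illustration and not taken from the Security app's code: a finding record that stores only the location of a match (never the matched text) and builds the browse link pinned to the commit hash. The class name `SecretFindingRef` and its fields are hypothetical; the sample values in `main` are the ones from the example URL above.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/** Hypothetical finding record: holds where a secret was found, not the secret itself. */
public final class SecretFindingRef {
    // A full SHA-1 commit id; a branch name or abbreviated hash is rejected.
    private static final Pattern FULL_SHA1 = Pattern.compile("[0-9a-f]{40}");

    private final String projectKey, repoSlug, path, commitId;
    private final int lineNumber;

    public SecretFindingRef(String projectKey, String repoSlug, String path,
                            String commitId, int lineNumber) {
        if (!FULL_SHA1.matcher(commitId).matches()) {
            throw new IllegalArgumentException("commitId must be a full commit hash, not a branch name");
        }
        if (lineNumber < 1) {
            throw new IllegalArgumentException("lineNumber is 1-based");
        }
        this.projectKey = projectKey;
        this.repoSlug = repoSlug;
        this.path = path;
        this.commitId = commitId;
        this.lineNumber = lineNumber;
    }

    /** Builds .../browse/<path>?at=<commit>#<line>, the link shape shown in the ticket. */
    public String browseUrl(String baseUrl) {
        StringBuilder sb = new StringBuilder(baseUrl)
                .append("/projects/").append(enc(projectKey))
                .append("/repos/").append(enc(repoSlug))
                .append("/browse");
        for (String segment : path.split("/")) {
            if (!segment.isEmpty()) {          // tolerate a leading or doubled slash
                sb.append('/').append(enc(segment));
            }
        }
        return sb.append("?at=").append(commitId).append('#').append(lineNumber).toString();
    }

    private static String enc(String s) {
        // URLEncoder does form encoding; map its '+' back to %20 for use in a path segment.
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20");
    }

    public static void main(String[] args) {
        SecretFindingRef ref = new SecretFindingRef("PROJECT_1", "test-project-repo",
                "id_rsa.3", "89c4f81498c9c564144168e0778a5daa8a4040f5", 1);
        System.out.println(ref.browseUrl("http://localhost:7990/bitbucket"));
    }
}
```

Because the record has no field for the matched line, a stored or serialized scan report cannot retain the secret, and once history is rewritten the pinned commit link stops resolving to the offending content.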

Environment

None

Assignee

Andrey Levchenko

Reporter

George V @Mohami

Labels

None

Github URL

None

Sprint

None

Priority

Medium