Documentation
¶
Overview ¶
Package secrets: filename-based sensitive path detection.
This is a companion to content-based SecretDetector. While SecretDetector scans the *contents* of text for credential patterns (API keys, tokens), IsSensitiveFilename() inspects the file *name* and path to determine whether a file is likely to contain secrets and should therefore be protected from redaction, summarization, or agent editing.
GrayCode native path-based sensitive file detection. scripts/compress.py (is_sensitive_path). Ported to native Go.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func IsSensitiveBasename ¶
IsSensitiveBasename is a convenience wrapper that operates on a bare filename (no directory). Useful when the caller already has the basename and no path context.
func MaskSecret ¶
MaskSecret masks a secret value for safe display.
Types ¶
type Category ¶
type Category int
Category is the broad class of sensitivity that triggered a match.
const ( // CatNone means the path is not sensitive. CatNone Category = iota // CatExactBasename: matches a known dangerous basename exactly // (e.g. ".env", "id_rsa", "credentials.json"). CatExactBasename // CatSensitiveDirectory: contains a sensitive directory component // (e.g. ".ssh/", ".aws/", ".gnupg/", ".kube/"). CatSensitiveDirectory // CatNameToken: filename contains a sensitivity keyword // (e.g. "secret", "credential", "password", "apikey"). CatNameToken )
type FilenameMatch ¶
type FilenameMatch struct {
Path string // the input path
Category Category // which rule matched
Reason string // human-readable reason
Pattern string // which regex pattern matched
}
FilenameMatch is the result of a successful IsSensitiveFilename call.
func IsSensitiveFilename ¶
func IsSensitiveFilename(path string) (bool, FilenameMatch)
IsSensitiveFilename reports whether path is likely to contain secrets, based on the basename, directory components, and name tokens.
It returns (false, zero) if the path is empty, contains only whitespace, or matches none of the three detection layers. The first match wins; the function is short-circuited in order of strictness (basename → directory → token), so a precise match is preferred over a fuzzy one.
All matching is case-insensitive.
type SecretDetector ¶
type SecretDetector struct {
// contains filtered or unexported fields
}
SecretDetector detects and redacts secrets from text using compiled regex patterns.
func DefaultDetector ¶
func DefaultDetector() *SecretDetector
DefaultDetector returns the singleton SecretDetector instance with all built-in patterns.
func NewDetector ¶
func NewDetector() *SecretDetector
NewDetector creates a SecretDetector with all built-in patterns compiled and ready.
func (*SecretDetector) DetectAndRedactWithEntropy ¶
func (sd *SecretDetector) DetectAndRedactWithEntropy(text string, entropyThreshold float64) string
DetectAndRedactWithEntropy detects secrets using both pattern matching and entropy analysis.
func (*SecretDetector) DetectSecrets ¶
func (sd *SecretDetector) DetectSecrets(text string) []SecretMatch
DetectSecrets finds all secrets in the given text.
func (*SecretDetector) RedactSecrets ¶
func (sd *SecretDetector) RedactSecrets(text string) string
RedactSecrets replaces detected secrets with [REDACTED] markers.