secrets

package
v0.1.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 25, 2026 License: MIT Imports: 6 Imported by: 0

Documentation

Overview

Package secrets: filename-based sensitive path detection.

This is a companion to content-based SecretDetector. While SecretDetector scans the *contents* of text for credential patterns (API keys, tokens), IsSensitiveFilename() inspects the file *name* and path to determine whether a file is likely to contain secrets and should therefore be protected from redaction, summarization, or agent editing.

GrayCode native path-based sensitive file detection. scripts/compress.py (is_sensitive_path). Ported to native Go.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsSensitiveBasename

func IsSensitiveBasename(name string) bool

IsSensitiveBasename is a convenience wrapper that operates on a bare filename (no directory). Useful when the caller already has the basename and no path context.

func MaskSecret

func MaskSecret(value, secretType string) string

MaskSecret masks a secret value for safe display.

Types

type Category

type Category int

Category is the broad class of sensitivity that triggered a match.

const (
	// CatNone means the path is not sensitive.
	CatNone Category = iota
	// CatExactBasename: matches a known dangerous basename exactly
	// (e.g. ".env", "id_rsa", "credentials.json").
	CatExactBasename
	// CatSensitiveDirectory: contains a sensitive directory component
	// (e.g. ".ssh/", ".aws/", ".gnupg/", ".kube/").
	CatSensitiveDirectory
	// CatNameToken: filename contains a sensitivity keyword
	// (e.g. "secret", "credential", "password", "apikey").
	CatNameToken
)

func (Category) String

func (c Category) String() string

String returns a human-readable category name.

type FilenameMatch

type FilenameMatch struct {
	Path     string   // the input path
	Category Category // which rule matched
	Reason   string   // human-readable reason
	Pattern  string   // which regex pattern matched
}

FilenameMatch is the result of a successful IsSensitiveFilename call.

func IsSensitiveFilename

func IsSensitiveFilename(path string) (bool, FilenameMatch)

IsSensitiveFilename reports whether path is likely to contain secrets, based on the basename, directory components, and name tokens.

It returns (false, zero) if the path is empty, contains only whitespace, or matches none of the three detection layers. The first match wins; the function is short-circuited in order of strictness (basename → directory → token), so a precise match is preferred over a fuzzy one.

All matching is case-insensitive.

type SecretDetector

type SecretDetector struct {
	// contains filtered or unexported fields
}

SecretDetector detects and redacts secrets from text using compiled regex patterns.

func DefaultDetector

func DefaultDetector() *SecretDetector

DefaultDetector returns the singleton SecretDetector instance with all built-in patterns.

func NewDetector

func NewDetector() *SecretDetector

NewDetector creates a SecretDetector with all built-in patterns compiled and ready.

func (*SecretDetector) DetectAndRedactWithEntropy

func (sd *SecretDetector) DetectAndRedactWithEntropy(text string, entropyThreshold float64) string

DetectAndRedactWithEntropy detects secrets using both pattern matching and entropy analysis.

func (*SecretDetector) DetectSecrets

func (sd *SecretDetector) DetectSecrets(text string) []SecretMatch

DetectSecrets finds all secrets in the given text.

func (*SecretDetector) RedactSecrets

func (sd *SecretDetector) RedactSecrets(text string) string

RedactSecrets replaces detected secrets with [REDACTED] markers.

type SecretMatch

type SecretMatch struct {
	Type     string
	Value    string
	Masked   string
	StartPos int
	EndPos   int
}

SecretMatch represents a detected secret within text.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL