Documentation
¶
Overview ¶
Package scan implements the secret detection engine used by the envault pre-commit hook and the `envault scan` CLI command. It provides pattern-based rules and a Shannon-entropy heuristic for finding plaintext credentials in unified diffs and tracked file trees.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func LoadIgnorePatterns ¶
LoadIgnorePatterns reads .envaultignore from repoRoot and returns the glob patterns. Returns nil (not an error) when the file does not exist.
func SeverityAtLeast ¶
SeverityAtLeast reports whether s is at or above min in the severity order.
Types ¶
type Match ¶
type Match struct {
File string
Line int // 0 for file-level matches
RuleID string
Description string
Severity Severity
Snippet string // truncated matched content or file path
}
Match is a single detection result.
type Rule ¶
type Rule struct {
ID string
Description string
Pattern *regexp.Regexp
Severity Severity
FileLevel bool // match file name rather than line content
}
Rule is a single secret-detection rule.
type Severity ¶
type Severity string
Severity represents the urgency of a detected finding.
func ParseSeverity ¶
ParseSeverity converts a string to Severity; unknown values default to High.