Overview ¶
Package secrets provides secret detection and redaction using gitleaks.
All contextd output passes through scrubbing — via the gRPC interceptor and the direct API — to prevent secret leakage. Metrics (rule IDs, counts) are preserved while sensitive content is redacted.
See CLAUDE.md for scrubbing rules and integration patterns.
Types ¶
type Config ¶
// Config configures the scrubber.
type Config struct {
	// Enabled controls whether scrubbing is active (default: true).
	Enabled bool `koanf:"enabled"`
	// Rules defines the detection rules applied to content (see Rule and
	// DefaultRules).
	Rules []Rule `koanf:"rules"`
	// RedactionString is the replacement text substituted for each detected
	// secret (default: "[REDACTED]").
	RedactionString string `koanf:"redaction_string"`
	// AllowList contains patterns to skip during scrubbing. An overly broad
	// entry suppresses redaction for everything it matches, so keep entries
	// as narrow as possible.
	// NOTE(review): whether entries are literal strings or regular expressions
	// is not stated here — confirm against the implementation.
	AllowList []string `koanf:"allow_list"`
	// contains filtered or unexported fields
}
Config configures the scrubber.
func DefaultConfig ¶
func DefaultConfig() *Config
DefaultConfig returns a configuration with standard secret detection rules.
type Finding ¶
// Finding represents a detected secret. It records where a secret was found
// and which rule matched, but not the matched value itself, so a Finding can
// be logged or serialized without re-exposing the secret.
type Finding struct {
	// RuleID identifies which rule matched (see Rule.ID).
	RuleID string `json:"rule_id"`
	// Description explains what was found.
	Description string `json:"description"`
	// Severity indicates the importance of the finding (see Rule.Severity).
	Severity string `json:"severity"`
	// StartIndex is the start position in the original content.
	// NOTE(review): whether offsets count bytes or runes, and whether EndIndex
	// is inclusive or exclusive, is not stated here — confirm before slicing
	// the original content with them.
	StartIndex int `json:"start_index"`
	// EndIndex is the end position in the original content.
	EndIndex int `json:"end_index"`
	// Line is the 1-indexed line number; omitted from JSON when zero.
	Line int `json:"line,omitempty"`
}
Finding represents a detected secret.
type NoopScrubber ¶
// NoopScrubber is a scrubber that does nothing: Check, Scrub and ScrubBytes
// all return the content unchanged. It exists for tests and for disabled
// mode; wiring a NoopScrubber into a production path means output is emitted
// unscrubbed.
// NOTE(review): the Scrubber interface also requires IsEnabled, which is not
// listed among NoopScrubber's documented methods — confirm that NoopScrubber
// actually satisfies Scrubber.
type NoopScrubber struct{}
NoopScrubber is a scrubber that does nothing (for testing or disabled mode).
func (*NoopScrubber) Check ¶
func (n *NoopScrubber) Check(content string) *Result
Check returns content unchanged.
func (*NoopScrubber) Scrub ¶
func (n *NoopScrubber) Scrub(content string) *Result
Scrub returns content unchanged.
func (*NoopScrubber) ScrubBytes ¶
func (n *NoopScrubber) ScrubBytes(content []byte) *Result
ScrubBytes returns content unchanged.
type Result ¶
// Result contains the scrubbing result: the redacted content plus metrics
// (rule IDs and counts) that describe what was found without reproducing it.
type Result struct {
	// Original is the original, unredacted input content. It is excluded from
	// JSON output (json:"-"), but it still holds any detected secrets in clear
	// text: do not log or persist it.
	Original string `json:"-"`
	// Scrubbed is the content with detected secrets replaced by the configured
	// redaction string.
	Scrubbed string `json:"scrubbed"`
	// Findings contains the detected secrets (locations and rule metadata only,
	// never the matched values); omitted from JSON when empty.
	Findings []Finding `json:"findings,omitempty"`
	// Duration is how long scrubbing took (serialized as an integer nanosecond
	// count, per time.Duration).
	Duration time.Duration `json:"duration"`
	// TotalFindings is the count of secrets found.
	TotalFindings int `json:"total_findings"`
	// ByRule maps rule IDs to finding counts; omitted from JSON when empty.
	ByRule map[string]int `json:"by_rule,omitempty"`
}
Result contains the scrubbing result.
func (*Result) FindingsBySeverity ¶
FindingsBySeverity returns only the findings whose severity matches the given severity.
func (*Result) HasFindings ¶
HasFindings returns true if any secrets were found.
type Rule ¶
// Rule defines a secret detection rule.
type Rule struct {
	// ID is the unique identifier for this rule; it is reported as
	// Finding.RuleID and used as the key in Result.ByRule.
	ID string `koanf:"id"`
	// Description explains what this rule detects.
	Description string `koanf:"description"`
	// Pattern is the regular expression used to match secrets.
	// NOTE(review): the regex dialect is not stated here — confirm whether
	// this is Go regexp (RE2) syntax before porting patterns from other tools.
	Pattern string `koanf:"pattern"`
	// Keywords are optional keywords that must be present for the rule to
	// apply; an empty list imposes no keyword requirement.
	// NOTE(review): whether all keywords or any one of them must be present
	// is not stated here — confirm.
	Keywords []string `koanf:"keywords"`
	// Severity indicates the importance (high, medium, low).
	Severity string `koanf:"severity"`
	// Entropy is the minimum entropy threshold a match must meet; 0 disables
	// the entropy check.
	Entropy float64 `koanf:"entropy"`
}
Rule defines a secret detection rule.
func DefaultRules ¶
func DefaultRules() []Rule
DefaultRules returns the default set of secret detection rules. The rules are based on common secret patterns from gitleaks and industry standards.
type Scrubber ¶
// Scrubber detects and redacts secrets from content. Every method returns a
// *Result carrying the findings and metrics for the input.
type Scrubber interface {
	// Scrub redacts secrets from the content and returns the redacted text
	// together with the findings.
	Scrub(content string) *Result
	// ScrubBytes redacts secrets from byte content.
	ScrubBytes(content []byte) *Result
	// Check detects secrets without redacting. Use it when only the findings
	// and counts are needed; do not assume the returned Scrubbed field is
	// redacted in that case.
	Check(content string) *Result
	// IsEnabled returns whether scrubbing is enabled (see Config.Enabled).
	IsEnabled() bool
}
Scrubber detects and redacts secrets from content.