stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

warnings fixes, tests fixes, sprints completions

Browse Source
This commit is contained in:
Codex Assistant
2026-01-08 08:38:27 +02:00
parent 75611a505f
commit 0b5d786ddb
125 changed files with 14610 additions and 368 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
offline/rules/secrets/bundles/2026.01/secrets.ruleset.manifest.json Normal file
View File

@@ -0,0 +1,54 @@
{
"schemaVersion": "1.0",
"id": "stellaops-secrets",
"version": "2026.01",
"createdAt": "2026-01-04T00:00:00Z",
"description": "StellaOps Secret Detection Rules - Default Bundle",
"rules": [
{"id": "stellaops.secrets.aws-access-key", "version": "1.0.0", "category": "cloud", "severity": "high", "enabled": true},
{"id": "stellaops.secrets.aws-secret-key", "version": "1.0.0", "category": "cloud", "severity": "critical", "enabled": true},
{"id": "stellaops.secrets.azure-storage-key", "version": "1.0.0", "category": "cloud", "severity": "critical", "enabled": true},
{"id": "stellaops.secrets.database-connection-string", "version": "1.0.0", "category": "database", "severity": "critical", "enabled": true},
{"id": "stellaops.secrets.datadog-api-key", "version": "1.0.0", "category": "api-keys", "severity": "high", "enabled": true},
{"id": "stellaops.secrets.discord-bot-token", "version": "1.0.0", "category": "api-keys", "severity": "high", "enabled": true},
{"id": "stellaops.secrets.docker-hub-token", "version": "1.0.0", "category": "registry", "severity": "high", "enabled": true},
{"id": "stellaops.secrets.gcp-service-account", "version": "1.0.0", "category": "cloud", "severity": "critical", "enabled": true},
{"id": "stellaops.secrets.generic-api-key", "version": "1.0.0", "category": "api-keys", "severity": "medium", "enabled": true},
{"id": "stellaops.secrets.generic-password", "version": "1.0.0", "category": "credentials", "severity": "high", "enabled": true},
{"id": "stellaops.secrets.github-app-token", "version": "1.0.0", "category": "scm", "severity": "critical", "enabled": true},
{"id": "stellaops.secrets.github-pat", "version": "1.0.0", "category": "scm", "severity": "critical", "enabled": true},
{"id": "stellaops.secrets.gitlab-pat", "version": "1.0.0", "category": "scm", "severity": "critical", "enabled": true},
{"id": "stellaops.secrets.heroku-api-key", "version": "1.0.0", "category": "platform", "severity": "high", "enabled": true},
{"id": "stellaops.secrets.jwt-secret", "version": "1.0.0", "category": "crypto", "severity": "critical", "enabled": true},
{"id": "stellaops.secrets.mailchimp-api-key", "version": "1.0.0", "category": "api-keys", "severity": "medium", "enabled": true},
{"id": "stellaops.secrets.npm-token", "version": "1.0.0", "category": "registry", "severity": "high", "enabled": true},
{"id": "stellaops.secrets.nuget-api-key", "version": "1.0.0", "category": "registry", "severity": "high", "enabled": true},
{"id": "stellaops.secrets.private-key-ec", "version": "1.0.0", "category": "crypto", "severity": "critical", "enabled": true},
{"id": "stellaops.secrets.private-key-generic", "version": "1.0.0", "category": "crypto", "severity": "critical", "enabled": true},
{"id": "stellaops.secrets.private-key-openssh", "version": "1.0.0", "category": "crypto", "severity": "critical", "enabled": true},
{"id": "stellaops.secrets.private-key-rsa", "version": "1.0.0", "category": "crypto", "severity": "critical", "enabled": true},
{"id": "stellaops.secrets.pypi-token", "version": "1.0.0", "category": "registry", "severity": "high", "enabled": true},
{"id": "stellaops.secrets.sendgrid-api-key", "version": "1.0.0", "category": "api-keys", "severity": "high", "enabled": true},
{"id": "stellaops.secrets.slack-token", "version": "1.0.0", "category": "api-keys", "severity": "high", "enabled": true},
{"id": "stellaops.secrets.slack-webhook", "version": "1.0.0", "category": "webhook", "severity": "medium", "enabled": true},
{"id": "stellaops.secrets.stripe-restricted-key", "version": "1.0.0", "category": "payment", "severity": "high", "enabled": true},
{"id": "stellaops.secrets.stripe-secret-key", "version": "1.0.0", "category": "payment", "severity": "critical", "enabled": true},
{"id": "stellaops.secrets.telegram-bot-token", "version": "1.0.0", "category": "api-keys", "severity": "high", "enabled": true},
{"id": "stellaops.secrets.twilio-api-key", "version": "1.0.0", "category": "api-keys", "severity": "high", "enabled": true}
],
"integrity": {
"algorithm": "sha256",
"rulesFile": "secrets.ruleset.rules.jsonl",
"rulesDigest": "placeholder-will-be-computed-at-build"
},
"statistics": {
"totalRules": 30,
"enabledRules": 30,
"categories": ["cloud", "credentials", "api-keys", "registry", "scm", "platform", "crypto", "payment", "webhook", "database"],
"severityCounts": {
"critical": 12,
"high": 14,
"medium": 4
}
}
}

30
offline/rules/secrets/bundles/2026.01/secrets.ruleset.rules.jsonl Normal file
View File

@@ -0,0 +1,30 @@
{"id":"stellaops.secrets.aws-access-key","version":"1.0.0","name":"AWS Access Key ID","description":"Detects AWS Access Key IDs which start with AKIA, ASIA, AIDA, AGPA, AROA, AIPA, ANPA, or ANVA","type":"regex","pattern":"(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}","severity":"high","confidence":"high","keywords":["AKIA","ASIA","AIDA","AGPA","AROA","AIPA","ANPA","ANVA","aws"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.tf","*.tfvars","*.config"],"enabled":true,"tags":["aws","cloud","credentials"],"references":["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html"]}
{"id":"stellaops.secrets.aws-secret-key","version":"1.0.0","name":"AWS Secret Access Key","description":"Detects AWS Secret Access Keys (40-character base64 strings near AWS context)","type":"regex","pattern":"(?i)(?:aws[_-]?secret[_-]?(?:access[_-]?)?key|secret[_-]?key)['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?","severity":"critical","confidence":"high","keywords":["aws_secret","secret_key","secret_access_key","aws"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.tf","*.tfvars","*.config","*.sh","*.bash"],"enabled":true,"tags":["aws","cloud","credentials"],"references":["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html"]}
{"id":"stellaops.secrets.azure-storage-key","version":"1.0.0","name":"Azure Storage Account Key","description":"Detects Azure Storage account access keys","type":"regex","pattern":"(?i)(?:storage[_-]?(?:account[_-]?)?key|azure[_-]?storage)['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9+/]{86}==)['\"]?","severity":"critical","confidence":"high","keywords":["azure","storage_key","azure_storage"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.tf","*.tfvars","*.config"],"enabled":true,"tags":["azure","cloud","credentials"],"references":["https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage"]}
{"id":"stellaops.secrets.database-connection-string","version":"1.0.0","name":"Database Connection String","description":"Detects database connection strings with embedded credentials","type":"regex","pattern":"(?i)(?:(?:jdbc|mongodb(?:\\+srv)?|mysql|postgres(?:ql)?|sqlserver|oracle|redis)://[^:]+:[^@]+@|(?:password|pwd)\\s*=\\s*['\"]?[^;'\"\\s]+)","severity":"critical","confidence":"medium","keywords":["connection_string","jdbc","mongodb","mysql","postgres","sqlserver","password","pwd"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config","*.xml","appsettings.json","web.config"],"enabled":true,"tags":["database","credentials"],"references":[]}
{"id":"stellaops.secrets.datadog-api-key","version":"1.0.0","name":"Datadog API Key","description":"Detects Datadog API keys","type":"regex","pattern":"(?i)(?:datadog[_-]?api[_-]?key|dd[_-]?api[_-]?key)['\"]?\\s*[:=]\\s*['\"]?([a-fA-F0-9]{32})['\"]?","severity":"high","confidence":"high","keywords":["datadog","dd_api_key"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config"],"enabled":true,"tags":["datadog","monitoring","api-key"],"references":["https://docs.datadoghq.com/account_management/api-app-keys/"]}
{"id":"stellaops.secrets.discord-bot-token","version":"1.0.0","name":"Discord Bot Token","description":"Detects Discord bot tokens","type":"regex","pattern":"[MN][A-Za-z\\d]{23,}\\.[a-zA-Z\\d-_]{6}\\.[a-zA-Z\\d-_]{27}","severity":"high","confidence":"high","keywords":["discord","bot_token"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config","*.js","*.ts","*.py"],"enabled":true,"tags":["discord","bot","token"],"references":["https://discord.com/developers/docs/reference"]}
{"id":"stellaops.secrets.docker-hub-token","version":"1.0.0","name":"Docker Hub Access Token","description":"Detects Docker Hub personal access tokens","type":"regex","pattern":"dckr_pat_[A-Za-z0-9-_]{56}","severity":"high","confidence":"high","keywords":["dckr_pat","docker","dockerhub"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config",".docker/config.json"],"enabled":true,"tags":["docker","registry","token"],"references":["https://docs.docker.com/docker-hub/access-tokens/"]}
{"id":"stellaops.secrets.gcp-service-account","version":"1.0.0","name":"GCP Service Account Key","description":"Detects Google Cloud Platform service account JSON keys","type":"regex","pattern":"(?i)\"type\"\\s*:\\s*\"service_account\"","severity":"critical","confidence":"high","keywords":["service_account","gcp","google_cloud","private_key"],"filePatterns":["*.json"],"enabled":true,"tags":["gcp","cloud","credentials"],"references":["https://cloud.google.com/iam/docs/creating-managing-service-account-keys"]}
{"id":"stellaops.secrets.generic-api-key","version":"1.0.0","name":"Generic API Key","description":"Detects generic API keys in configuration","type":"regex","pattern":"(?i)(?:api[_-]?key|apikey)['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9_-]{20,})['\"]?","severity":"medium","confidence":"low","keywords":["api_key","apikey"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config"],"enabled":true,"tags":["api-key","credentials"],"references":[]}
{"id":"stellaops.secrets.generic-password","version":"1.0.0","name":"Generic Password","description":"Detects passwords in configuration files","type":"regex","pattern":"(?i)(?:password|passwd|pwd|secret)['\"]?\\s*[:=]\\s*['\"]?([^'\";\\s]{8,})['\"]?","severity":"high","confidence":"low","keywords":["password","passwd","pwd","secret"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config","*.xml"],"enabled":true,"tags":["password","credentials"],"references":[]}
{"id":"stellaops.secrets.github-app-token","version":"1.0.0","name":"GitHub App Installation Token","description":"Detects GitHub App installation access tokens","type":"regex","pattern":"ghs_[A-Za-z0-9_]{36,255}","severity":"critical","confidence":"high","keywords":["ghs_","github_app"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.sh","*.bash"],"enabled":true,"tags":["github","app","token"],"references":["https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps"]}
{"id":"stellaops.secrets.github-pat","version":"1.0.0","name":"GitHub Personal Access Token","description":"Detects GitHub Personal Access Tokens (classic and fine-grained)","type":"regex","pattern":"(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,255}","severity":"critical","confidence":"high","keywords":["ghp_","gho_","ghu_","ghs_","ghr_","github"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.sh","*.bash","*.md","*.txt"],"enabled":true,"tags":["github","vcs","credentials","token"],"references":["https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens"]}
{"id":"stellaops.secrets.gitlab-pat","version":"1.0.0","name":"GitLab Personal Access Token","description":"Detects GitLab personal access tokens","type":"regex","pattern":"glpat-[A-Za-z0-9_-]{20,}","severity":"critical","confidence":"high","keywords":["glpat-","gitlab"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.sh","*.bash"],"enabled":true,"tags":["gitlab","vcs","credentials","token"],"references":["https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html"]}
{"id":"stellaops.secrets.heroku-api-key","version":"1.0.0","name":"Heroku API Key","description":"Detects Heroku API keys","type":"regex","pattern":"(?i)(?:heroku[_-]?api[_-]?key)['\"]?\\s*[:=]\\s*['\"]?([a-f0-9-]{36})['\"]?","severity":"high","confidence":"high","keywords":["heroku","api_key"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config"],"enabled":true,"tags":["heroku","platform","api-key"],"references":["https://devcenter.heroku.com/articles/platform-api-quickstart"]}
{"id":"stellaops.secrets.jwt-secret","version":"1.0.0","name":"JWT Secret Key","description":"Detects JWT secret keys in configuration","type":"regex","pattern":"(?i)(?:jwt[_-]?secret|jwt[_-]?key|secret[_-]?key)['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9+/=_-]{32,})['\"]?","severity":"high","confidence":"medium","keywords":["jwt_secret","jwt_key","secret_key","JWT"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config","appsettings.json"],"enabled":true,"tags":["jwt","authentication","credentials"],"references":["https://jwt.io/introduction"]}
{"id":"stellaops.secrets.mailchimp-api-key","version":"1.0.0","name":"Mailchimp API Key","description":"Detects Mailchimp API keys","type":"regex","pattern":"[a-f0-9]{32}-us[0-9]{1,2}","severity":"medium","confidence":"high","keywords":["mailchimp","api_key"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config"],"enabled":true,"tags":["mailchimp","email","api-key"],"references":["https://mailchimp.com/developer/marketing/docs/fundamentals/"]}
{"id":"stellaops.secrets.npm-token","version":"1.0.0","name":"NPM Access Token","description":"Detects NPM access tokens","type":"regex","pattern":"npm_[A-Za-z0-9]{36}","severity":"high","confidence":"high","keywords":["npm_","npmrc"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties",".npmrc"],"enabled":true,"tags":["npm","registry","token"],"references":["https://docs.npmjs.com/creating-and-viewing-access-tokens"]}
{"id":"stellaops.secrets.nuget-api-key","version":"1.0.0","name":"NuGet API Key","description":"Detects NuGet API keys","type":"regex","pattern":"oy2[a-z0-9]{43}","severity":"high","confidence":"high","keywords":["nuget","api_key","oy2"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config","nuget.config"],"enabled":true,"tags":["nuget","registry","api-key"],"references":["https://docs.microsoft.com/en-us/nuget/nuget-org/scoped-api-keys"]}
{"id":"stellaops.secrets.private-key-ec","version":"1.0.0","name":"EC Private Key","description":"Detects EC (Elliptic Curve) private keys","type":"regex","pattern":"-----BEGIN EC PRIVATE KEY-----","severity":"critical","confidence":"high","keywords":["EC PRIVATE KEY","-----BEGIN"],"filePatterns":["*.pem","*.key","*.yml","*.yaml","*.json","*.env","*.config"],"enabled":true,"tags":["crypto","private-key","ec"],"references":[]}
{"id":"stellaops.secrets.private-key-generic","version":"1.0.0","name":"Generic Private Key","description":"Detects generic PKCS#8 private keys","type":"regex","pattern":"-----BEGIN PRIVATE KEY-----","severity":"critical","confidence":"high","keywords":["PRIVATE KEY","-----BEGIN"],"filePatterns":["*.pem","*.key","*.yml","*.yaml","*.json","*.env","*.config"],"enabled":true,"tags":["crypto","private-key"],"references":[]}
{"id":"stellaops.secrets.private-key-openssh","version":"1.0.0","name":"OpenSSH Private Key","description":"Detects OpenSSH private keys","type":"regex","pattern":"-----BEGIN OPENSSH PRIVATE KEY-----","severity":"critical","confidence":"high","keywords":["OPENSSH PRIVATE KEY","-----BEGIN"],"filePatterns":["*.pem","*.key","id_rsa","id_ed25519","id_ecdsa","*.yml","*.yaml","*.json","*.env"],"enabled":true,"tags":["crypto","private-key","ssh"],"references":[]}
{"id":"stellaops.secrets.private-key-rsa","version":"1.0.0","name":"RSA Private Key","description":"Detects RSA private keys","type":"regex","pattern":"-----BEGIN RSA PRIVATE KEY-----","severity":"critical","confidence":"high","keywords":["RSA PRIVATE KEY","-----BEGIN"],"filePatterns":["*.pem","*.key","*.yml","*.yaml","*.json","*.env","*.config"],"enabled":true,"tags":["crypto","private-key","rsa"],"references":[]}
{"id":"stellaops.secrets.pypi-token","version":"1.0.0","name":"PyPI API Token","description":"Detects PyPI API tokens","type":"regex","pattern":"pypi-[A-Za-z0-9_-]{100,}","severity":"high","confidence":"high","keywords":["pypi-","pypi"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties",".pypirc"],"enabled":true,"tags":["pypi","registry","token"],"references":["https://pypi.org/help/#apitoken"]}
{"id":"stellaops.secrets.sendgrid-api-key","version":"1.0.0","name":"SendGrid API Key","description":"Detects SendGrid API keys","type":"regex","pattern":"SG\\.[A-Za-z0-9_-]{22}\\.[A-Za-z0-9_-]{43}","severity":"high","confidence":"high","keywords":["SG.","sendgrid"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config"],"enabled":true,"tags":["sendgrid","email","api-key"],"references":["https://docs.sendgrid.com/ui/account-and-settings/api-keys"]}
{"id":"stellaops.secrets.slack-token","version":"1.0.0","name":"Slack Token","description":"Detects Slack bot, user, and workspace tokens","type":"regex","pattern":"xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[A-Za-z0-9]{24,}","severity":"high","confidence":"high","keywords":["xoxb-","xoxa-","xoxp-","xoxr-","xoxs-","slack"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config"],"enabled":true,"tags":["slack","messaging","token"],"references":["https://api.slack.com/authentication/token-types"]}
{"id":"stellaops.secrets.slack-webhook","version":"1.0.0","name":"Slack Webhook URL","description":"Detects Slack incoming webhook URLs","type":"regex","pattern":"https://hooks\\.slack\\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+","severity":"medium","confidence":"high","keywords":["hooks.slack.com","webhook"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config"],"enabled":true,"tags":["slack","webhook"],"references":["https://api.slack.com/messaging/webhooks"]}
{"id":"stellaops.secrets.stripe-restricted-key","version":"1.0.0","name":"Stripe Restricted API Key","description":"Detects Stripe restricted API keys","type":"regex","pattern":"rk_(?:live|test)_[A-Za-z0-9]{24,}","severity":"high","confidence":"high","keywords":["rk_live","rk_test","stripe"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config"],"enabled":true,"tags":["stripe","payment","api-key"],"references":["https://stripe.com/docs/keys"]}
{"id":"stellaops.secrets.stripe-secret-key","version":"1.0.0","name":"Stripe Secret API Key","description":"Detects Stripe secret API keys","type":"regex","pattern":"sk_(?:live|test)_[A-Za-z0-9]{24,}","severity":"critical","confidence":"high","keywords":["sk_live","sk_test","stripe"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config"],"enabled":true,"tags":["stripe","payment","api-key"],"references":["https://stripe.com/docs/keys"]}
{"id":"stellaops.secrets.telegram-bot-token","version":"1.0.0","name":"Telegram Bot Token","description":"Detects Telegram bot tokens","type":"regex","pattern":"[0-9]{8,10}:[A-Za-z0-9_-]{35}","severity":"high","confidence":"medium","keywords":["telegram","bot"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config"],"enabled":true,"tags":["telegram","bot","token"],"references":["https://core.telegram.org/bots/api"]}
{"id":"stellaops.secrets.twilio-api-key","version":"1.0.0","name":"Twilio API Key","description":"Detects Twilio API keys and auth tokens","type":"regex","pattern":"SK[a-f0-9]{32}","severity":"high","confidence":"high","keywords":["SK","twilio"],"filePatterns":["*.yml","*.yaml","*.json","*.env","*.properties","*.config"],"enabled":true,"tags":["twilio","sms","api-key"],"references":["https://www.twilio.com/docs/usage/api"]}

109
offline/rules/secrets/bundles/README.md Normal file
View File

@@ -0,0 +1,109 @@
# StellaOps Secret Detection Rule Bundles
This directory contains pre-compiled rule bundles for secret leak detection. These bundles are used for offline/air-gapped deployments and are signed for integrity verification.
## Directory Structure
```
bundles/
├── 2026.01/ # CalVer versioned bundle
│ ├── secrets.ruleset.manifest.json # Bundle manifest with metadata and rule index
│ └── secrets.ruleset.rules.jsonl # Compiled rules in JSON Lines format
└── README.md
```
## Bundle Format
### Manifest File (`secrets.ruleset.manifest.json`)
The manifest contains:
- **schemaVersion**: Bundle schema version
- **id**: Unique bundle identifier
- **version**: CalVer version (YYYY.MM format)
- **createdAt**: ISO 8601 UTC timestamp
- **rules**: Array of rule summaries (id, version, category, severity, enabled)
- **integrity**: Hash algorithm and digest of the rules file
- **statistics**: Rule counts by severity and category
### Rules File (`secrets.ruleset.rules.jsonl`)
Each line is a complete rule definition in JSON format containing:
- **id**: Unique rule identifier (e.g., "stellaops.secrets.aws-access-key")
- **version**: SemVer version
- **name**: Human-readable name
- **description**: Detailed description
- **type**: Detection type ("regex" or "entropy")
- **pattern**: Regex pattern for regex-type rules
- **severity**: "critical", "high", "medium", or "low"
- **confidence**: "high", "medium", or "low"
- **keywords**: Array of keywords for pre-filtering
- **filePatterns**: File glob patterns to match
- **enabled**: Whether the rule is active
- **tags**: Categorization tags
## Usage
### Loading a Bundle via CLI
```bash
# Create a new bundle from sources
stellaops secrets bundle create ./sources --output ./bundles/2026.02 --version 2026.02
# Verify bundle integrity
stellaops secrets bundle verify ./bundles/2026.01
# Show bundle info
stellaops secrets bundle info ./bundles/2026.01
```
### Loading a Bundle Programmatically
```csharp
var loader = serviceProvider.GetRequiredService<IRulesetLoader>();
var ruleset = await loader.LoadFromBundleAsync("./bundles/2026.01", ct);
// Use with SecretsAnalyzer
var analyzer = new SecretsAnalyzerHost(ruleset, options);
var results = await analyzer.AnalyzeAsync(files, ct);
```
## Offline Kit Integration
Bundles are included in the Offline Kit export under `rules/secrets/`. During import, the bundle signature is verified against the Attestor trust store before activation.
See [Offline Kit Documentation](../../../docs/24_OFFLINE_KIT.md) for details.
## Rule Categories
| Category | Description | Example Rules |
|----------|-------------|---------------|
| cloud | Cloud provider credentials | AWS, Azure, GCP keys |
| credentials | Generic passwords and secrets | Connection strings, passwords |
| api-keys | Third-party API keys | Datadog, SendGrid, Stripe |
| registry | Package registry tokens | NPM, NuGet, PyPI |
| scm | Source control tokens | GitHub, GitLab PATs |
| crypto | Cryptographic keys | Private keys (RSA, EC, SSH) |
| payment | Payment processor keys | Stripe secret keys |
| webhook | Webhook URLs | Slack webhooks |
## Severity Levels
| Severity | Description |
|----------|-------------|
| critical | Immediate credential exposure risk (cloud keys, private keys) |
| high | High-value tokens with significant access (PATs, API keys) |
| medium | Limited-scope credentials or lower confidence detections |
| low | Informational findings, potential false positives |
## Contributing New Rules
1. Create a new rule JSON file in `sources/` following the schema
2. Run validation: `stellaops secrets bundle create ./sources --output ./test-bundle --validate-only`
3. Submit PR with the new rule file
4. New bundles are built automatically during release
## Version History
| Version | Date | Changes |
|---------|------|---------|
| 2026.01 | 2026-01-04 | Initial release with 30 rules |