# Secret Detection Tenant Configuration API

## Module

Scanner

## Status

VERIFIED

## Description

Per-tenant secret detection configuration with `SecretRevelationPolicy` (FullMask/PartialReveal/AuditOnly), exception allowlist patterns, enabled rule categories, and CRUD API endpoints with OpenAPI specs. Includes EF Core/Dapper persistence.

## Implementation Details

- **Revelation Policy**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretRevelationPolicy.cs` - `SecretRevelationPolicy` enum (FullMask, PartialReveal, AuditOnly) controlling how detected secrets are displayed
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretRevelationService.cs` - `SecretRevelationService` applying the revelation policy to detected secrets
- **Detection Settings**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretDetectionSettings.cs` - `SecretDetectionSettings` per-tenant configuration including enabled rule categories, exception allowlist patterns, and revelation policy
- **Secret Masking**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Masking/SecretMasker.cs` - `SecretMasker` applying masking according to the configured revelation policy
- **Persistence**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresSecretDetectionSettingsRepository.cs` - `PostgresSecretDetectionSettingsRepository` persisting per-tenant settings in PostgreSQL
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Entities/SecretDetectionSettingsRow.cs` - Database entity for settings storage
- **API**:
  - `src/Scanner/StellaOps.Scanner.WebService/Services/SecretDetectionSettingsService.cs` - `SecretDetectionSettingsService` business logic for CRUD operations on detection settings
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/SecretDetectionConfigContracts.cs` - API contracts for secret detection configuration endpoints
- **Tests**:
  - `src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Secrets/Configuration/SecretDetectionSettingsTests.cs` - Settings model tests
  - `src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Secrets/Configuration/SecretRevelationServiceTests.cs` - Revelation service tests
  - `src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Secrets/Configuration/RevelationPolicyConfigTests.cs` - Policy config tests
  - `src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Secrets/Masking/SecretMaskerTests.cs` - Masking tests

## E2E Test Plan

- [ ] Create a per-tenant secret detection configuration via the API with the FullMask revelation policy and verify it persists in PostgreSQL
- [ ] Switch the revelation policy to PartialReveal and verify detected secrets show partial content (e.g., first/last 4 characters)
- [ ] Configure exception allowlist patterns and verify matching secrets are excluded from detection results
- [ ] Enable/disable specific rule categories and verify only enabled categories produce findings
- [ ] Verify AuditOnly mode logs secrets for audit without masking in internal records
- [ ] Verify CRUD API endpoints return proper OpenAPI-compliant responses with correct HTTP status codes

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |
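As an added example that is not StellaOps code, the following Python sketch models the behaviour the E2E plan above checks: rule-category filtering, allowlist exceptions, and the three revelation policies, including the short-secret case where a first/last-4 reveal would expose most of the value. Class and function names, the 4-character reveal width, the fixed-width full mask and the short-secret fallback are assumptions, not the project's API.

```python
# Added example (not StellaOps code): a minimal model of the per-tenant
# revelation policy. Names and the 4-char reveal width are assumptions.
import re
from dataclasses import dataclass
from enum import Enum


class SecretRevelationPolicy(Enum):
    FULL_MASK = "FullMask"
    PARTIAL_REVEAL = "PartialReveal"
    AUDIT_ONLY = "AuditOnly"


@dataclass(frozen=True)
class SecretDetectionSettings:
    """Per-tenant settings: policy, enabled rule categories, allowlist regexes."""
    policy: SecretRevelationPolicy = SecretRevelationPolicy.FULL_MASK
    enabled_categories: frozenset = frozenset({"aws-access-key", "generic-api-key"})
    allowlist_patterns: tuple = ()  # regexes for values the tenant declares safe


def mask_secret(value: str, policy: SecretRevelationPolicy, reveal: int = 4) -> str:
    """Return the form of a secret that is recorded under the given policy."""
    if policy is SecretRevelationPolicy.AUDIT_ONLY:
        return value  # assumption: AuditOnly keeps the raw value in audit records
    # PartialReveal shows the first/last `reveal` chars only when enough of the
    # secret stays hidden; a short secret falls back to a full mask instead.
    if policy is SecretRevelationPolicy.PARTIAL_REVEAL and len(value) >= 3 * reveal:
        return value[:reveal] + "*" * (len(value) - 2 * reveal) + value[-reveal:]
    return "*" * 8  # fixed width so the mask does not leak the secret's length


def apply_settings(findings, settings: SecretDetectionSettings):
    """Filter (category, raw_value) findings by enabled category and allowlist,
    then apply the tenant's revelation policy to each surviving value."""
    allow = [re.compile(p) for p in settings.allowlist_patterns]
    results = []
    for category, raw in findings:
        if category not in settings.enabled_categories:
            continue  # rule category disabled for this tenant
        if any(rx.search(raw) for rx in allow):
            continue  # matches an exception allowlist pattern
        results.append((category, mask_secret(raw, settings.policy)))
    return results


# Constructed sample findings; placeholder strings, not real credentials.
SAMPLE_FINDINGS = [
    ("aws-access-key", "AKIAEXAMPLEKEY000001"),
    ("generic-api-key", "sk_test_placeholder_abcdef"),
    ("generic-api-key", "short1"),
    ("private-key", "-----BEGIN PLACEHOLDER-----"),
]
```

Calling `apply_settings(SAMPLE_FINDINGS, SecretDetectionSettings(policy=SecretRevelationPolicy.PARTIAL_REVEAL, allowlist_patterns=(r"^sk_test_",)))` returns the AWS-style key as `AKIA************0001` and the short key fully masked, while the `sk_test_` value and the disabled `private-key` category are dropped.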