38 lines
3.0 KiB
Markdown
38 lines
3.0 KiB
Markdown
# Secret Detection and Credential Leak Guard
|
|
|
|
## Module
|
|
Scanner
|
|
|
|
## Status
|
|
IMPLEMENTED
|
|
|
|
## Description
|
|
Secret detection analyzer with leak evidence capture, alert emission, and integration into the scanner worker pipeline. Compatible with Grype credential leak test scenarios.
|
|
|
|
## Implementation Details
|
|
- **Secrets Analyzer**:
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzer.cs` - `SecretsAnalyzer` detecting exposed secrets (API keys, tokens, passwords, private keys) in container image layers using regex-based detection rules
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzerHost.cs` - `SecretsAnalyzerHost` managing the lifecycle and execution of the secrets analyzer
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzerOptions.cs` - Configuration options for detection rules, severity thresholds, and enabled categories
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/ServiceCollectionExtensions.cs` - DI registration for secrets analysis
|
|
- **Pipeline Integration**:
|
|
- `src/Scanner/StellaOps.Scanner.Worker/Processing/Secrets/SecretsAnalyzerStageExecutor.cs` - `SecretsAnalyzerStageExecutor` scanner worker pipeline stage executing secrets analysis
|
|
- **Alert Emission**:
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Alerts/SecretAlertEmitter.cs` - `SecretAlertEmitter` emitting alerts for discovered credential leaks
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Alerts/ISecretAlertEmitter.cs` - Interface for alert emission
|
|
- **Exception Matching**:
|
|
- `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretExceptionMatcher.cs` - `SecretExceptionMatcher` matching findings against allowlist patterns to suppress known-safe secrets
|
|
- **Tests**:
|
|
- `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/SecretsAnalyzerTests.cs` - Unit tests for secret detection
|
|
- `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/SecretsAnalyzerIntegrationTests.cs` - Integration tests
|
|
- `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/SecretsAnalyzerHostTests.cs` - Host lifecycle tests
|
|
- `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/RegexDetectorTests.cs` - Regex detection rule tests
|
|
|
|
## E2E Test Plan
|
|
- [ ] Scan a container image containing known test secrets and verify `SecretsAnalyzer` detects API keys, tokens, and passwords with correct file paths and line numbers
|
|
- [ ] Verify `SecretAlertEmitter` emits alerts for each detected secret with severity classification
|
|
- [ ] Verify `SecretExceptionMatcher` suppresses findings matching allowlist patterns (e.g., placeholder values, test credentials)
|
|
- [ ] Verify the `SecretsAnalyzerStageExecutor` integrates into the scanner worker pipeline and produces findings in the unified finding format
|
|
- [ ] Verify the analyzer handles large files and binary content without performance degradation or false positives
|
|
- [ ] Verify compatibility with Grype credential leak test scenarios by running against the same test fixtures
|