# Secret Detection and Credential Leak Guard
## Module
Scanner
## Status
VERIFIED
## Description
Secret detection analyzer with leak evidence capture, alert emission, and integration into the scanner worker pipeline. Compatible with Grype credential leak test scenarios.
## Implementation Details
- **Secrets Analyzer**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzer.cs` - `SecretsAnalyzer` detecting exposed secrets (API keys, tokens, passwords, private keys) in container image layers using regex-based detection rules
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzerHost.cs` - `SecretsAnalyzerHost` managing the lifecycle and execution of the secrets analyzer
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzerOptions.cs` - Configuration options for detection rules, severity thresholds, and enabled categories
  - `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/ServiceCollectionExtensions.cs` - DI registration for secrets analysis
- **Pipeline Integration**:
  - `src/Scanner/StellaOps.Scanner.Worker/Processing/Secrets/SecretsAnalyzerStageExecutor.cs` - `SecretsAnalyzerStageExecutor`, the scanner worker pipeline stage that executes secrets analysis
- **Alert Emission**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Alerts/SecretAlertEmitter.cs` - `SecretAlertEmitter` emitting alerts for discovered credential leaks
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Alerts/ISecretAlertEmitter.cs` - Interface for alert emission
- **Exception Matching**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretExceptionMatcher.cs` - `SecretExceptionMatcher` matching findings against allowlist patterns to suppress known-safe secrets
- **Tests**:
  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/SecretsAnalyzerTests.cs` - Unit tests for secret detection
  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/SecretsAnalyzerIntegrationTests.cs` - Integration tests
  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/SecretsAnalyzerHostTests.cs` - Host lifecycle tests
  - `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/RegexDetectorTests.cs` - Regex detection rule tests

## E2E Test Plan
- [ ] Scan a container image containing known test secrets and verify `SecretsAnalyzer` detects API keys, tokens, and passwords with correct file paths and line numbers
- [ ] Verify `SecretAlertEmitter` emits alerts for each detected secret with severity classification
- [ ] Verify `SecretExceptionMatcher` suppresses findings matching allowlist patterns (e.g., placeholder values, test credentials)
- [ ] Verify the `SecretsAnalyzerStageExecutor` integrates into the scanner worker pipeline and produces findings in the unified finding format
- [ ] Verify the analyzer handles large files and binary content without performance degradation or false positives
- [ ] Verify compatibility with Grype credential leak test scenarios by running against the same test fixtures

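The detection, suppression and alert flow that the Implementation Details describe and the test plan above exercises (regex rules with file path and line number, allowlist exceptions for placeholders and test fixtures, binary content skipped, redacted evidence in alerts), as an added Python illustration. This is not StellaOps code (the project's analyzer is C#); the rule set, allowlist, severity ranks, entropy threshold, line-length cap and the sample layer contents are all assumptions constructed for the demo.

```python
"""Regex-based secret detection over container-layer files with allowlist
suppression, binary-file skipping and redacted evidence capture.
Added illustration only: rules, allowlist and sample layer are assumptions."""
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Detection rules: (rule id, severity, regex). A capture group, when present,
# isolates the secret value; otherwise the whole match is the evidence.
RULES = [
    ("aws-access-key-id", "critical", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", "critical", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key-block", "critical",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic-api-key", "high",
     re.compile(r"(?i)\b(?:api[_-]?key|secret[_-]?key|client[_-]?secret)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})")),
    ("password-assignment", "medium",
     re.compile(r"(?i)password\s*[:=]\s*['\"]?([^\s'\"]{6,})")),
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
ENTROPY_RULES = {"generic-api-key"}  # structured rules already carry a fixed prefix
MIN_ENTROPY = 3.0                    # bits/char: "aaaa..." scores 0, random tokens > 4
MAX_LINE_LEN = 4096                  # bounds regex work on minified bundles (secrets past the cap are missed)

# Exception (allowlist) configuration: known-safe paths, public example values,
# and placeholder shapes that are never real credentials.
ALLOWLIST_PATH_PATTERNS = [re.compile(r"(?:^|/)tests?/fixtures/")]
KNOWN_EXAMPLE_VALUES = {"AKIAIOSFODNN7EXAMPLE"}  # AWS documentation example key
ALLOWLIST_VALUE_PATTERNS = [
    re.compile(r"(?i)(?:changeme|password|example|placeholder|redacted|dummy)[\w-]*"),
    re.compile(r"<[^>]+>"),             # <YOUR_API_KEY>
    re.compile(r"\$\{?[A-Za-z_]+\}?"),  # ${SECRET} template reference
    re.compile(r"(?i)x+|\*+"),          # xxxxxxxx / ******** masks
]


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    evidence: str                     # redacted: alerts must not re-leak the secret
    suppressed_by: Optional[str] = None


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in [s.count(ch) for ch in set(s)])


def redact(value: str) -> str:
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def looks_binary(data: bytes) -> bool:
    return b"\x00" in data[:8192]     # NUL in the first 8 KiB: treat as binary


def exception_reason(path: str, value: str) -> Optional[str]:
    if any(rx.search(path) for rx in ALLOWLIST_PATH_PATTERNS):
        return "allowlisted-path"
    if value in KNOWN_EXAMPLE_VALUES:
        return "known-example-value"
    if any(rx.fullmatch(value) for rx in ALLOWLIST_VALUE_PATTERNS):
        return "placeholder-value"
    return None


def scan_file(path: str, data: bytes) -> List[Finding]:
    findings: List[Finding] = []
    if looks_binary(data):
        return findings               # ELF/images: regex over raw bytes is mostly noise
    text = data.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line[:MAX_LINE_LEN]
        for rule_id, severity, rx in RULES:
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                reason = exception_reason(path, value)
                if reason is None and rule_id in ENTROPY_RULES and shannon_entropy(value) < MIN_ENTROPY:
                    reason = "low-entropy"
                findings.append(Finding(path, lineno, rule_id, severity, redact(value), reason))
    return findings


def scan_layer(files: Dict[str, bytes]) -> List[Finding]:
    out: List[Finding] = []
    for path in sorted(files):        # deterministic order for reproducible reports
        out.extend(scan_file(path, files[path]))
    return out


def emit_alerts(findings: List[Finding]) -> List[dict]:
    active = [f for f in findings if f.suppressed_by is None]
    active.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.path, f.line))
    return [{"rule": f.rule, "severity": f.severity,
             "location": f"{f.path}:{f.line}", "evidence": f.evidence} for f in active]


# Constructed sample layer (paths and contents invented for the demo).
SAMPLE_LAYER: Dict[str, bytes] = {
    "app/README.md": b"Set API_KEY=<YOUR_API_KEY> before running.\nExample: AKIAIOSFODNN7EXAMPLE\n",
    "app/config.env": b"DB_PASSWORD=changeme\nAPI_KEY=q8Zr2Lk9Xp4Wm7Tn1Bv6Yc3Hs0Dj5Fg\n",
    "app/docker-compose.yml": b"services:\n  api:\n    environment:\n"
                              b"      API_KEY: xxxxxxxxxxxxxxxxxxxx\n      SECRET_KEY: aaaaaaaaaaaaaaaaaaaa\n",
    "app/static/bundle.min.js": b"var a=1;" * 100000,  # one 800 KB line
    "etc/ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "root/.aws/credentials": b"[default]\naws_access_key_id = AKIA3XQ7ZK2B9LM4PW6R\n",
    "tests/fixtures/token.txt": b"token = ghp_" + b"a" * 36 + b"\n",
    "usr/bin/tool": b"\x7fELF\x02\x01\x01\x00" + b"AKIA3XQ7ZK2B9LM4PW6R\x00",
}

if __name__ == "__main__":
    results = scan_layer(SAMPLE_LAYER)
    for f in results:
        state = "suppressed: " + f.suppressed_by if f.suppressed_by else "ALERT"
        print(f"{f.path}:{f.line} {f.rule} [{f.severity}] {f.evidence} {state}")
    print(emit_alerts(results))
```

Running the script lists eight findings, five of them suppressed (public example key, `changeme`, an `xxxx` mask, a low-entropy value, and a token under `tests/fixtures/`), and three alerts ordered critical first. Two deliberate trade-offs are worth noting when mapping this onto a real pipeline: the binary file is skipped outright, so a production analyzer should extract printable runs from it instead of ignoring it, and the per-line cap means a secret placed after the first 4 KiB of a minified bundle goes unseen. Evidence is redacted at capture time because alerts propagate into tickets and logs that are far less protected than the image layer itself.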
## Verification
- Run ID: `run-002`
- Verified at: `2026-02-12T06:04:37.4704947Z`
- Evidence:
  - `docs/qa/feature-checks/runs/scanner/secret-detection-and-credential-leak-guard/run-002/tier0-source-check.json`
  - `docs/qa/feature-checks/runs/scanner/secret-detection-and-credential-leak-guard/run-002/tier1-build-check.json`
  - `docs/qa/feature-checks/runs/scanner/secret-detection-and-credential-leak-guard/run-002/tier2-e2e-check.json`
  - `docs/qa/feature-checks/runs/scanner/secret-detection-and-credential-leak-guard/run-002/retest-result.json`