git.stella-ops.org/docs/features/unchecked/scanner/secret-detection-and-credential-leak-guard.md

Secret Detection and Credential Leak Guard

Module: Scanner

Status: IMPLEMENTED

Description

Secret detection analyzer with leak evidence capture, alert emission, and integration into the scanner worker pipeline. Compatible with Grype credential leak test scenarios.

Implementation Details

  • Secrets Analyzer:
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzer.cs - SecretsAnalyzer detecting exposed secrets (API keys, tokens, passwords, private keys) in container image layers using regex-based detection rules
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzerHost.cs - SecretsAnalyzerHost managing the lifecycle and execution of the secrets analyzer
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzerOptions.cs - Configuration options for detection rules, severity thresholds, and enabled categories
    • src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/ServiceCollectionExtensions.cs - DI registration for secrets analysis
  • Pipeline Integration:
    • src/Scanner/StellaOps.Scanner.Worker/Processing/Secrets/SecretsAnalyzerStageExecutor.cs - SecretsAnalyzerStageExecutor, the scanner worker pipeline stage that runs secrets analysis
  • Alert Emission:
    • src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Alerts/SecretAlertEmitter.cs - SecretAlertEmitter emitting alerts for discovered credential leaks
    • src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Alerts/ISecretAlertEmitter.cs - Interface for alert emission
  • Exception Matching:
    • src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretExceptionMatcher.cs - SecretExceptionMatcher matching findings against allowlist patterns to suppress known-safe secrets
  • Tests:
    • src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/SecretsAnalyzerTests.cs - Unit tests for secret detection
    • src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/SecretsAnalyzerIntegrationTests.cs - Integration tests
    • src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/SecretsAnalyzerHostTests.cs - Host lifecycle tests
    • src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Secrets.Tests/RegexDetectorTests.cs - Regex detection rule tests

E2E Test Plan

  • Scan a container image containing known test secrets and verify SecretsAnalyzer detects API keys, tokens, and passwords with correct file paths and line numbers
  • Verify SecretAlertEmitter emits alerts for each detected secret with severity classification
  • Verify SecretExceptionMatcher suppresses findings matching allowlist patterns (e.g., placeholder values, test credentials)
  • Verify the SecretsAnalyzerStageExecutor integrates into the scanner worker pipeline and produces findings in the unified finding format
  • Verify the analyzer handles large files and binary content without performance degradation or false positives
  • Verify compatibility with Grype credential leak test scenarios by running against the same test fixtures
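As an added illustration of the components listed under Implementation Details and exercised by the E2E plan (not StellaOps' own code), this Python sketch combines regex detection rules with severity, an allowlist-style exception matcher that suppresses placeholder values, binary-content skipping, and findings that carry file path, line number and masked evidence. The rule patterns, allowlist entries and sample layer contents are constructed for the example and are not the project's rule set or fixtures.

```python
import re
from dataclasses import dataclass
# Detection rules: name -> (severity, regex). Illustrative patterns, not the StellaOps rule set.
RULES = {
    "aws-access-key-id": ("high", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    "private-key-block": ("critical", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    "generic-password": ("medium", re.compile(r"(?i)password\s*[:=]\s*['\"]?([^'\"\s]{6,})")),
}
# Exception matcher: a value matching any entry is recorded as evidence but not alerted.
ALLOWLIST = [
    re.compile(r"EXAMPLE"),                                   # vendor documentation placeholders
    re.compile(r"(?i)^(changeme|placeholder|\$\{[^}]+\})$"),  # template placeholders
]

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    severity: str
    evidence: str     # masked so the alert itself does not re-leak the secret
    suppressed: bool

def scan_file(path: str, data: bytes) -> list[Finding]:
    # A NUL byte in the first 8 KiB marks binary content, which is skipped rather than regex-scanned.
    if b"\x00" in data[:8192]:
        return []
    findings = []
    for lineno, line in enumerate(data.decode("utf-8", errors="replace").splitlines(), start=1):
        for rule, (severity, pattern) in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                suppressed = any(a.search(value) for a in ALLOWLIST)
                evidence = "*" * max(len(value) - 4, 0) + value[-4:]  # keep only a 4-char tail
                findings.append(Finding(path, lineno, rule, severity, evidence, suppressed))
    return findings

def scan_layer(files: dict[str, bytes]) -> list[Finding]:
    return [f for path, data in files.items() for f in scan_file(path, data)]

def alerts(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if not f.suppressed]

# Constructed sample layer: two placeholders to suppress, two real-looking leaks, one binary file.
SAMPLE_LAYER = {
    "app/config.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_PASSWORD=changeme\npassword = 's3cr3t-hunter2'\n",
    "app/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n",
    "app/bin/tool": b"\x7fELF\x00\x00\x01AKIAABCDEFGHIJKLMNOP",
}
```

Running `alerts(scan_layer(SAMPLE_LAYER))` yields two alerts (the real-looking password on line 3 of app/config.env and the private key header), while the two placeholder values remain in the findings list as suppressed evidence and the binary file contributes nothing.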