Secret Detection Tenant Configuration API

Module

Scanner

Status

IMPLEMENTED

Description

Per-tenant secret detection configuration with SecretRevelationPolicy (FullMask/PartialReveal/AuditOnly), exception allowlist patterns, enabled rule categories, and CRUD API endpoints with OpenAPI specs. Includes EF Core/Dapper persistence.

Implementation Details

Revelation Policy:
- src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretRevelationPolicy.cs - SecretRevelationPolicy enum (FullMask, PartialReveal, AuditOnly) controlling how detected secrets are displayed
- src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretRevelationService.cs - SecretRevelationService applying revelation policy to detected secrets
Detection Settings:
- src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretDetectionSettings.cs - SecretDetectionSettings per-tenant configuration including enabled rule categories, exception allowlist patterns, and revelation policy
Secret Masking:
- src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Masking/SecretMasker.cs - SecretMasker applying masking according to the configured revelation policy
Persistence:
- src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresSecretDetectionSettingsRepository.cs - PostgresSecretDetectionSettingsRepository persisting per-tenant settings in PostgreSQL
- src/Scanner/__Libraries/StellaOps.Scanner.Storage/Entities/SecretDetectionSettingsRow.cs - Database entity for settings storage
API:
- src/Scanner/StellaOps.Scanner.WebService/Services/SecretDetectionSettingsService.cs - SecretDetectionSettingsService business logic for CRUD operations on detection settings
- src/Scanner/StellaOps.Scanner.WebService/Contracts/SecretDetectionConfigContracts.cs - API contracts for secret detection configuration endpoints
Tests:
- src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Secrets/Configuration/SecretDetectionSettingsTests.cs - Settings model tests
- src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Secrets/Configuration/SecretRevelationServiceTests.cs - Revelation service tests
- src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Secrets/Configuration/RevelationPolicyConfigTests.cs - Policy config tests
- src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Secrets/Masking/SecretMaskerTests.cs - Masking tests

E2E Test Plan

Create a per-tenant secret detection configuration via the API with FullMask revelation policy and verify it persists in PostgreSQL
Switch revelation policy to PartialReveal and verify detected secrets show partial content (e.g., first/last 4 characters)
Configure exception allowlist patterns and verify matching secrets are excluded from detection results
Enable/disable specific rule categories and verify only enabled categories produce findings
Verify AuditOnly mode logs secrets for audit without masking in internal records
Verify CRUD API endpoints return proper OpenAPI-compliant responses with correct HTTP status codes

3.1 KiB Raw Blame History