39 lines
3.1 KiB
Markdown
# Secret Detection Tenant Configuration API

## Module

Scanner

## Status

IMPLEMENTED

## Description

Per-tenant secret detection configuration with SecretRevelationPolicy (FullMask/PartialReveal/AuditOnly), exception allowlist patterns, enabled rule categories, and CRUD API endpoints with OpenAPI specs. Includes EF Core/Dapper persistence.

## Implementation Details

- **Revelation Policy**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretRevelationPolicy.cs` - `SecretRevelationPolicy` enum (FullMask, PartialReveal, AuditOnly) controlling how detected secrets are displayed
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretRevelationService.cs` - `SecretRevelationService` applying the revelation policy to detected secrets
- **Detection Settings**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Configuration/SecretDetectionSettings.cs` - `SecretDetectionSettings` per-tenant configuration including enabled rule categories, exception allowlist patterns, and revelation policy
- **Secret Masking**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Core/Secrets/Masking/SecretMasker.cs` - `SecretMasker` applying masking according to the configured revelation policy
- **Persistence**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresSecretDetectionSettingsRepository.cs` - `PostgresSecretDetectionSettingsRepository` persisting per-tenant settings in PostgreSQL
  - `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Entities/SecretDetectionSettingsRow.cs` - Database entity for settings storage
- **API**:
  - `src/Scanner/StellaOps.Scanner.WebService/Services/SecretDetectionSettingsService.cs` - `SecretDetectionSettingsService` business logic for CRUD operations on detection settings
  - `src/Scanner/StellaOps.Scanner.WebService/Contracts/SecretDetectionConfigContracts.cs` - API contracts for secret detection configuration endpoints
- **Tests**:
  - `src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Secrets/Configuration/SecretDetectionSettingsTests.cs` - Settings model tests
  - `src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Secrets/Configuration/SecretRevelationServiceTests.cs` - Revelation service tests
  - `src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Secrets/Configuration/RevelationPolicyConfigTests.cs` - Policy config tests
  - `src/Scanner/__Tests/StellaOps.Scanner.Core.Tests/Secrets/Masking/SecretMaskerTests.cs` - Masking tests
## E2E Test Plan

- [ ] Create a per-tenant secret detection configuration via the API with FullMask revelation policy and verify it persists in PostgreSQL
- [ ] Switch revelation policy to PartialReveal and verify detected secrets show partial content (e.g., first/last 4 characters)
- [ ] Configure exception allowlist patterns and verify matching secrets are excluded from detection results
- [ ] Enable/disable specific rule categories and verify only enabled categories produce findings
- [ ] Verify AuditOnly mode logs secrets for audit without masking in internal records
- [ ] Verify CRUD API endpoints return proper OpenAPI-compliant responses with correct HTTP status codes
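
The following is an added illustrative example covering the behaviour the Implementation Details and the E2E Test Plan above describe (revelation policy, allowlist exceptions, enabled rule categories). It is not the project's own code: the type names mirror the page, but every signature, the split between a displayed value and an internal audit value, the 4-character reveal edge and the 12-character minimum for PartialReveal, and the regex match timeout on tenant-supplied allowlist patterns are assumptions made here.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Added illustrative code: names follow the page, every signature here is an assumption.
public enum SecretRevelationPolicy { FullMask, PartialReveal, AuditOnly }

public sealed record SecretDetectionSettings(
    string TenantId,
    SecretRevelationPolicy RevelationPolicy,
    IReadOnlyList<string> ExceptionAllowlistPatterns,
    IReadOnlySet<string> EnabledRuleCategories);

public sealed record DetectedSecret(string RuleCategory, string RuleId, string RawValue);

// Display is what reports and the UI show; AuditValue is what the internal audit record stores.
public sealed record RevealedSecret(string RuleId, string Display, string AuditValue);

public static class SecretMasker
{
    private const int PartialEdge = 4;        // characters kept at each end under PartialReveal
    private const int MinPartialLength = 12;  // shorter values fall back to a full mask (assumption)

    public static RevealedSecret Apply(DetectedSecret secret, SecretRevelationPolicy policy)
    {
        string raw = secret.RawValue;
        string full = new string('*', raw.Length);
        switch (policy)
        {
            case SecretRevelationPolicy.FullMask:
                return new RevealedSecret(secret.RuleId, full, full);
            case SecretRevelationPolicy.PartialReveal:
                // Keeping 4+4 characters of a short value would reveal most of it, so mask fully.
                if (raw.Length < MinPartialLength)
                    return new RevealedSecret(secret.RuleId, full, full);
                string partial = raw[..PartialEdge]
                               + new string('*', raw.Length - 2 * PartialEdge)
                               + raw[^PartialEdge..];
                return new RevealedSecret(secret.RuleId, partial, partial);
            case SecretRevelationPolicy.AuditOnly:
                // Display stays masked; only the internal audit record keeps the raw value.
                return new RevealedSecret(secret.RuleId, full, raw);
            default:
                throw new ArgumentOutOfRangeException(nameof(policy), policy, "unknown revelation policy");
        }
    }
}

public static class SecretDetectionPipeline
{
    public static IReadOnlyList<RevealedSecret> Process(
        SecretDetectionSettings settings, IEnumerable<DetectedSecret> findings)
    {
        // Allowlist patterns are tenant-supplied input: compile them with a match timeout so a
        // pathological pattern (catastrophic backtracking) cannot stall the scanner.
        var allowlist = settings.ExceptionAllowlistPatterns
            .Select(p => new Regex(p, RegexOptions.CultureInvariant, TimeSpan.FromMilliseconds(100)))
            .ToList();

        var results = new List<RevealedSecret>();
        foreach (var finding in findings)
        {
            if (!settings.EnabledRuleCategories.Contains(finding.RuleCategory))
                continue;                                   // category disabled for this tenant
            if (allowlist.Any(rx => IsAllowlisted(rx, finding.RawValue)))
                continue;                                   // explicit exception, not reported
            results.Add(SecretMasker.Apply(finding, settings.RevelationPolicy));
        }
        return results;
    }

    private static bool IsAllowlisted(Regex rx, string value)
    {
        try { return rx.IsMatch(value); }
        catch (RegexMatchTimeoutException) { return false; } // fail closed: keep the finding
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample findings; the values are placeholders, not real credentials.
        var findings = new[]
        {
            new DetectedSecret("api-key",  "generic-api-key", "EXAMPLEKEY0123456789ABCD"),
            new DetectedSecret("api-key",  "generic-api-key", "TESTONLY-placeholder-000"),
            new DetectedSecret("password", "basic-auth",      "hunter2"),
            new DetectedSecret("token",    "bearer-token",    "placeholder-token-value-xyz"),
        };
        var settings = new SecretDetectionSettings(
            TenantId: "tenant-a",
            RevelationPolicy: SecretRevelationPolicy.PartialReveal,
            ExceptionAllowlistPatterns: new[] { "^TESTONLY-" },
            EnabledRuleCategories: new HashSet<string> { "api-key", "password" });

        foreach (var r in SecretDetectionPipeline.Process(settings, findings))
            Console.WriteLine($"{r.RuleId}: display={r.Display} audit={r.AuditValue}");
    }
}
```

With the settings shown, the pipeline keeps two findings: the 24-character key is shown as `EXAM****************ABCD`, the 7-character password is fully masked because it is too short for a safe partial reveal, the `TESTONLY-` value is dropped by the allowlist, and the `token` finding is dropped because its category is not enabled. Under AuditOnly the displayed value would be the full mask while the audit value carries the raw secret, so the raw value is confined to the audit channel rather than appearing in ordinary scan output.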