secure-keys 1.1.7 → 1.2.0

data/lib/validation/validation_result.rb

@@ -0,0 +1,117 @@
+#!/usr/bin/env ruby
+
+require_relative '../core/console/logger'
+
+module SecureKeys
+  module Validation
+    # Encapsulates the result of validating a single secret value
+    class ValidationResult
+      private
+
+      attr_writer :key, :value, :issues, :detected_type
+
+      public
+
+      attr_reader :key, :value, :issues, :detected_type
+
+      # Initialize a new validation result
+      # @param key [Symbol] The key identifier that was validated
+      # @param value [String] The value that was validated
+      # @param issues [Array<ValidationIssue>] The list of issues found during validation
+      # @param detected_type [Hash, nil] The detected secret type config, if any pattern matched
+      def initialize(key:, value:, issues:, detected_type: nil)
+        @key = key
+        @value = value
+        @issues = issues
+        @detected_type = detected_type
+      end
+
+      # Check if validation passed with no errors or critical issues
+      # @return [Boolean] true if no critical or error issues were found
+      def valid?
+        !errors? && !critical?
+      end
+
+      # Check if any critical-severity issues were found
+      # @return [Boolean] true if critical issues exist
+      def critical?
+        issues.any? { |issue| issue.severity == :critical }
+      end
+
+      # Check if any error-severity issues were found
+      # @return [Boolean] true if error issues exist
+      def errors?
+        issues.any? { |issue| issue.severity == :error }
+      end
+
+      # Check if any warning-severity issues were found
+      # @return [Boolean] true if warning issues exist
+      def warnings?
+        issues.any? { |issue| issue.severity == :warning }
+      end
+
+      # Returns the highest severity level across all issues
+      # @return [Symbol] :critical, :error, :warning, or :ok
+      def severity_level
+        return :critical if critical?
+        return :error if errors?
+        return :warning if warnings?
+
+        :ok
+      end
+
+      # Returns a one-line summary of the validation outcome
+      # @return [String] The summary string
+      def summary
+        return "✅ '#{key}' passed validation" if valid?
+
+        "#{severity_icon} '#{key}' has #{issues.length} issue(s)"
+      end
+
+      # Prints the full validation result to the console via Logger
+      def print
+        Core::Console::Logger.message(message: "\nValidation Result for '#{key}':")
+        Core::Console::Logger.message(message: '-' * 70)
+
+        if detected_type
+          Core::Console::Logger.message(message: "Detected Type: #{detected_type[:description]}")
+          Core::Console::Logger.message(message: "Severity:      #{detected_type[:severity]}")
+        end
+
+        if issues.empty?
+          Core::Console::Logger.success(message: '✅ No issues found')
+        else
+          Core::Console::Logger.message(message: '')
+          issues.each { |issue| Core::Console::Logger.message(message: "  #{issue}") }
+        end
+
+        Core::Console::Logger.message(message: '-' * 70)
+      end
+
+      # Returns a hash representation of the validation result
+      # @return [Hash] The hash representation
+      def to_h
+        {
+          key:,
+          valid: valid?,
+          severity: severity_level,
+          detected_type:,
+          issues: issues.map(&:to_h),
+        }
+      end
+
+      private
+
+      # Returns the appropriate icon for the current severity level
+      # @return [String] The severity icon
+      def severity_icon
+        case severity_level
+        when :critical then '🔴'
+        when :error then '❌'
+        when :warning then '⚠️'
+        else '✅'
+        end
+      end
+    end
+  end
+end

data/lib/validation/validator.rb

@@ -0,0 +1,203 @@
+#!/usr/bin/env ruby
+
+require_relative 'globals/globals'
+require_relative 'utils/weak_secrets'
+require_relative 'utils/patterns'
+require_relative 'utils/min_length'
+require_relative 'utils/entropy'
+require_relative 'validation_issue'
+require_relative 'validation_result'
+
+module SecureKeys
+  module Validation
+    # Validates individual secret values against known patterns and security rules
+    class Validator
+      private
+
+      attr_accessor :issues
+
+      public
+
+      # Initialize a new validator
+      def initialize
+        self.issues = []
+      end
+
+      # Validate a single secret value against all configured rules
+      # @param key [Symbol] The key identifier for the secret
+      # @param value [String] The value to validate
+      # @param options [Hash] Additional validation options
+      # @option options [Boolean] :check_entropy Enable Shannon entropy checking (default: false)
+      # @option options [Boolean] :allow_production Skip production key warnings (default: false)
+      # @option options [Boolean] :warn_on_pattern Emit informational notices for matched patterns (default: false)
+      # @return [ValidationResult] The result of the validation
+      def validate(key:, value:, options: {})
+        self.issues = []
+
+        check_empty(key:, value:)
+        check_weak_secret(key:, value:)
+        check_minimum_length(key:, value:)
+        check_pattern_match(key:, value:, options:)
+        check_entropy(key:, value:) if options[:check_entropy]
+
+        ValidationResult.new(key:, value:, issues:, detected_type: detect_type(value:))
+      end
+
+      # Detect the secret type of a value by matching against known patterns
+      # @param value [String] The value to analyze
+      # @return [Hash, nil] The matching pattern config merged with :type key, or nil if no match
+      def detect_type(value:)
+        PATTERNS.each do |type, config|
+          return config.merge(type:) if value.to_s.match?(config[:pattern])
+        end
+
+        nil
+      end
+
+      # Returns security recommendations for a given key name
+      # @param key [Symbol] The key identifier
+      # @return [Array<String>] List of actionable recommendations
+      def recommendations(key:)
+        result = []
+        formatted_key = key.to_s.downcase
+
+        if formatted_key.include?('github')
+          result << 'Use GitHub Personal Access Tokens with minimal required scopes'
+          result << 'Consider fine-grained tokens with repository-specific access'
+        end
+
+        if formatted_key.include?('aws')
+          result << 'Use AWS IAM roles instead of long-lived access keys when possible'
+          result << 'Enable MFA for all IAM users with access keys'
+          result << 'Rotate AWS access keys every 90 days'
+        end
+
+        if formatted_key.include?('stripe')
+          result << 'Never commit live Stripe keys to version control'
+          result << 'Use Stripe test keys for development and staging'
+          result << 'Consider Stripe restricted keys with minimal permissions'
+        end
+
+        if formatted_key.include?('api') || formatted_key.include?('key')
+          result << 'Rotate this key regularly (every 90 days recommended)'
+          result << 'Use environment-specific keys for dev, staging, and production'
+        end
+
+        result
+      end
+
+      private
+
+      # Check if the value is empty
+      # @param key [Symbol] The key identifier
+      # @param value [String] The value to check
+      def check_empty(key:, value:)
+        return unless value.to_s.empty?
+
+        issues << ValidationIssue.new(
+          severity: :error,
+          type: :empty_value,
+          message: "Key '#{key}' has an empty value",
+          recommendation: 'Provide a non-empty secret value'
+        )
+      end
+
+      # Check if the value is a known weak or placeholder secret
+      # @param key [Symbol] The key identifier
+      # @param value [String] The value to check
+      def check_weak_secret(key:, value:)
+        return unless value
+
+        formatted_value = value.downcase
+
+        WEAK_SECRETS.each do |weak|
+          next unless formatted_value == weak || formatted_value.include?(weak)
+
+          issues << ValidationIssue.new(
+            severity: :critical,
+            type: :weak_secret,
+            message: "Key '#{key}' uses a weak or placeholder value matching '#{weak}'",
+            recommendation: 'Replace with a strong, randomly generated secret'
+          )
+        end
+      end
+
+      # Check if the value meets the minimum length requirement for its inferred key type
+      # @param key [Symbol] The key identifier
+      # @param value [String] The value to check
+      def check_minimum_length(key:, value:)
+        return unless value
+
+        key_type = determine_key_type(key:)
+        min_length = MIN_LENGTHS[key_type] || MIN_LENGTHS[:key]
+
+        return unless value.length < min_length
+
+        issues << ValidationIssue.new(
+          severity: :warning,
+          type: :too_short,
+          message: "Key '#{key}' is too short (#{value.length} chars, minimum is #{min_length})",
+          recommendation: "Use a longer secret (recommended: #{min_length * 2}+ characters)"
+        )
+      end
+
+      # Check if the value matches a known production secret pattern
+      # @param key [Symbol] The key identifier
+      # @param value [String] The value to check
+      # @param options [Hash] Validation options controlling severity behaviour
+      def check_pattern_match(key:, value:, options:)
+        return unless value
+
+        detected = detect_type(value:)
+        return unless detected
+
+        if detected[:severity] == :critical && !options[:allow_production]
+          issues << ValidationIssue.new(
+            severity: :critical,
+            type: :production_key_detected,
+            message: "Key '#{key}' appears to be a live #{detected[:description]}",
+            recommendation: 'Use test or development keys locally. Store production keys in your CI/CD secrets manager.'
+          )
+        elsif options[:warn_on_pattern]
+          issues << ValidationIssue.new(
+            severity: :info,
+            type: :pattern_detected,
+            message: "Key '#{key}' matches the pattern for: #{detected[:description]}",
+            recommendation: nil
+          )
+        end
+      end
+
+      # Check if the value has sufficient Shannon entropy to be a strong secret
+      # @param key [Symbol] The key identifier
+      # @param value [String] The value to check
+      def check_entropy(key:, value:)
+        return unless value
+
+        entropy = Entropy.calculate(string: value)
+        return unless entropy < Globals.min_entropy_threshold
+
+        issues << ValidationIssue.new(
+          severity: :warning,
+          type: :low_entropy,
+          message: "Key '#{key}' has low entropy (#{entropy.round(2)})",
+          recommendation: 'Use a more random secret with a wider variety of characters'
+        )
+      end
+
+      # Infer the semantic key type from the key name for minimum-length lookup
+      # @param key [Symbol] The key identifier
+      # @return [Symbol] One of :api_key, :token, :secret, :password, or :key
+      def determine_key_type(key:)
+        formatted_key = key.to_s.downcase
+
+        return :api_key if formatted_key.include?('api') && formatted_key.include?('key')
+        return :token if formatted_key.include?('token')
+        return :secret if formatted_key.include?('secret')
+        return :password if formatted_key.include?('password') || formatted_key.include?('pwd')
+
+        :key
+      end
+    end
+  end
+end

data/lib/version.rb

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 
 module SecureKeys
-  VERSION = '1.1.7'.freeze
+  VERSION = '1.2.0'.freeze
   SUMMARY = 'Secure Keys is a simple tool for managing your secret keys'.freeze
   DESCRIPTION = 'Secure Keys is a simple tool to manage your secret keys in your iOS project'.freeze
   HOMEPAGE_URI = 'https://github.com/derian-cordoba/secure-keys'.freeze

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure-keys
 version: !ruby/object:Gem::Version
-  version: 1.1.7
+  version: 1.2.0
 platform: ruby
 authors:
 - Derian Córdoba
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-05-11 00:00:00.000000000 Z
+date: 2026-06-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -172,6 +172,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- "./lib/core/console/arguments/fetchable.rb"
 - "./lib/core/console/arguments/handler.rb"
 - "./lib/core/console/arguments/parser.rb"
 - "./lib/core/console/arguments/xcframework/handler.rb"
@@ -192,6 +193,22 @@ files:
 - "./lib/core/utils/swift/xcframework.rb"
 - "./lib/core/utils/swift/xcodeproj.rb"
 - "./lib/keys.rb"
+- "./lib/services/environment.rb"
+- "./lib/validation/actions/scan.rb"
+- "./lib/validation/console/arguments/parser.rb"
+- "./lib/validation/console/arguments/scan/handler.rb"
+- "./lib/validation/console/arguments/scan/parser.rb"
+- "./lib/validation/globals/globals.rb"
+- "./lib/validation/models/finding.rb"
+- "./lib/validation/models/scan_result.rb"
+- "./lib/validation/scanner.rb"
+- "./lib/validation/utils/entropy.rb"
+- "./lib/validation/utils/min_length.rb"
+- "./lib/validation/utils/patterns.rb"
+- "./lib/validation/utils/weak_secrets.rb"
+- "./lib/validation/validation_issue.rb"
+- "./lib/validation/validation_result.rb"
+- "./lib/validation/validator.rb"
 - "./lib/version.rb"
 - README.md
 - bin/secure-keys
@@ -204,6 +221,7 @@ metadata:
   homepage_uri: https://github.com/derian-cordoba/secure-keys
   source_code_uri: https://github.com/derian-cordoba/secure-keys
   changelog_uri: https://github.com/derian-cordoba/secure-keys/releases
+  allowed_push_host: https://rubygems.org
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []