circle-ir-ai 2.7.19 → 2.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/secret-scan/history-patterns.d.ts +30 -0
- package/dist/secret-scan/history-patterns.d.ts.map +1 -0
- package/dist/secret-scan/history-patterns.js +162 -0
- package/dist/secret-scan/history-patterns.js.map +1 -0
- package/dist/secret-scan/index.d.ts +14 -7
- package/dist/secret-scan/index.d.ts.map +1 -1
- package/dist/secret-scan/index.js +15 -8
- package/dist/secret-scan/index.js.map +1 -1
- package/dist/secret-scan/patterns.d.ts +14 -1
- package/dist/secret-scan/patterns.d.ts.map +1 -1
- package/dist/secret-scan/patterns.js +14 -1
- package/dist/secret-scan/patterns.js.map +1 -1
- package/dist/secret-scan/scanner.d.ts +29 -44
- package/dist/secret-scan/scanner.d.ts.map +1 -1
- package/dist/secret-scan/scanner.js +231 -210
- package/dist/secret-scan/scanner.js.map +1 -1
- package/dist/trust/passes/hardcoded-secrets.d.ts +11 -1
- package/dist/trust/passes/hardcoded-secrets.d.ts.map +1 -1
- package/dist/trust/passes/hardcoded-secrets.js +19 -5
- package/dist/trust/passes/hardcoded-secrets.js.map +1 -1
- package/package.json +2 -2
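--- a/package/dist/secret-scan/history-patterns.d.ts
+++ b/package/dist/secret-scan/history-patterns.d.ts
@@ -0,0 +1,30 @@
+/**
+* Minimal Secret Patterns for Git History Scanning
+*
+* IMPORTANT: These patterns are ONLY for scanning git diffs where we cannot
+* use circle-ir's analyze() function. For working-tree file scanning, we
+* delegate to circle-ir's ScanSecretsPass which has comprehensive coverage.
+*
+* This file intentionally duplicates a minimal subset of patterns to support
+* git history scanning. The authoritative patterns live in circle-ir.
+*/
+import type { SecretSeverity } from './scanner.js';
+export interface HistoryPattern {
+id: string;
+name: string;
+pattern: RegExp;
+severity: SecretSeverity;
+category: string;
+falsePositivePatterns?: RegExp[];
+validator?: (match: string) => boolean;
+}
+/**
+* Minimal high-confidence patterns for git history scanning.
+* These mirror circle-ir's ScanSecretsPass provider patterns.
+*/
+export declare const HISTORY_SCAN_PATTERNS: HistoryPattern[];
+/**
+* Calculate Shannon entropy of a string
+*/
+export declare function calculateEntropy(str: string): number;
+//# sourceMappingURL=history-patterns.d.ts.map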
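Review bot: `falsePositivePatterns` and `validator` on `HistoryPattern` (lines 18–19) are undocumented, yet this declaration is the contract pattern authors write against, so the order in which the two filters run and whether a `false` from `validator` discards the match have to be guessed from scanner.js, which is outside this hunk. A one-line TSDoc on each field in the source .ts — for `validator` something like `/** Optional post-match check; return false to discard the match */`, worded to match what scanner.js actually does — would carry through to this generated file. `calculateEntropy` (line 29) would likewise benefit from `@param str` / `@returns` lines stating the unit, bits per character, and the 0 result for an empty string that the implementation in history-patterns.js makes explicit.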
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"history-patterns.d.ts","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEnD,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,SAAS,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;CACxC;AAED;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,cAAc,EAuIjD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAgBpD"}
|
|
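--- a/package/dist/secret-scan/history-patterns.js
+++ b/package/dist/secret-scan/history-patterns.js
@@ -0,0 +1,162 @@
+/**
+* Minimal Secret Patterns for Git History Scanning
+*
+* IMPORTANT: These patterns are ONLY for scanning git diffs where we cannot
+* use circle-ir's analyze() function. For working-tree file scanning, we
+* delegate to circle-ir's ScanSecretsPass which has comprehensive coverage.
+*
+* This file intentionally duplicates a minimal subset of patterns to support
+* git history scanning. The authoritative patterns live in circle-ir.
+*/
+/**
+* Minimal high-confidence patterns for git history scanning.
+* These mirror circle-ir's ScanSecretsPass provider patterns.
+*/
+export const HISTORY_SCAN_PATTERNS = [
+// AWS
+{
+id: 'aws-access-key-id',
+name: 'AWS Access Key ID',
+pattern: /\bAKIA[0-9A-Z]{16}\b/g,
+severity: 'critical',
+category: 'aws',
+},
+// GitHub tokens
+{
+id: 'github-pat',
+name: 'GitHub Personal Access Token',
+pattern: /\bghp_[A-Za-z0-9]{36}\b/g,
+severity: 'critical',
+category: 'github',
+},
+{
+id: 'github-oauth',
+name: 'GitHub OAuth Token',
+pattern: /\bgho_[A-Za-z0-9]{36}\b/g,
+severity: 'critical',
+category: 'github',
+},
+{
+id: 'github-app-token',
+name: 'GitHub App Token',
+pattern: /\bghs_[A-Za-z0-9]{36}\b/g,
+severity: 'critical',
+category: 'github',
+},
+{
+id: 'github-user-token',
+name: 'GitHub User-to-Server Token',
+pattern: /\bghu_[A-Za-z0-9]{36}\b/g,
+severity: 'critical',
+category: 'github',
+},
+{
+id: 'github-refresh-token',
+name: 'GitHub Refresh Token',
+pattern: /\bghr_[A-Za-z0-9]{36}\b/g,
+severity: 'critical',
+category: 'github',
+},
+// Stripe
+{
+id: 'stripe-secret-key',
+name: 'Stripe Secret Key',
+pattern: /\bsk_live_[A-Za-z0-9]{24,}\b/g,
+severity: 'critical',
+category: 'stripe',
+},
+{
+id: 'stripe-publishable-key',
+name: 'Stripe Publishable Key',
+pattern: /\bpk_live_[A-Za-z0-9]{24,}\b/g,
+severity: 'high',
+category: 'stripe',
+},
+// OpenAI
+{
+id: 'openai-api-key',
+name: 'OpenAI API Key',
+pattern: /\bsk-[A-Za-z0-9]{48}\b/g,
+severity: 'critical',
+category: 'openai',
+},
+// Anthropic
+{
+id: 'anthropic-api-key',
+name: 'Anthropic API Key',
+pattern: /\bsk-ant-[A-Za-z0-9_-]{90,}\b/g,
+severity: 'critical',
+category: 'anthropic',
+},
+// Slack
+{
+id: 'slack-token',
+name: 'Slack Token',
+pattern: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g,
+severity: 'critical',
+category: 'slack',
+},
+// Google
+{
+id: 'gcp-api-key',
+name: 'Google Cloud API Key',
+pattern: /\bAIza[0-9A-Za-z_-]{35}\b/g,
+severity: 'critical',
+category: 'gcp',
+},
+// JWT
+{
+id: 'jwt-token',
+name: 'JSON Web Token',
+pattern: /\beyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g,
+severity: 'critical',
+category: 'jwt',
+validator: (match) => {
+const parts = match.split('.');
+if (parts.length !== 3)
+return false;
+try {
+const header = JSON.parse(atob(parts[0].replace(/-/g, '+').replace(/_/g, '/')));
+return header && typeof header === 'object';
+}
+catch {
+return false;
+}
+},
+},
+// Private Keys
+{
+id: 'pem-private-key',
+name: 'PEM Private Key',
+pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----/g,
+severity: 'critical',
+category: 'private-key',
+},
+// npm
+{
+id: 'npm-token',
+name: 'npm Access Token',
+pattern: /\bnpm_[A-Za-z0-9]{36}\b/g,
+severity: 'critical',
+category: 'npm',
+},
+];
+/**
+* Calculate Shannon entropy of a string
+*/
+export function calculateEntropy(str) {
+const len = str.length;
+if (len === 0)
+return 0;
+const freq = new Map();
+for (const char of str) {
+freq.set(char, (freq.get(char) || 0) + 1);
+}
+let entropy = 0;
+for (const count of freq.values()) {
+const p = count / len;
+entropy -= p * Math.log2(p);
+}
+return entropy;
+}
+//# sourceMappingURL=history-patterns.js.map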
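Review bot: Every `pattern` in HISTORY_SCAN_PATTERNS (lines 20, 28, … 139) is a module-level RegExp carrying the `g` flag, which makes `lastIndex` shared mutable state across calls; if `scanLineWithPatterns` in scanner.js (not in this hunk) drives them with `pattern.test()` or `pattern.exec()` rather than `String.prototype.matchAll`, a line that matches advances `lastIndex` and the next line scanned with the same object can silently skip a secret that sits before that offset — a false negative in exactly the history path these patterns exist for. `matchAll` clones the regex so it is safe, but the cheaper defensive fix that works for either consumer is `pattern.lastIndex = 0;` before each use, or keeping the flag out of the table and constructing a per-call copy with `new RegExp(p.pattern.source, 'g')`. Separately, the JWT `validator` (line 120) returns `header && typeof header === 'object'`, which yields `null` rather than `false` when the header decodes to JSON `null` (and `0` for `0`), so the declared `(match: string) => boolean` contract is not met; `return header !== null && typeof header === 'object';` keeps it boolean. The `calculateEntropy` doc (lines 144–146) could also state the unit, e.g. `* @returns Shannon entropy in bits per character; 0 for the empty string`.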
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"history-patterns.js","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAcH;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAqB;IACrD,MAAM;IACN;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,uBAAuB;QAChC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;KAChB;IAED,gBAAgB;IAChB;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,8BAA8B;QACpC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IAED,SAAS;IACT;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;KACnB;IAED,SAAS;IACT;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,yBAAyB;QAClC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IAED,YAAY;IACZ;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,gCAAgC;QACzC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,WAAW;KACtB;IAED,QAAQ;IACR;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;KAClB;IAED,SAAS;IACT;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,4BAA4B;QACrC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;KAChB;IAED,MAAM;IACN;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YACrC,IAAI,CAA
C;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;gBAChF,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC;YAC9C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;KACF;IAED,eAAe;IACf;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;KACxB;IAED,MAAM;IACN;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;KAChB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACvB,IAAI,GAAG,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAExB,MAAM,IAAI,GAAwB,IAAI,GAAG,EAAE,CAAC;IAC5C,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
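--- a/package/dist/secret-scan/index.d.ts
+++ b/package/dist/secret-scan/index.d.ts
@@ -1,12 +1,19 @@
 /**
 * Secret Scan Module
 *
-*
-* -
-* - Git history scanning
-* -
-*
+* Architecture (refactored):
+* - Working-tree scanning: Delegates to circle-ir's ScanSecretsPass
+* - Git history scanning: Uses minimal patterns (circle-ir-ai domain)
+* - LLM verification: Reduces false positives via context analysis
+*
+* This module consumes CircleIR findings for SAST, not reimplementing.
+*/
+export { SecretScanner, scanForSecrets, quickSecretScan, formatSecretReport, type SecretScanOptions, type ScanProgress, type DetectedSecret, type SecretScanResult, type SecretSeverity, } from './scanner.js';
+export { HISTORY_SCAN_PATTERNS, calculateEntropy, type HistoryPattern, } from './history-patterns.js';
+/**
+* @deprecated Use circle-ir's ScanSecretsPass for SAST detection.
+* These exports are maintained for backwards compatibility only.
+* Import from './history-patterns.js' for git history scanning.
 */
-export { SECRET_PATTERNS,
-export { SecretScanner, scanForSecrets, quickSecretScan, formatSecretReport, type SecretScanOptions, type ScanProgress, type DetectedSecret, type SecretScanResult, } from './scanner.js';
+export { SECRET_PATTERNS, getPatternsByCategory, getPatternsBySeverity, getPatternCategories, type SecretPattern, } from './patterns.js';
 //# sourceMappingURL=index.d.ts.map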
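Review bot: `calculateEntropy` is now re-exported from './history-patterns.js' (new line 12), but the previous index.js re-exported it from './patterns.js' (removed line 11 of the index.js hunk below) and the patterns.js hunk in this diff changes only the header comment (+14 −1), so that original copy presumably still ships, leaving two implementations of the same function in the package. Likewise `type SecretSeverity` is re-exported from './scanner.js' (new line 11) while patterns.d.ts still declares its own identical union, so `SecretPattern.severity` and `HistoryPattern.severity` are distinct aliases that stay assignable only as long as both files keep the same four literals. Having the patterns source re-export both from their new homes — `export { calculateEntropy } from './history-patterns.js';` and `export type { SecretSeverity } from './scanner.js';` — would leave a single source of truth; the same observation applies to the index.js hunk below.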
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/secret-scan/index.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/secret-scan/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EACL,aAAa,EACb,cAAc,EACd,eAAe,EACf,kBAAkB,EAClB,KAAK,iBAAiB,EACtB,KAAK,YAAY,EACjB,KAAK,cAAc,EACnB,KAAK,gBAAgB,EACrB,KAAK,cAAc,GACpB,MAAM,cAAc,CAAC;AAGtB,OAAO,EACL,qBAAqB,EACrB,gBAAgB,EAChB,KAAK,cAAc,GACpB,MAAM,uBAAuB,CAAC;AAE/B;;;;GAIG;AACH,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,qBAAqB,EACrB,oBAAoB,EACpB,KAAK,aAAa,GACnB,MAAM,eAAe,CAAC"}
|
|
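--- a/package/dist/secret-scan/index.js
+++ b/package/dist/secret-scan/index.js
@@ -1,14 +1,21 @@
 /**
 * Secret Scan Module
 *
-*
-* -
-* - Git history scanning
-* -
-*
+* Architecture (refactored):
+* - Working-tree scanning: Delegates to circle-ir's ScanSecretsPass
+* - Git history scanning: Uses minimal patterns (circle-ir-ai domain)
+* - LLM verification: Reduces false positives via context analysis
+*
+* This module consumes CircleIR findings for SAST, not reimplementing.
 */
-//
-export { SECRET_PATTERNS, calculateEntropy, getPatternsByCategory, getPatternsBySeverity, getPatternCategories, } from './patterns.js';
-// Scanner
+// Scanner (main API)
 export { SecretScanner, scanForSecrets, quickSecretScan, formatSecretReport, } from './scanner.js';
+// History patterns (for git history scanning only)
+export { HISTORY_SCAN_PATTERNS, calculateEntropy, } from './history-patterns.js';
+/**
+* @deprecated Use circle-ir's ScanSecretsPass for SAST detection.
+* These exports are maintained for backwards compatibility only.
+* Import from './history-patterns.js' for git history scanning.
+*/
+export { SECRET_PATTERNS, getPatternsByCategory, getPatternsBySeverity, getPatternCategories, } from './patterns.js';
 //# sourceMappingURL=index.js.map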
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/secret-scan/index.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/secret-scan/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,qBAAqB;AACrB,OAAO,EACL,aAAa,EACb,cAAc,EACd,eAAe,EACf,kBAAkB,GAMnB,MAAM,cAAc,CAAC;AAEtB,mDAAmD;AACnD,OAAO,EACL,qBAAqB,EACrB,gBAAgB,GAEjB,MAAM,uBAAuB,CAAC;AAE/B;;;;GAIG;AACH,OAAO,EACL,eAAe,EACf,qBAAqB,EACrB,qBAAqB,EACrB,oBAAoB,GAErB,MAAM,eAAe,CAAC"}
|
|
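--- a/package/dist/secret-scan/patterns.d.ts
+++ b/package/dist/secret-scan/patterns.d.ts
@@ -1,7 +1,20 @@
 /**
 * Secret Detection Pattern Library
 *
-*
+* @deprecated This file is DEPRECATED. circle-ir's ScanSecretsPass now handles
+* SAST-level secret detection. This module violated the architectural boundary
+* by reimplementing SAST logic that belongs in circle-ir.
+*
+* For git history scanning (circle-ir-ai's legitimate domain), use
+* './history-patterns.js' which contains a minimal pattern set.
+*
+* This file is maintained only for backwards compatibility. Do not add new
+* patterns here - contribute them to circle-ir instead.
+*
+* Migration:
+* - Working-tree scanning: Use circle-ir's analyze() → filter hardcoded-credential findings
+* - Git history scanning: Use HISTORY_SCAN_PATTERNS from './history-patterns.js'
+* - LLM verification: Use SecretScanner with llmVerify: true
 */
 export type SecretSeverity = 'critical' | 'high' | 'medium' | 'low';
 export interface SecretPattern {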
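Review bot: The `@deprecated` tag sits in the JSDoc block that immediately precedes `export type SecretSeverity` (line 19), so TypeScript will most likely attach the deprecation to that alias and to nothing else — editors will strike through `SecretSeverity` while `SECRET_PATTERNS`, `getPatternsByCategory` and the other exports the notice is actually about remain unflagged. A file-level notice is better carried in a plain `/* … */` comment (or a `@packageDocumentation` block), with a short `/** @deprecated Use circle-ir's ScanSecretsPass; see './history-patterns.js' for git history scanning. */` placed on each deprecated export in the source .ts so the generated declaration marks the right symbols. The same header layout appears in the patterns.js hunk below.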
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../src/secret-scan/patterns.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../src/secret-scan/patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEpE,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,SAAS,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;IACvC,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;CAClC;AAgbD;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAgBpD;AAED;;GAEG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EAY1C,CAAC;AAEF;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa,EAAE,CAEvE;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,cAAc,GAAG,aAAa,EAAE,CAE/E;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,EAAE,CAE/C"}
|
|
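--- a/package/dist/secret-scan/patterns.js
+++ b/package/dist/secret-scan/patterns.js
@@ -1,7 +1,20 @@
 /**
 * Secret Detection Pattern Library
 *
-*
+* @deprecated This file is DEPRECATED. circle-ir's ScanSecretsPass now handles
+* SAST-level secret detection. This module violated the architectural boundary
+* by reimplementing SAST logic that belongs in circle-ir.
+*
+* For git history scanning (circle-ir-ai's legitimate domain), use
+* './history-patterns.js' which contains a minimal pattern set.
+*
+* This file is maintained only for backwards compatibility. Do not add new
+* patterns here - contribute them to circle-ir instead.
+*
+* Migration:
+* - Working-tree scanning: Use circle-ir's analyze() → filter hardcoded-credential findings
+* - Git history scanning: Use HISTORY_SCAN_PATTERNS from './history-patterns.js'
+* - LLM verification: Use SecretScanner with llmVerify: true
 */
 /**
 * AWS Credential Patterns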
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../src/secret-scan/patterns.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../src/secret-scan/patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAgBH;;GAEG;AACH,MAAM,WAAW,GAAoB;IACnC;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,wEAAwE;QACjF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC;KAClF;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EAAE,uBAAuB;QACpC,OAAO,EAAE,sFAAsF;QAC/F,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,QAAQ,EAAE,KAAK,CAAC;KAC5B;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,6BAA6B;QAC1C,OAAO,EAAE,2EAA2E;QACpF,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,SAAS,EAAE,OAAO,EAAE,KAAK,CAAC;KACtC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,cAAc,GAAoB;IACtC;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,8BAA8B;QACpC,WAAW,EAAE,wCAAwC;QACrD,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,+BAA+B;QAC5C,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EAAE,4BAA4B;QACzC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,2CAA2C;QACxD,OAAO,EAAE,iDAAiD;QAC1D,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,aAAa,CAAC;KAC1B;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,cAAc,GAAoB;IACtC;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,uBAAuB;QACpC,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,UAAU,CAAC;KACvB;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACv
B,WAAW,EAAE,qBAAqB;QAClC,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,UAAU,CAAC;KACvB;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,wBAAwB;QAC9B,WAAW,EAAE,wDAAwD;QACrE,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,UAAU,CAAC;KACvB;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,UAAU,CAAC;KACvB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,cAAc,GAAoB;IACtC;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,gDAAgD;QAC7D,OAAO,EAAE,kEAAkE;QAC3E,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC;QACxB,qBAAqB,EAAE;YACrB,UAAU;YACV,cAAc;YACd,uBAAuB;YACvB,OAAO;YACP,MAAM;YACN,KAAK;SACN;KACF;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,cAAc;QACpB,WAAW,EAAE,6BAA6B;QAC1C,OAAO,EAAE,uCAAuC;QAChD,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,CAAC,QAAQ,CAAC;QACpB,qBAAqB,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,CAAC;QAClD,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,yCAAyC;YACzC,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;YAC9C,iEAAiE;YACjE,OAAO,KAAK,CAAC,MAAM,IAAI,EAAE,CAAC;QAC5B,CAAC;KACF;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,GAAoB;IACnC;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,WAAW;QACjB,WAAW,EAAE,gBAAgB;QAC7B,OAAO,EAAE,oEAAoE;QAC7E,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,KAAK,CAAC;QACjB,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,yBAAyB;YACzB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,KAAK,CAAC;YACrC,IAAI,CAAC;gBACH,kCAAkC;gBAClC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;gBAChF,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC;YAC9C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;KACF;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,gBAAgB,GAAoB;IACxC;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,6CAA6C;QAC1D,OAAO,EAAE,wFAAwF;Q
ACjG,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC;QACnE,qBAAqB,EAAE,CAAC,WAAW,EAAE,cAAc,EAAE,cAAc,CAAC;KACrE;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,oCAAoC;QACjD,OAAO,EAAE,sHAAsH;QAC/H,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,CAAC,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,CAAC;QAC7D,qBAAqB,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,CAAC;KAChE;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,kBAAkB,GAAoB;IAC1C;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,iBAAiB;QAC9B,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,CAAC,uBAAuB,CAAC;KACpC;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EAAE,qBAAqB;QAClC,OAAO,EAAE,+EAA+E;QACxF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,CAAC,2BAA2B,CAAC;KACxC;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,4BAA4B;QACzC,OAAO,EAAE,qEAAqE;QAC9E,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,CAAC,sBAAsB,CAAC;KACnC;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,iBAAiB;QAC9B,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,CAAC,uBAAuB,CAAC;KACpC;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,uBAAuB;QACpC,OAAO,EAAE,mFAAmF;QAC5F,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,CAAC,uBAAuB,CAAC;KACpC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,aAAa,GAAoB;IACrC;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EAAE,+BAA+B;QAC5C,OAAO,EAAE,4BAA4B;QACrC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,OAAO,CAAC;KACpB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,oFAAoF;QAC7F,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;QACjB,QAAQ,EAAE,CAAC,YAAY,EAAE,OAAO,EAAE,SAAS,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,yBAAyB;
QAC7B,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,iCAAiC;QAC9C,OAAO,EAAE,oFAAoF;QAC7F,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;QACjB,QAAQ,EAAE,CAAC,0BAA0B,EAAE,YAAY,CAAC;KACrD;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,qBAAqB,GAAoB;IAC7C;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,aAAa;QACnB,WAAW,EAAE,yBAAyB;QACtC,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,OAAO;QACjB,QAAQ,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC;KACxD;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,4BAA4B;QACzC,OAAO,EAAE,oFAAoF;QAC7F,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,OAAO;QACjB,QAAQ,EAAE,CAAC,iBAAiB,CAAC;KAC9B;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,eAAe;QACrB,WAAW,EAAE,8BAA8B;QAC3C,OAAO,EAAE,gEAAgE;QACzE,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,SAAS;KACpB;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EAAE,qBAAqB;QAClC,OAAO,EAAE,qEAAqE;QAC9E,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;KACjC;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,gBAAgB;QAC7B,OAAO,EAAE,wBAAwB;QACjC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,IAAI,CAAC;KACjB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,kBAAkB;QAC/B,OAAO,EAAE,+CAA+C;QACxD,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,CAAC,KAAK,CAAC;KAClB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,eAAe,GAAoB;IACvC;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,2CAA2C;QACpD,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,QAAQ,CAAC;KACrB;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EAAE,yBAAyB;QACtC,OAAO,EAAE,qCAAqC;QAC9C,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,KAAK,CAAC;KAClB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,mBAAmB,GAAoB;IAC3C;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,4BAA4B;QAClC,WAAW,EAAE,+DAA+D;QAC5E,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,gBAAgB;YAChB,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC/B,4BAA4B;YAC5B,MAAM,OAAO,GAAG,gBAA
gB,CAAC,GAAG,CAAC,CAAC;YACtC,sDAAsD;YACtD,OAAO,OAAO,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;QAC3C,CAAC;KACF;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,4DAA4D;QACzE,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC/B,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;YACtC,4CAA4C;YAC5C,OAAO,OAAO,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;QAC3C,CAAC;KACF;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACvB,IAAI,GAAG,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAExB,MAAM,IAAI,GAAwB,IAAI,GAAG,EAAE,CAAC;IAC5C,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAoB;IAC9C,GAAG,WAAW;IACd,GAAG,cAAc;IACjB,GAAG,cAAc;IACjB,GAAG,cAAc;IACjB,GAAG,WAAW;IACd,GAAG,gBAAgB;IACnB,GAAG,kBAAkB;IACrB,GAAG,aAAa;IAChB,GAAG,qBAAqB;IACxB,GAAG,eAAe;IAClB,GAAG,mBAAmB;CACvB,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAgB;IACpD,OAAO,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAwB;IAC5D,OAAO,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AAC9D,CAAC"}
|
|
@@ -1,15 +1,18 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* Secret Scanner Module
|
|
2
|
+
* Secret Scanner Module (Refactored)
|
|
3
3
|
*
|
|
4
|
-
*
|
|
4
|
+
* Architecture:
|
|
5
|
+
* - SAST detection: Delegates to circle-ir's ScanSecretsPass (no regex duplication)
|
|
6
|
+
* - Git history: Scans commits for secrets introduced historically (circle-ir-ai domain)
|
|
7
|
+
* - LLM verification: Reduces false positives via context-aware analysis
|
|
8
|
+
*
|
|
9
|
+
* This module consumes CircleIR findings rather than reimplementing SAST logic.
|
|
5
10
|
*/
|
|
6
|
-
|
|
11
|
+
export type SecretSeverity = 'critical' | 'high' | 'medium' | 'low';
|
|
7
12
|
/**
|
|
8
13
|
* Options for secret scanning
|
|
9
14
|
*/
|
|
10
15
|
export interface SecretScanOptions {
|
|
11
|
-
/** Patterns to use (defaults to all) */
|
|
12
|
-
patterns?: SecretPattern[];
|
|
13
16
|
/** Categories to include (defaults to all) */
|
|
14
17
|
includeCategories?: string[];
|
|
15
18
|
/** Categories to exclude */
|
|
@@ -24,6 +27,8 @@ export interface SecretScanOptions {
|
|
|
24
27
|
includeFiles?: string[];
|
|
25
28
|
/** File patterns to exclude (glob) */
|
|
26
29
|
excludeFiles?: string[];
|
|
30
|
+
/** Enable LLM verification to reduce false positives */
|
|
31
|
+
llmVerify?: boolean;
|
|
27
32
|
/** Progress callback */
|
|
28
33
|
onProgress?: (progress: ScanProgress) => void;
|
|
29
34
|
}
|
|
@@ -31,7 +36,7 @@ export interface SecretScanOptions {
|
|
|
31
36
|
* Scan progress information
|
|
32
37
|
*/
|
|
33
38
|
export interface ScanProgress {
|
|
34
|
-
phase: 'indexing' | 'scanning-files' | 'scanning-history' | 'complete';
|
|
39
|
+
phase: 'indexing' | 'scanning-files' | 'scanning-history' | 'verifying' | 'complete';
|
|
35
40
|
currentFile?: string;
|
|
36
41
|
filesScanned: number;
|
|
37
42
|
totalFiles: number;
|
|
@@ -69,6 +74,10 @@ export interface DetectedSecret {
|
|
|
69
74
|
commitDate?: string;
|
|
70
75
|
/** Whether secret is still present in HEAD */
|
|
71
76
|
presentInHead: boolean;
|
|
77
|
+
/** LLM verification result */
|
|
78
|
+
llmVerified?: boolean;
|
|
79
|
+
/** LLM confidence score */
|
|
80
|
+
llmConfidence?: number;
|
|
72
81
|
}
|
|
73
82
|
/**
|
|
74
83
|
* Scan result summary
|
|
@@ -99,56 +108,40 @@ export interface SecretScanResult {
|
|
|
99
108
|
* Secret Scanner class
|
|
100
109
|
*/
|
|
101
110
|
export declare class SecretScanner {
|
|
102
|
-
private patterns;
|
|
103
111
|
private options;
|
|
104
112
|
constructor(options?: SecretScanOptions);
|
|
105
|
-
/**
|
|
106
|
-
* Select patterns based on options
|
|
107
|
-
*/
|
|
108
|
-
private selectPatterns;
|
|
109
113
|
/**
|
|
110
114
|
* Scan a directory for secrets
|
|
111
115
|
*/
|
|
112
116
|
scan(directory: string): Promise<SecretScanResult>;
|
|
113
117
|
/**
|
|
114
|
-
* Scan a single file
|
|
118
|
+
* Scan a single file using circle-ir's ScanSecretsPass
|
|
115
119
|
*/
|
|
116
|
-
|
|
120
|
+
private scanFileWithCircleIR;
|
|
117
121
|
/**
|
|
118
|
-
* Scan
|
|
122
|
+
* Scan git history for secrets
|
|
123
|
+
* Uses minimal patterns since we can't run circle-ir on diffs
|
|
119
124
|
*/
|
|
120
|
-
private
|
|
125
|
+
private scanGitHistory;
|
|
121
126
|
/**
|
|
122
|
-
*
|
|
123
|
-
* Looks for unescaped `/` delimiters surrounding the match range.
|
|
127
|
+
* Scan a git diff for secrets using minimal history patterns
|
|
124
128
|
*/
|
|
125
|
-
private
|
|
129
|
+
private scanDiff;
|
|
126
130
|
/**
|
|
127
|
-
* Scan
|
|
131
|
+
* Scan a single line using minimal history patterns
|
|
132
|
+
* This is only used for git history scanning where we can't use circle-ir
|
|
128
133
|
*/
|
|
129
|
-
private
|
|
134
|
+
private scanLineWithPatterns;
|
|
130
135
|
/**
|
|
131
|
-
*
|
|
132
|
-
*
|
|
133
|
-
* #62: `repoDir` is required so emitted DetectedSecret.file matches
|
|
134
|
-
* scanFile's `path.resolve()` output and dedup at the caller can find
|
|
135
|
-
* HEAD↔history matches. The relative `currentFile` is preserved for
|
|
136
|
-
* exclude-glob matching (`isPathExcluded` expects repo-relative).
|
|
136
|
+
* LLM verification to reduce false positives
|
|
137
137
|
*/
|
|
138
|
-
private
|
|
138
|
+
private llmVerifySecrets;
|
|
139
139
|
/**
|
|
140
|
-
* Built-in path-skip
|
|
141
|
-
* (`getFiles`) and the git-history diff path (`scanDiff`). #60: previously
|
|
142
|
-
* only the working-tree walk applied these — git-history scans walked
|
|
143
|
-
* every diff including `Cargo.lock`, `*.lock`, binary blobs, etc.,
|
|
144
|
-
* producing noisy "Status: Historical" findings on paths the user had
|
|
145
|
-
* already excluded from their working-tree scan.
|
|
140
|
+
* Built-in path-skip patterns
|
|
146
141
|
*/
|
|
147
142
|
private static readonly BUILTIN_EXCLUDE_PATTERNS;
|
|
148
143
|
/**
|
|
149
|
-
*
|
|
150
|
-
* regex excludes + user-supplied include/exclude minimatch globs.
|
|
151
|
-
* Used by both the working-tree walk and the git-history diff parser.
|
|
144
|
+
* Check if path should be excluded
|
|
152
145
|
*/
|
|
153
146
|
private isPathExcluded;
|
|
154
147
|
/**
|
|
@@ -159,14 +152,6 @@ export declare class SecretScanner {
|
|
|
159
152
|
* Check if directory is a git repo
|
|
160
153
|
*/
|
|
161
154
|
private isGitRepo;
|
|
162
|
-
/**
|
|
163
|
-
* Redact a secret for safe display
|
|
164
|
-
*/
|
|
165
|
-
private redactSecret;
|
|
166
|
-
/**
|
|
167
|
-
* Truncate long lines
|
|
168
|
-
*/
|
|
169
|
-
private truncateLine;
|
|
170
155
|
/**
|
|
171
156
|
* Generate .gitignore recommendations
|
|
172
157
|
*/
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/secret-scan/scanner.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/secret-scan/scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAaH,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEpE;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,8CAA8C;IAC9C,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,4BAA4B;IAC5B,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,iCAAiC;IACjC,WAAW,CAAC,EAAE,cAAc,CAAC;IAC7B,kCAAkC;IAClC,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,mDAAmD;IACnD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,sCAAsC;IACtC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,wDAAwD;IACxD,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,wBAAwB;IACxB,UAAU,CAAC,EAAE,CAAC,QAAQ,EAAE,YAAY,KAAK,IAAI,CAAC;CAC/C;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,UAAU,GAAG,gBAAgB,GAAG,kBAAkB,GAAG,WAAW,GAAG,UAAU,CAAC;IACrF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,8BAA8B;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,uCAAuC;IACvC,IAAI,EAAE,MAAM,CAAC;IACb,kBAAkB;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,sBAAsB;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,8CAA8C;IAC9C,KAAK,EAAE,MAAM,CAAC;IACd,sCAAsC;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,qBAAqB;IACrB,QAAQ,EAAE,cAAc,CAAC;IACzB,eAAe;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,4CAA4C;IAC5C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8CAA8C;IAC9C,aAAa,EAAE,OAAO,CAAC;IACvB,8BAA8B;IAC9B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,2BAA2B;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,0BAA0B;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,gDAAgD;IAChD,cAAc,EAAE,MAAM,CAAC;IACvB,2BAA2B;IAC3B,OAAO,EAAE,cAAc,EAAE,CAAC;IAC1B,0BAA0B;IAC1B,UAAU,EAAE,MAAM,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;IAC3C,0BAA0B;IAC1B,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,mDAAmD;IACnD,aAAa,EAAE,MAAM,CAAC;IACtB,8BAA8B;IAC9B,iBAAiB,EAAE,M
AAM,CAAC;IAC1B,0BAA0B;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,iCAAiC;IACjC,wBAAwB,EAAE,MAAM,EAAE,CAAC;CACpC;AA4DD;;GAEG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,OAAO,CAAoB;gBAEvB,OAAO,GAAE,iBAAsB;IAI3C;;OAEG;IACG,IAAI,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAgIxD;;OAEG;YACW,oBAAoB;IA8BlC;;;OAGG;YACW,cAAc;IAmD5B;;OAEG;IACH,OAAO,CAAC,QAAQ;IAmDhB;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAkD5B;;OAEG;YACW,gBAAgB;IAgD9B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,wBAAwB,CA4B9C;IAEF;;OAEG;IACH,OAAO,CAAC,cAAc;IAetB;;OAEG;IACH,OAAO,CAAC,QAAQ;IAuChB;;OAEG;IACH,OAAO,CAAC,SAAS;IAYjB;;OAEG;IACH,OAAO,CAAC,gCAAgC;CAmDzC;AAyBD;;GAEG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CAG3B;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,gBAAgB,CAAC,CAK3B;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAiFnE"}
|