secretscan

package


Functions

func IsFalsePositive

func IsFalsePositive(match string, pattern *Pattern) bool

IsFalsePositive reports whether match, a string that pattern's Regex matched, should be discarded as a false positive. The exact rule is not stated on this page; given Pattern.FalsePositiveRegexes, it presumably returns true when one of those expressions also matches — confirm in scanner.go before relying on it to suppress a specific class of match.

Types

type Category

// Category classifies the kind of secret material a Pattern detects (API key,
// private key, ...). It is a string type: the literal values below are what
// DetectedSecret.Category carries in JSON output, so treat them as a stable
// wire format rather than as free-form labels.
type Category string

Category represents the category of a detected secret

// Built-in categories. The string values are serialised verbatim under
// "category" in DetectedSecret JSON, so renaming one is a breaking change for
// downstream consumers. CategoryCredential and CategorySecret look like
// generic catch-alls for patterns that fit no narrower category — confirm
// against the pattern table in patterns.go.
const (
	CategoryAPIKey           Category = "api-key"
	CategoryPrivateKey       Category = "private-key"
	CategoryPassword         Category = "password"
	CategoryToken            Category = "token"
	CategoryCertificate      Category = "certificate"
	CategoryConnectionString Category = "connection-string"
	CategoryCredential       Category = "credential"
	CategorySecret           Category = "secret"
)

type DetectedSecret

// DetectedSecret is a single finding produced by a Scanner.
//
// Handling note: MatchedText holds the raw text that matched, and it carries
// a JSON tag, so any consumer that logs, persists or returns the JSON form of
// a finding re-exposes the very secret that was detected. Use MaskedText for
// anything that ends up in logs, UIs, or hook output, and scrub MatchedText
// (or drop it) before a result leaves the trust boundary of the scanner.
type DetectedSecret struct {
	// PatternID and PatternName identify the rule that fired; they appear to
	// mirror Pattern.ID and Pattern.Name.
	PatternID   string   `json:"pattern_id"`
	PatternName string   `json:"pattern_name"`
	// Category and Severity are copied from the matching Pattern and are
	// serialised as their string values.
	Category    Category `json:"category"`
	Severity    Severity `json:"severity"`
	// FilePath is the path the finding is attributed to. LineNumber's base
	// (0 or 1) is not documented here — NOTE(review): confirm in scanner.go
	// before using it to build editor links or annotations.
	FilePath    string   `json:"file_path"`
	LineNumber  int      `json:"line_number"`
	// MatchedText is the raw matched text: sensitive, see the type comment.
	MatchedText string   `json:"matched_text"`
	// MaskedText is a redacted rendering of MatchedText, presumably intended
	// for display; the masking scheme is not documented on this page.
	MaskedText  string   `json:"masked_text"`
	// CommitSHA is omitted from JSON when empty, so it is presumably only set
	// for findings produced by the commit-walking methods (ScanCommitRange,
	// ScanFile) rather than by ScanContent/ScanReader/ScanDiff.
	CommitSHA   string   `json:"commit_sha,omitempty"`
}

DetectedSecret represents a secret found during scanning

type Pattern

// Pattern is one secret-detection rule: a compiled Regex plus the metadata
// that is stamped onto every DetectedSecret it produces.
//
// Regex and FalsePositiveRegexes are pre-compiled *regexp.Regexp values, so a
// pattern set should be built once (e.g. via GetBuiltinPatterns) and reused
// across scans rather than rebuilt per call. Go's regexp engine is linear
// time, so a pathological pattern cannot cause catastrophic backtracking, but
// a very broad Regex still costs a full pass over every scanned line.
type Pattern struct {
	// ID is a stable identifier for the rule; DetectedSecret.PatternID
	// appears to carry it.
	ID                   string
	// Name is a human-readable rule name; DetectedSecret.PatternName appears
	// to carry it.
	Name                 string
	// Description explains what the rule looks for. It is not part of
	// DetectedSecret, so it is for maintainers rather than report consumers.
	Description          string
	// Regex is the expression whose matches become findings.
	Regex                *regexp.Regexp
	// Severity and Category are copied onto each finding.
	Severity             Severity
	Category             Category
	// FalsePositiveRegexes are expressions that disqualify a match —
	// presumably what IsFalsePositive consults (see its doc); confirm whether
	// they are tested against the match alone or the whole line.
	FalsePositiveRegexes []*regexp.Regexp
}

Pattern represents a secret detection pattern

func GetBuiltinPatterns

func GetBuiltinPatterns() []Pattern

GetBuiltinPatterns returns the complete set of built-in Pattern rules (see patterns.go). Whether each call returns a fresh slice or shares one is not stated here, so callers that intend to modify the returned patterns (for example to append FalsePositiveRegexes) should copy the slice first rather than mutate it in place.

type ScanResult

// ScanResult is the aggregated outcome of a scan over a set of commits.
type ScanResult struct {
	// Secrets holds every finding. If it is a nil slice it encodes as JSON
	// null rather than [], so consumers should treat both as "no findings".
	// Each element carries the raw MatchedText — see the DetectedSecret note
	// before serialising this struct anywhere durable.
	Secrets      []DetectedSecret `json:"secrets"`
	// ScannedFiles is the number of files examined.
	ScannedFiles int              `json:"scanned_files"`
	// ScanDuration is how long the scan took. time.Duration marshals as an
	// integer count of nanoseconds, not a "1.5s"-style string.
	ScanDuration time.Duration    `json:"scan_duration"`
	// Blocked reports whether the scan concluded the change should be
	// rejected. The policy that sets it (any finding? a severity threshold?)
	// is not documented on this page — confirm in scanner.go.
	Blocked      bool             `json:"blocked"`
	// Message is an optional human-readable summary, omitted from JSON when
	// empty.
	Message      string           `json:"message,omitempty"`
}

ScanResult contains the results of a secret scan

type Scanner

// Scanner scans content for secrets using a set of Patterns. Construct one
// with NewScanner; the zero value is not documented as usable, and the page
// exposes no way to add or remove patterns after construction.
type Scanner struct {
	// contains filtered or unexported fields
}

Scanner scans content for secrets

func NewScanner

func NewScanner() *Scanner

NewScanner returns a Scanner ready for use. It takes no configuration, so the active rule set is presumably the one returned by GetBuiltinPatterns; there is no documented way to add custom patterns or disable built-in ones.

func (*Scanner) ScanCommitRange

func (s *Scanner) ScanCommitRange(ctx context.Context, repo *git.Repository, oldCommitID, newCommitID string) (*ScanResult, error)

ScanCommitRange walks the commits between oldCommitID and newCommitID in repo (the pair a pre-receive hook is handed), scans them for secrets and returns one aggregated ScanResult; ctx bounds the walk. Not stated here: whether either endpoint is inclusive, and how an all-zero or absent oldCommitID (a newly pushed branch) is treated — both matter for hook deployments, so confirm them in scanner.go.

func (*Scanner) ScanContent

func (s *Scanner) ScanContent(content, filePath string) []DetectedSecret

ScanContent scans an in-memory string for secrets and returns every finding; filePath is used to attribute the results. Unlike ScanDiff it is not limited to diff-added lines.

func (*Scanner) ScanDiff

func (s *Scanner) ScanDiff(diff string) []DetectedSecret

ScanDiff scans the text of a git diff for secrets, examining only added (+) lines. Secrets that appear only in removed or unchanged context lines are therefore not reported; a pre-existing secret that the diff merely touches around will pass. ScanCommitRange is the method to use when the whole history of a push must be checked.

func (*Scanner) ScanFile

func (s *Scanner) ScanFile(ctx context.Context, repo *git.Repository, commitID, filePath string) ([]DetectedSecret, error)

ScanFile loads filePath as it exists at commit commitID in repo and scans its contents for secrets; ctx can cancel the read. Findings presumably carry commitID in CommitSHA.

func (*Scanner) ScanReader

func (s *Scanner) ScanReader(r io.Reader, filePath string) ([]DetectedSecret, error)

ScanReader reads content from r and scans it for secrets; filePath is attached to the findings for reporting. An error presumably reflects a failure reading r rather than a finding — findings are returned in the slice, so check both.

type Severity

// Severity is the risk rating attached to a Pattern and copied onto each
// DetectedSecret. The string values below are the JSON wire format.
type Severity string

Severity represents the severity level of a detected secret

// Severity levels, listed from most to least serious. Because Severity is a
// string type these do not order correctly under < or sort.Strings
// ("critical" sorts before "high" before "low" before "medium"); any policy
// that thresholds on severity must map them to ranks explicitly.
const (
	SeverityCritical Severity = "critical"
	SeverityHigh     Severity = "high"
	SeverityMedium   Severity = "medium"
	SeverityLow      Severity = "low"
)

Source Files

  • patterns.go
  • scanner.go
