Skip to content

Add hardcoded secret detection#84

Open
daniplatform wants to merge 3 commits into
ParzivalHack:mainfrom
daniplatform:feature/secret_detection
Open

Add hardcoded secret detection#84
daniplatform wants to merge 3 commits into
ParzivalHack:mainfrom
daniplatform:feature/secret_detection

Conversation

@daniplatform

@daniplatform daniplatform commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

No description provided.

daniplatform and others added 3 commits July 10, 2026 11:47
Adds a dedicated secrets-scanning ruleset (AWS/GCP/Azure/GitHub/Slack/Stripe
keys, private key material, JWTs, generic secret assignments) plus a
Shannon-entropy fallback rule for unpatterned high-entropy tokens. Matched
secret values are always redacted before being stored on an Issue.

New `pyspector secrets` CLI group:
- `scan` — working tree, `--staged-only` (pre-commit), or `--history` (full
  git object history, to catch secrets removed from HEAD but still reachable)
- `baseline` — snapshot current findings into .pyspector_baseline.json for
  incremental adoption on legacy repos
- `install-hook` — installs a pre-commit hook running the staged-only scan

Rebased onto main to reconcile with the recently-merged ParzivalHack#55 (regex-only
G110-G133 secret detectors bundled into the main ruleset): this feature adds
a separate, opt-in `pyspector secrets` command with entropy-based detection,
git-history/staged scanning, baselining, and hook installation, none of
which ParzivalHack#55 covers.

Test fixtures for the AWS/Slack/Stripe rules are split with `concat!` so the
provider-shaped secret string never appears contiguous in source (avoids
tripping GitHub push protection on synthetic-but-realistic test data).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant