go-devops/devkit/secret.go

package devkit

import (
	"bufio"
	"bytes"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding describes a secret-like match discovered while scanning source files.
type Finding struct {
	Path    string `json:"path"`
	Line    int    `json:"line"`
	Column  int    `json:"column"`
	Rule    string `json:"rule"`
	Snippet string `json:"snippet"`
}

var secretRules = []struct {
	name  string
	match *regexp.Regexp
}{
	{
		name:  "aws-access-key-id",
		match: regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`),
	},
	{
		name:  "github-token",
		match: regexp.MustCompile(`\bgh[pousr]_[A-Za-z0-9_]{20,}\b`),
	},
	{
		name:  "generic-secret-assignment",
		match: regexp.MustCompile(`(?i)\b(?:api[_-]?key|client[_-]?secret|secret|token|password)\b\s*[:=]\s*["']?([A-Za-z0-9._\-+/]{8,})["']?`),
	},
}

var skipDirs = map[string]struct{}{
	".git":         {},
	"vendor":       {},
	"node_modules": {},
}

var textExts = map[string]struct{}{
	".go":     {},
	".md":     {},
	".txt":    {},
	".json":   {},
	".yaml":   {},
	".yml":    {},
	".toml":   {},
	".env":    {},
	".ini":    {},
	".cfg":    {},
	".conf":   {},
	".sh":     {},
	".tf":     {},
	".tfvars": {},
}

// ScanDir recursively scans a directory for secret-like patterns.
func ScanDir(root string) ([]Finding, error) {
	var findings []Finding

	if err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}

		name := d.Name()
		if d.IsDir() {
			if _, ok := skipDirs[name]; ok || strings.HasPrefix(name, ".") && path != root {
				return filepath.SkipDir
			}
			return nil
		}

		if !isTextCandidate(name) {
			return nil
		}

		fileFindings, err := scanFile(path)
		if err != nil {
			return err
		}
		findings = append(findings, fileFindings...)
		return nil
	}); err != nil {
		return nil, err
	}

	return findings, nil
}

func scanFile(path string) ([]Finding, error) {
	data, err := fileRead(path)
	if err != nil {
		return nil, err
	}
	if len(data) == 0 || bytes.IndexByte(data, 0) >= 0 {
		return nil, nil
	}

	var findings []Finding
	scanner := bufio.NewScanner(bytes.NewReader(data))
	lineNo := 0
	for scanner.Scan() {
		lineNo++
		line := scanner.Text()
		matchedSpecific := false
		for _, rule := range secretRules {
			if rule.name == "generic-secret-assignment" && matchedSpecific {
				continue
			}
			if loc := rule.match.FindStringIndex(line); loc != nil {
				findings = append(findings, Finding{
					Path:    path,
					Line:    lineNo,
					Column:  loc[0] + 1,
					Rule:    rule.name,
					Snippet: strings.TrimSpace(line),
				})
				if rule.name != "generic-secret-assignment" {
					matchedSpecific = true
				}
			}
		}
	}
	if err := scanner.Err(); err != nil {
		return nil, err
	}

	return findings, nil
}

func isTextCandidate(name string) bool {
	if ext := strings.ToLower(filepath.Ext(name)); ext != "" {
		_, ok := textExts[ext]
		return ok
	}
	// Allow extension-less files such as Makefile, LICENSE, and .env.
	switch name {
	case "Makefile", "Dockerfile", "LICENSE", "README", "CLAUDE.md":
		return true
	}
	return strings.HasPrefix(name, ".")
}

// fileRead is factored out for tests.
var fileRead = func(path string) ([]byte, error) {
	return os.ReadFile(path)
}
feat(devkit): add secret scanning Co-Authored-By: Virgil <virgil@lethean.io> 2026-04-01 05:37:28 +00:00			`package devkit`

			`import (`
			`"bufio"`
			`"bytes"`
			`"io/fs"`
			`"os"`
			`"path/filepath"`
			`"regexp"`
			`"strings"`
			`)`

			`// Finding describes a secret-like match discovered while scanning source files.`
			`type Finding struct {`
			Path string `json:"path"`
			Line int `json:"line"`
			Column int `json:"column"`
			Rule string `json:"rule"`
			Snippet string `json:"snippet"`
			`}`

			`var secretRules = []struct {`
			`name string`
			`match *regexp.Regexp`
			`}{`
			`{`
			`name: "aws-access-key-id",`
			match: regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`),
			`},`
			`{`
			`name: "github-token",`
			match: regexp.MustCompile(`\bgh[pousr]_[A-Za-z0-9_]{20,}\b`),
			`},`
			`{`
			`name: "generic-secret-assignment",`
			match: regexp.MustCompile(`(?i)\b(?:api[_-]?key\|client[_-]?secret\|secret\|token\|password)\b\s[:=]\s["']?([A-Za-z0-9._\-+/]{8,})["']?`),
			`},`
			`}`

			`var skipDirs = map[string]struct{}{`
			`".git": {},`
			`"vendor": {},`
			`"node_modules": {},`
			`}`

			`var textExts = map[string]struct{}{`
			`".go": {},`
			`".md": {},`
			`".txt": {},`
			`".json": {},`
			`".yaml": {},`
			`".yml": {},`
			`".toml": {},`
			`".env": {},`
			`".ini": {},`
			`".cfg": {},`
			`".conf": {},`
			`".sh": {},`
			`".tf": {},`
			`".tfvars": {},`
			`}`

			`// ScanDir recursively scans a directory for secret-like patterns.`
			`func ScanDir(root string) ([]Finding, error) {`
			`var findings []Finding`

			`if err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {`
			`if err != nil {`
			`return err`
			`}`

			`name := d.Name()`
			`if d.IsDir() {`
			`if _, ok := skipDirs[name]; ok \|\| strings.HasPrefix(name, ".") && path != root {`
			`return filepath.SkipDir`
			`}`
			`return nil`
			`}`

			`if !isTextCandidate(name) {`
			`return nil`
			`}`

			`fileFindings, err := scanFile(path)`
			`if err != nil {`
			`return err`
			`}`
			`findings = append(findings, fileFindings...)`
			`return nil`
			`}); err != nil {`
			`return nil, err`
			`}`

			`return findings, nil`
			`}`

			`func scanFile(path string) ([]Finding, error) {`
			`data, err := fileRead(path)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if len(data) == 0 \|\| bytes.IndexByte(data, 0) >= 0 {`
			`return nil, nil`
			`}`

			`var findings []Finding`
			`scanner := bufio.NewScanner(bytes.NewReader(data))`
			`lineNo := 0`
			`for scanner.Scan() {`
			`lineNo++`
			`line := scanner.Text()`
			`matchedSpecific := false`
			`for _, rule := range secretRules {`
			`if rule.name == "generic-secret-assignment" && matchedSpecific {`
			`continue`
			`}`
			`if loc := rule.match.FindStringIndex(line); loc != nil {`
			`findings = append(findings, Finding{`
			`Path: path,`
			`Line: lineNo,`
			`Column: loc[0] + 1,`
			`Rule: rule.name,`
			`Snippet: strings.TrimSpace(line),`
			`})`
			`if rule.name != "generic-secret-assignment" {`
			`matchedSpecific = true`
			`}`
			`}`
			`}`
			`}`
			`if err := scanner.Err(); err != nil {`
			`return nil, err`
			`}`

			`return findings, nil`
			`}`

			`func isTextCandidate(name string) bool {`
			`if ext := strings.ToLower(filepath.Ext(name)); ext != "" {`
			`_, ok := textExts[ext]`
			`return ok`
			`}`
			`// Allow extension-less files such as Makefile, LICENSE, and .env.`
			`switch name {`
			`case "Makefile", "Dockerfile", "LICENSE", "README", "CLAUDE.md":`
			`return true`
			`}`
			`return strings.HasPrefix(name, ".")`
			`}`

			`// fileRead is factored out for tests.`
			`var fileRead = func(path string) ([]byte, error) {`
			`return os.ReadFile(path)`
			`}`