Add SecretsDetector with entropy and prefix heuristics and integrate into CLI scan by Jeffrin-dev · Pull Request #11 · Jeffrin-dev/ShadowAudit

Jeffrin-dev · 2026-03-29T05:02:41Z

Provide secret-detection support alongside PII scanning to surface API keys and other high-entropy tokens during scan CLI runs.
Use both an optional detect-secrets library and in-house heuristics (Shannon entropy, prefix patterns, and stopword filtering) to reduce false positives.

Add shadowaudit.core.secrets.SecretsDetector implementing entropy scoring, candidate extraction, prefix pattern matching, optional detect-secrets integration, and filtering heuristics.
Integrate SecretsDetector into the scan CLI command to populate secrets_found on the scan result and set action_taken to detected when either entities or secrets are present.
Include explicit prefix patterns for common token formats (e.g., sk-, ghp_, AKIA, xoxb-) and a stopword list plus minimum candidate length to avoid flagging ordinary words.
Add and update unit tests to cover entropy scoring, prefix pattern detection, ignoring normal English sentences, and CLI-level secret detection.

Ran the test suite with pytest including the new tests in tests/test_cli_scan.py and tests/test_policy_and_secrets.py.
All automated tests, including the new secrets detection and CLI tests, passed successfully.

Filter entropy candidates by length and stopwords

7959085

Jeffrin-dev added the codex label Mar 29, 2026 — with ChatGPT Codex Connector

Merge branch 'main' into codex/add-regex-patterns-for-api-keys-a3yf4a

8766c7a

Jeffrin-dev merged commit 039e275 into main Mar 29, 2026
1 check passed

Provide feedback