Jeffrin-dev · Jeffrin-dev · Mar 29, 2026 · Mar 29, 2026
diff --git a/shadowaudit/reports/gdpr_report.py b/shadowaudit/reports/gdpr_report.py
@@ -50,7 +50,16 @@ def generate_gdpr_report(from_date: str | date, to_date: str | date, *, log_path
 
                 scan_result = event.get("scan_result", {}) or {}
                 action_counter.update([scan_result.get("action_taken", "unknown")])
-                entity_counter.update(scan_result.get("detected_entities", []) or [])
+                detected_entities = scan_result.get("detected_entities", []) or []
+                entity_counter.update(detected_entities)
+
+                secrets_found = scan_result.get("secrets_found", []) or []
+                if secrets_found:
+                    entity_counter.update(["SECRET"])
+
+    categories_of_personal_data = sorted(entity_counter.keys())
+    if entity_counter.get("SECRET"):
+        categories_of_personal_data.append("API keys and credentials")
 
     return {
         "article": "GDPR Article 30",
@@ -70,7 +79,7 @@ def generate_gdpr_report(from_date: str | date, to_date: str | date, *, log_path
                 "security and compliance monitoring",
             ],
             "categories_of_data_subjects": ["application users", "operators"],
-            "categories_of_personal_data": sorted(entity_counter.keys()),
+            "categories_of_personal_data": categories_of_personal_data,
             "technical_measures": [
                 "automated scanning of prompts",
                 "event-level audit logging",

diff --git a/tests/test_audit_and_reports.py b/tests/test_audit_and_reports.py
@@ -10,14 +10,14 @@
 from shadowaudit.reports.gdpr_report import generate_gdpr_report
 
 
-def _event(ts: str, request_id: str, entities: list[str]) -> AuditEvent:
+def _event(ts: str, request_id: str, entities: list[str], *, secrets: list[str] | None = None) -> AuditEvent:
     return AuditEvent(
         timestamp=ts,
         request_id=request_id,
         scan_result=ScanResult(
             request_id=request_id,
             detected_entities=entities,
-            secrets_found=[],
+            secrets_found=secrets or [],
             action_taken="detected" if entities else "clean",
             tokens_before=3,
             tokens_after=3,
@@ -51,3 +51,14 @@ def test_generate_gdpr_report_filters_date_range(tmp_path: Path) -> None:
     assert report["article"] == "GDPR Article 30"
     assert report["summary"]["total_events"] == 1
     assert report["summary"]["detected_entity_types"] == {"EMAIL": 1}
+
+
+def test_generate_gdpr_report_includes_secrets_in_summary_and_processing(tmp_path: Path) -> None:
+    log_path = tmp_path / "audit.log"
+    logger = AuditLogger(log_path)
+    logger.append(_event("2026-01-10T10:00:00Z", "req-1", [], secrets=["sk-abc123"]))
+
+    report = generate_gdpr_report("2026-01-01", "2026-01-31", log_path=log_path)
+
+    assert report["summary"]["detected_entity_types"] == {"SECRET": 1}
+    assert "API keys and credentials" in report["processing"]["categories_of_personal_data"]