Integrate local-first secret scanning into the export workflow

@jkjitendra jkjitendra released this 05 Jun 19:37
c7a251a

Release v0.1.5 introduces a local-first, privacy-preserving secret scanner to warn users about potential credentials, tokens, or private keys before they export their codebase.

Key Features & Enhancements

1. Core Secret Scanning Engine (apps/desktop/src/main/secretScanner.ts)

  • Implemented high-performance, regex-based scanning in the Electron main process.
  • Standardized rules to detect and validate common secrets:
    • Cloud & API Credentials: AWS Access Key IDs, GitHub Personal Access Tokens (classic & new), and Slack tokens.
    • Private Keys: Full PEM blocks (validated to discard code noise and verify base64 content length).
    • Tokens & Secrets: JWT tokens, generic API key/secret assignments (e.g., api_key = "..."), inline environment variables (e.g., SECRET_TOKEN=...), and configuration properties (e.g., jwt.secret in .properties/.yml with checks to ignore environment placeholders or path names).
  • Optimized scanning with concurrency limits and binary-search line-number lookups.

2. IPC & Security Boundary Integration

  • Maintained a strict local-first security model: scanning occurs entirely on the main process; the renderer process only receives file paths, rule names, and redacted previews (first 3 characters + ***).
  • Configured IPC registration in the Electron main process, preload wrapper (apps/desktop/src/preload/index.ts), and TypeScript interfaces (apps/desktop/src/shared/types.ts).

3. User Interface Integration

  • Added the SecretScanWarning modal component (apps/desktop/src/renderer/components/SecretScanWarning.tsx) to display finding severities, locations, rules, and redacted previews.
  • Blocked the export pipeline on findings to show the warning modal, allowing the user to either cancel (safe default) or override and "Continue Anyway".
  • Added proper UI state handling for scan limits (capped at 20 findings per file / 200 overall) and scanning errors.
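To make the scanning, redaction and capping described in sections 1 to 3 concrete, here is an added example of a minimal scanner in the same shape (this is not the project's code; the rule names, patterns and the SAMPLE text are constructed for illustration):

```typescript
// Added example, not the project's own code: a minimal local-first scanner in the
// spirit of the release. Rule names, patterns and SAMPLE are constructed here.
type Finding = { rule: string; line: number; preview: string };
// Constructed detection rules; production rules carry far more validation.
const RULES: Array<{ name: string; pattern: RegExp }> = [
  { name: "aws-access-key-id", pattern: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "generic-api-key", pattern: /\b(?:api_key|secret)\s*=\s*["']([^"']{8,})["']/gi },
];
// The renderer only ever sees the first 3 characters plus "***".
function redact(secret: string): string {
  return secret.slice(0, 3) + "***";
}
// Offsets of every line start, computed once per file.
function lineStarts(text: string): number[] {
  const starts = [0];
  for (let i = 0; i < text.length; i++) if (text[i] === "\n") starts.push(i + 1);
  return starts;
}
// Binary search for the largest line start <= offset; returns a 1-based line number.
function lineOf(starts: number[], offset: number): number {
  let lo = 0, hi = starts.length - 1;
  while (lo < hi) {
    const mid = (lo + hi + 1) >> 1;
    if (starts[mid] <= offset) lo = mid; else hi = mid - 1;
  }
  return lo + 1;
}
// Scan one file's text, stopping at the per-file cap so a noisy file cannot flood the UI.
function scanText(text: string, maxFindings = 20): Finding[] {
  const starts = lineStarts(text);
  const findings: Finding[] = [];
  for (const { name, pattern } of RULES) {
    pattern.lastIndex = 0;
    for (let m = pattern.exec(text); m; m = pattern.exec(text)) {
      const value = m[1] ?? m[0];
      if (value.startsWith("$")) continue; // environment placeholder such as ${API_KEY}
      findings.push({ rule: name, line: lineOf(starts, m.index), preview: redact(value) });
      if (findings.length >= maxFindings) return findings;
    }
  }
  return findings;
}
// Constructed sample: a real-looking key ID, a placeholder to ignore, a generic secret.
const SAMPLE = [
  "const region = 'us-east-1';",
  "const key = 'AKIAIOSFODNN7EXAMPLE';",
  'api_key = "${API_KEY}"',
  'secret = "s3cr3t-value-1234"',
].join("\n");
```

Running scanText(SAMPLE) reports the key ID on line 2 and the generic secret on line 4, skips the ${API_KEY} placeholder, and only the redacted previews would cross the IPC boundary.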

4. Testing & Documentation

  • Added 800+ lines of comprehensive unit tests (apps/desktop/tests/secretScanner.test.ts) covering scanner heuristics, regex validators, file size bounds, and concurrency.
  • Detailed capabilities, security boundaries, and manual verification procedures in docs/security.md.