Integrate local-first secret scanning into the export workflow
Release v0.1.5 introduces a local-first, privacy-preserving secret scanner to warn users about potential credentials, tokens, or private keys before they export their codebase.
Key Features & Enhancements
1. Core Secret Scanning Engine (`apps/desktop/src/main/secretScanner.ts`)
- Implemented high-performance, regex-based scanning in the Electron main process.
- Standardized rules to detect and validate common secrets:
- Cloud & API Credentials: AWS Access Key IDs, GitHub Personal Access Tokens (classic & new), and Slack tokens.
- Private Keys: Full PEM blocks (validated to discard code noise and verify base64 content length).
- Tokens & Secrets: JWT tokens, generic API key/secret assignments (e.g., `api_key = "..."`), inline environment variables (e.g., `SECRET_TOKEN=...`), and configuration properties (e.g., `jwt.secret` in `.properties`/`.yml`, with checks to ignore environment placeholders or path names).
- Optimized scanning with concurrency limits and binary-search line-number lookups.
2. IPC & Security Boundary Integration
- Maintained a strict local-first security model: scanning occurs entirely in the main process; the renderer process only receives file paths, rule names, and redacted previews (first 3 characters + `***`).
- Configured IPC registration in the Electron main process, the preload wrapper (`apps/desktop/src/preload/index.ts`), and TypeScript interfaces (`apps/desktop/src/shared/types.ts`).
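As an added illustration (not code from this release), the shape described in sections 1 and 2 in a few dozen lines of TypeScript: regex rules with validators that drop environment placeholders, binary-search line-number lookup, previews redacted to the first 3 characters plus `***` before anything leaves the scanner, and a per-file findings cap. The rule patterns, the placeholder check and the sample file are assumptions made here, not the project's own rules.

```typescript
// Added example, not the project's code: a minimal form of the scanner design described
// above (regex rules with validators, binary-search line lookup, "first 3 chars + ***"
// previews, per-file cap). Rule patterns and the sample input are constructed.
interface Rule { name: string; severity: string; pattern: RegExp; validate?: (v: string) => boolean }
interface Finding { rule: string; severity: string; line: number; preview: string }

const RULES: Rule[] = [                   // every pattern carries the g flag for exec() loops
  { name: "aws-access-key-id", severity: "high", pattern: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "github-pat", severity: "high", pattern: /\bghp_[A-Za-z0-9]{36}\b/g },
  { name: "generic-api-key", severity: "medium",
    // quoted value assigned to api_key / secret; group 1 is the candidate secret
    pattern: /\b(?:api[_-]?key|secret)\s*[:=]\s*["']([^"'\n]{12,})["']/gi,
    // ignore environment placeholders such as ${SERVICE_API_KEY} and path-like values
    validate: (v) => !/^\$\{?[A-Z0-9_]+\}?$/.test(v) && v.indexOf("/") === -1 },
];

// Offsets of every line start, so a match offset maps to its line in O(log n).
function lineStarts(text: string): number[] {
  const starts = [0];
  for (let i = 0; i < text.length; i++) if (text[i] === "\n") starts.push(i + 1);
  return starts;
}
function lineOf(starts: number[], offset: number): number {
  let lo = 0, hi = starts.length - 1;
  while (lo < hi) {                       // last line start that is <= offset
    const mid = (lo + hi + 1) >> 1;
    if (starts[mid] <= offset) lo = mid; else hi = mid - 1;
  }
  return lo + 1;                          // 1-based line number
}
// Only this redacted form should cross the IPC boundary to the renderer.
function redact(secret: string): string { return secret.slice(0, 3) + "***"; }
function scanText(text: string, maxPerFile = 20): Finding[] {
  const starts = lineStarts(text);
  const findings: Finding[] = [];
  for (const rule of RULES) {
    rule.pattern.lastIndex = 0;           // reset the global regex between scans
    let m: RegExpExecArray | null;
    while ((m = rule.pattern.exec(text)) !== null) {
      const value = m[1] !== undefined ? m[1] : m[0];   // capture group if present
      if (rule.validate && !rule.validate(value)) continue;
      findings.push({ rule: rule.name, severity: rule.severity,
                      line: lineOf(starts, m.index), preview: redact(value) });
    }
  }
  return findings.sort((a, b) => a.line - b.line).slice(0, maxPerFile);
}
// Constructed sample file; none of these values are real credentials.
const SAMPLE = ["AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP", 'api_key = "${SERVICE_API_KEY}"',
  'token = "ghp_' + Array(37).join("a") + '"', 'secret = "constructed-example-secret-value"'].join("\n");
```

`scanText(SAMPLE)` reports the AWS key on line 1, the GitHub token on line 3 and the generic secret on line 4, skips the `${SERVICE_API_KEY}` placeholder on line 2, and never exposes more than the first three characters of any value.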
3. User Interface Integration
- Added the `SecretScanWarning` modal component (`apps/desktop/src/renderer/components/SecretScanWarning.tsx`) to display finding severities, locations, rules, and redacted previews.
- Blocked the export pipeline on findings to show the warning modal, allowing the user to either cancel (the safe default) or override with "Continue Anyway".
- Added proper UI state handling for scan limits (capped at 20 findings per file / 200 overall) and scanning errors.
4. Testing & Documentation
- Added 800+ lines of comprehensive unit tests (`apps/desktop/tests/secretScanner.test.ts`) covering scanner heuristics, regex validators, file size bounds, and concurrency.
- Detailed capabilities, security boundaries, and manual verification procedures in `docs/security.md`.