Security
CKB provides security analysis tools to help detect and prevent security issues in your codebase. The primary feature is Secret Detection, which scans for exposed credentials, API keys, and other sensitive information.
The scanSecrets tool detects exposed secrets in your codebase using pattern matching and entropy analysis.
| Secret Type | Examples | Severity |
|---|---|---|
| AWS Credentials | `AKIA...`, `aws_secret_key=...` | Critical |
| GitHub Tokens | `ghp_...`, `gho_...`, `ghu_...` | Critical |
| Stripe Keys | `sk_live_...`, `rk_live_...` | Critical |
| Private Keys | `-----BEGIN RSA PRIVATE KEY-----` | Critical |
| Slack Tokens | `xoxb-...`, `xoxp-...` | High |
| Google API Keys | `AIza...` | High |
| NPM/PyPI Tokens | `npm_...`, `pypi-...` | High |
| JWT Tokens | `eyJ...` | Medium |
| Generic API Keys | `api_key=...` (with entropy check) | Medium |
| Passwords in URLs | `://user:pass@host` | High |
CLI usage:

```bash
# Scan current directory
ckb scan-secrets
# Scan specific paths
ckb scan-secrets --paths="src/**/*.ts"
# Scan only critical/high severity
ckb scan-secrets --min-severity=high
# Scan git history (slower, more thorough)
ckb scan-secrets --scope=history --max-commits=100
# Scan only staged files (useful as pre-commit hook)
ckb scan-secrets --scope=staged
```

Tool invocation:

```json
{
  "tool": "scanSecrets",
  "params": {
    "scope": "workdir",
    "minSeverity": "high",
    "paths": ["src/**/*.ts"],
    "excludePaths": ["vendor/*", "node_modules/*"]
  }
}
```

| Scope | Description | Use Case |
|---|---|---|
| `workdir` | Current working directory files | Default, quick scan |
| `staged` | Only git staged files | Pre-commit hooks |
| `history` | Git commit history | Security audits, incident response |
| Parameter | Type | Default | Description |
|---|---|---|---|
| `scope` | string | `workdir` | What to scan: `workdir`, `staged`, `history` |
| `paths` | array | all files | Limit scan to these paths (glob patterns) |
| `excludePaths` | array | common excludes | Skip these paths |
| `minSeverity` | string | `low` | Minimum severity: `critical`, `high`, `medium`, `low` |
| `sinceCommit` | string | - | For `history` scope: scan commits since this ref |
| `maxCommits` | int | 100 | For `history` scope: limit commits for performance |
| `useGitleaks` | bool | false | Use gitleaks if installed (more patterns) |
| `useTrufflehog` | bool | false | Use trufflehog if installed (verified secrets) |
| `applyAllowlist` | bool | true | Apply configured false positive suppressions |
Example output:

```json
{
  "findings": [
    {
      "file": "config/settings.go",
      "line": 42,
      "type": "aws_access_key",
      "severity": "critical",
      "match": "AKIA****************",
      "rule": "aws_access_key_id",
      "confidence": 0.95,
      "source": "builtin"
    }
  ],
  "summary": {
    "totalFindings": 3,
    "bySeverity": { "critical": 1, "high": 2 },
    "filesWithSecrets": 2
  }
}
```

The scanner automatically filters common false positives:
- Example/placeholder values (`EXAMPLE_KEY`, `your_api_key`)
- Test values (`test123`, `changeme`, `dummy`)
- Documentation patterns (`<your-key-here>`)
- Low-entropy strings that match generic patterns
Create `.ckb/secrets-allowlist.json` to suppress known false positives:

```json
{
  "version": "1.0",
  "entries": [
    {
      "id": "test-files",
      "type": "path",
      "value": "**/*_test.go",
      "reason": "Test files contain mock credentials"
    },
    {
      "id": "example-docs",
      "type": "pattern",
      "value": "EXAMPLE",
      "reason": "Documentation examples"
    },
    {
      "id": "known-safe-key",
      "type": "hash",
      "value": "a1b2c3d4e5f6",
      "reason": "Public test API key"
    },
    {
      "id": "disable-generic",
      "type": "rule",
      "value": "generic_api_key",
      "reason": "Too many false positives in this codebase"
    }
  ]
}
```

Allowlist Entry Types:

| Type | Value | Description |
|---|---|---|
| `path` | glob pattern | Suppress all findings in matching files |
| `pattern` | regex | Suppress findings where secret matches |
| `hash` | finding hash | Suppress specific finding instance |
| `rule` | rule name | Disable entire detection rule |
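To show how the pieces described above fit together (prefix rules, the entropy threshold for generic keys, the built-in placeholder filter, masked matches in the output, and `path`/`pattern`/`rule` allowlist entries), here is an added Python sketch of such a scanner. It is not CKB's code: the rule subset, thresholds, sample files and allowlist are constructed for this example.

```python
from collections import Counter
import fnmatch
import math
import re

# Constructed rule subset modelled on the page's table; not CKB's real 26-pattern set.
RULES = [
    ("aws_access_key_id", "critical", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", "critical", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("password_in_url", "high", re.compile(r"://[^/\s:@]+:[^@/\s]+@[^\s/]+")),
    ("generic_api_key", "medium",
     re.compile(r"(?i)api[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})")),
]
PLACEHOLDERS = ("example", "your_api_key", "test123", "changeme", "dummy", "<your-key-here>")
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def shannon_entropy(s):  # bits per character; the page's generic_api_key rule needs > 3.5
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def allowlisted(f, secret, allowlist):  # the page's path / pattern / rule entry types
    return any((e["type"] == "path" and fnmatch.fnmatch(f["file"], e["value"]))
               or (e["type"] == "rule" and e["value"] == f["rule"])
               or (e["type"] == "pattern" and re.search(e["value"], secret)) for e in allowlist)

def scan_files(files, min_severity="low", allowlist=()):
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, severity, rx in RULES:
                for m in rx.finditer(line):
                    secret = m.group(m.lastindex or 0)  # capture group if the rule has one
                    if RANK[severity] < RANK[min_severity]: continue
                    if any(p in secret.lower() for p in PLACEHOLDERS): continue  # built-in filter
                    if rule == "generic_api_key" and shannon_entropy(secret) <= 3.5: continue
                    f = {"file": path, "line": lineno, "rule": rule, "severity": severity,
                         "match": secret[:4] + "*" * (len(secret) - 4)}  # never emit the raw value
                    if not allowlisted(f, secret, allowlist):
                        findings.append(f)
    return {"findings": findings, "summary": {
        "totalFindings": len(findings), "bySeverity": dict(Counter(f["severity"] for f in findings)),
        "filesWithSecrets": len({f["file"] for f in findings})}}

# Constructed sample inputs; none of these values are real credentials.
SAMPLE_FILES = {
    "config/settings.go": 'key := "AKIAQ3ZX7KJ9M2N4P8R1"\ndsn := "postgres://admin:hunter2@db.internal/app"\n',
    "docs/README.md": 'Use AKIAIOSFODNN7EXAMPLE as a placeholder\napi_key = "your_api_key_goes_here"\n',
    "internal/auth/auth_test.go": 'tok := "ghp_' + "Ab1" * 12 + '"\napi_key = "aaaaaaaabbbbbbbb"\n',
}
ALLOWLIST = [{"id": "test-files", "type": "path", "value": "**/*_test.go", "reason": "mock creds"}]
```

Running `scan_files(SAMPLE_FILES, allowlist=ALLOWLIST)` reports the two real-looking secrets in `config/settings.go` and nothing else: the documentation placeholders and the low-entropy generic key are filtered, and the test-file token is suppressed by the `path` entry.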
For more comprehensive scanning, CKB can optionally integrate with external tools:

```bash
# Install gitleaks
brew install gitleaks  # macOS
# or
go install github.com/gitleaks/gitleaks/v8@latest
# Use with CKB
ckb scan-secrets --use-gitleaks
```

Benefits:
- 100+ additional patterns
- Maintained by security community
- Git history scanning optimized

```bash
# Install trufflehog
brew install trufflehog  # macOS
# or
pip install trufflehog
# Use with CKB
ckb scan-secrets --use-trufflehog
```

Benefits:
- Verified secrets (confirms if credentials are active)
- Entropy-based detection
- Multiple source types
scanSecrets is included in these presets:

| Preset | Description |
|---|---|
| `review` | PR reviews - catch secrets before merge |
| `refactor` | Security audits during code changes |

```bash
ckb mcp --preset=review
```

Pre-commit hook:

```bash
#!/bin/bash
# .git/hooks/pre-commit
# Scan only staged files; JSON output is parsed below
result=$(ckb scan-secrets --scope=staged --min-severity=high --output=json)
# Allow optional whitespace after the colon so pretty-printed JSON also matches
if echo "$result" | grep -qE '"totalFindings": *[1-9]'; then
  echo "ERROR: Secrets detected in staged files!"
  echo "$result" | jq '.findings[]'
  exit 1
fi
```

GitHub Actions workflow:

```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Full history for history scan
      - name: Install CKB
        run: npm install -g @tastehub/ckb
      - name: Scan for secrets
        run: |
          ckb init
          ckb scan-secrets --min-severity=high --output=json > secrets.json
          if [ "$(jq '.summary.totalFindings' secrets.json)" -gt 0 ]; then
            echo "::error::Secrets detected!"
            jq '.findings[]' secrets.json
            exit 1
          fi
```

Best practices:
- Run in CI/CD - Catch secrets before they're committed
- Use pre-commit hooks - Prevent secrets from entering git history
- Scan history after incidents - Find and rotate exposed credentials
- Maintain allowlist - Reduce noise from known false positives
- Use external tools - gitleaks/trufflehog for comprehensive coverage
- Rotate immediately - If a real secret is found, rotate it first, then remove from code
CKB includes 26 builtin detection patterns:

Critical Severity:
- AWS Access Key ID (`AKIA...`)
- AWS Secret Key
- GitHub Personal Access Token (`ghp_...`)
- GitHub OAuth Token (`gho_...`)
- GitHub App Token (`ghu_...`, `ghs_...`)
- GitHub Fine-Grained PAT
- Stripe Live Secret Key (`sk_live_...`)
- Stripe Live Restricted Key (`rk_live_...`)
- RSA/EC/OpenSSH/DSA/PGP Private Keys

High Severity:
- GitHub Refresh Token (`ghr_...`)
- Slack Bot Token (`xoxb-...`)
- Slack User Token (`xoxp-...`)
- Slack App Token (`xapp-...`)
- Google API Key (`AIza...`)
- NPM Token (`npm_...`)
- PyPI Token (`pypi-...`)
- Password in URL
- Basic Auth Header

Medium Severity:
- Slack Webhook URL
- JWT Token
- Generic API Key (entropy > 3.5)
- Generic Secret/Password (entropy > 3.0)
- Bearer Token

Low Severity:
- Stripe Test Key (`sk_test_...`)
The existing auditRisk tool includes a security_sensitive factor that identifies files handling security-related code (authentication, encryption, credentials handling). Combined with scanSecrets, you get comprehensive security coverage:

```bash
# Find risky security-sensitive code
ckb audit --factor=security_sensitive
# Then scan those files for actual secrets
ckb scan-secrets --paths="internal/auth/*"
```

Related pages:
- Features#code-quality--risk - Risk scoring and hotspot detection
- Quality-Gates - Enforce security policies in CI/CD
- Workflow-Examples - Security-focused CI/CD workflows