
recoder-security


Enterprise-grade security and compliance layer for CodeCraft CLI

/**
 * Secret Detection and Prevention System — type declarations.
 *
 * Describes the scanner that keeps API keys, passwords and other credentials out of
 * generated code: regex pattern matching, entropy/confidence scoring, optional remote
 * verification, alerting and automatic remediation. This is a declaration file only;
 * the runtime behaviour is not visible here, so every behavioural note below is
 * inferred from the declared shape and marked as such.
 *
 * Security notes for consumers and implementers:
 *  - `SecretDetection.match` carries the raw matched secret. Treat every SecretDetection
 *    (and the class's detection history) as sensitive: persist and log `redactedMatch`,
 *    never `match`.
 *  - `SecretPattern.pattern`, `falsePositivePatterns` and `customPatterns` are regexes run
 *    against arbitrary file content. A pattern with catastrophic backtracking turns the
 *    scanner into a denial-of-service vector — review custom patterns before loading them.
 *  - `validationUrl` / `verificationEnabled` presumably send a candidate credential to a
 *    remote endpoint to check whether it is live. That is itself an exfiltration path;
 *    only enable it against endpoints you control or trust. TODO(review): confirm against
 *    the implementation of `verifySecrets`.
 */

/** Severity levels a pattern can assign to a detection. */
type Severity = 'low' | 'medium' | 'high' | 'critical';

/** Broad classification of the kind of credential a pattern detects. */
type SecretCategory = 'api_key' | 'password' | 'token' | 'certificate' | 'database' | 'cloud' | 'generic';

/** Where in the CodeCraft pipeline a scan was triggered. */
type ScanType = 'pre_generation' | 'post_generation' | 'file_scan' | 'realtime';

/** What the remediation step does with a detected secret. */
type RemediationAction = 'remove' | 'redact' | 'replace' | 'warn';

/**
 * Optional attribution attached to a scan. Both fields are copied into
 * `SecretDetection.metadata` for audit purposes.
 */
interface ScanAttribution {
  userId?: string;
  sessionId?: string;
}

/** Context for `SecretDetector.scanText`: attribution plus an optional origin file and the mandatory scan type. */
interface TextScanContext extends ScanAttribution {
  file?: string;
  scanType: ScanType;
}

/**
 * A detection rule: a regex plus the metadata used to score and explain its matches.
 */
export interface SecretPattern {
  /** Stable identifier, also used by `removeCustomPattern`. */
  id: string;
  /** Human-readable name; `generateEnvVarName` derives an env-var name from it. */
  name: string;
  description: string;
  /**
   * Regex evaluated against scanned text. Runs on untrusted content — avoid
   * constructs prone to catastrophic backtracking (nested quantifiers, overlapping
   * alternations).
   */
  pattern: RegExp;
  severity: Severity;
  /** Base confidence for matches of this pattern; range is not declared here (presumably 0–1 — verify). */
  confidence: number;
  category: SecretCategory;
  /** Issuing provider (e.g. a cloud vendor), when the pattern is provider-specific. */
  provider?: string;
  /** Presumably a minimum Shannon-entropy threshold compared against `calculateEntropy` — confirm. */
  entropy?: number;
  /**
   * Illustrative matches. These must be synthetic — a real credential placed here
   * would itself be a leak in the pattern definition.
   */
  examples: string[];
  /** Matches that also hit one of these are treated as false positives (see `isFalsePositive`). */
  falsePositivePatterns?: RegExp[];
  /**
   * Endpoint used when verification is enabled. Presumably the candidate secret is
   * sent to this URL — only point it at trusted infrastructure.
   */
  validationUrl?: string;
}

/**
 * One matched secret, its location, scores and the proposed remediation.
 * Contains the raw secret in `match`; handle as sensitive data.
 */
export interface SecretDetection {
  /** Unique id from `generateDetectionId`. */
  id: string;
  pattern: SecretPattern;
  /** Raw matched text — the secret itself. Do not log or persist. */
  match: string;
  /**
   * Safe-to-display form from `redactSecret`: only the first and last few characters
   * are kept. For very short secrets this may still reveal most of the value.
   */
  redactedMatch: string;
  file: string;
  line: number;
  column: number;
  /** Surrounding text of the match; may also contain the secret. */
  context: string;
  /** Per-detection confidence from `calculateConfidence` (range not declared — presumably 0–1). */
  confidence: number;
  /** Shannon entropy of `match` as computed by `calculateEntropy`. */
  entropy: number;
  /** True when `verifySecrets` confirmed the credential is live; otherwise false. */
  verified: boolean;
  remediation: {
    action: RemediationAction;
    /** Text substituted for the match when `action` is 'replace' (e.g. an env-var reference). */
    replacement: string;
    explanation: string;
  };
  metadata: {
    timestamp: number;
    userId?: string;
    sessionId?: string;
    scanType: ScanType;
  };
}

/** Aggregate outcome of `scanDirectory`. */
export interface ScanResult {
  /** Unique id from `generateScanId`. */
  scanId: string;
  timestamp: number;
  /** The directory that was scanned. */
  target: string;
  totalFiles: number;
  /** Files actually scanned after `shouldExcludeFile` and size limits are applied. */
  scannedFiles: number;
  totalDetections: number;
  /** Full detections, including raw matches — sensitive. */
  detections: SecretDetection[];
  summary: {
    critical: number;
    high: number;
    medium: number;
    low: number;
    verified: number;
    falsePositives: number;
  };
  /** Whether `remediateDetections` modified files as part of this scan. */
  remediated: boolean;
  /** Wall-clock duration; unit not declared (presumably milliseconds). */
  duration: number;
}

/** Runtime configuration; every field may be overridden via the constructor's `Partial`. */
export interface SecretDetectorConfig {
  enabled: boolean;
  scanGenerated: boolean;
  scanUploaded: boolean;
  scanRealtime: boolean;
  /** When true, detections are fixed in place without user confirmation. */
  autoRemediate: boolean;
  alertOnDetection: boolean;
  /** Files larger than this are skipped; unit not declared (presumably bytes). */
  maxFileSize: number;
  /** Exclusion rules consumed by `shouldExcludeFile`; glob vs. regex syntax is not declared here. */
  excludePatterns: string[];
  /** Extra patterns loaded by `loadCustomPatterns`; subject to the ReDoS caveat above. */
  customPatterns: SecretPattern[];
  /** Enables `verifySecrets` (remote check of candidate credentials). */
  verificationEnabled: boolean;
  /** Timeout for verification; unit not declared (presumably milliseconds). */
  verificationTimeout: number;
}

/**
 * Scans text, files and directories for secrets, optionally verifies and remediates them,
 * and keeps a history of detections for `getStatistics`.
 */
export declare class SecretDetector {
  private readonly logger;
  private readonly config;
  private readonly patterns;
  /** Accumulated detections; holds raw matches, so it is as sensitive as the secrets themselves. */
  private readonly detectionHistory;
  constructor(config?: Partial<SecretDetectorConfig>);
  /** Scan an in-memory string. `context.scanType` records where in the pipeline the text came from. */
  scanText(text: string, context: TextScanContext): Promise<SecretDetection[]>;
  /** Scan a single file on disk. */
  scanFile(filePath: string, context?: ScanAttribution): Promise<SecretDetection[]>;
  /** Recursively scan a directory, honouring `excludePatterns` and `maxFileSize`. */
  scanDirectory(dirPath: string, context?: ScanAttribution): Promise<ScanResult>;
  /** Return `text` with each detection's remediation applied (remove / redact / replace). */
  remediateText(text: string, detections: SecretDetection[]): Promise<string>;
  /** Register an additional pattern at runtime. */
  addCustomPattern(pattern: SecretPattern): void;
  /** Unregister a pattern by its `id`. */
  removeCustomPattern(patternId: string): void;
  /** Counters derived from the loaded patterns and the detection history. */
  getStatistics(): {
    patternsLoaded: number;
    totalDetections: number;
    criticalDetections: number;
    verifiedDetections: number;
    sessionsScanned: number;
  };
  /** Load the built-in pattern set. */
  private loadSecretPatterns;
  /** Load `config.customPatterns`. */
  private loadCustomPatterns;
  /** Apply `falsePositivePatterns` to a match. */
  private isFalsePositive;
  /** Shannon entropy of a string. */
  private calculateEntropy;
  /** Combine pattern confidence, entropy and context into a detection confidence. */
  private calculateConfidence;
  /** Choose the remediation action/replacement for a detection. */
  private generateRemediation;
  /** Mask a secret, keeping only the first and last few characters. */
  private redactSecret;
  /** Derive an environment-variable name from a pattern name. */
  private generateEnvVarName;
  /** Map a character offset to line/column. */
  private getLineInfo;
  /** Decide whether a path is excluded from scanning. */
  private shouldExcludeFile;
  /** Enumerate candidate files under a directory. */
  private getFilesToScan;
  /** Optionally check detected secrets against their `validationUrl`. */
  private verifySecrets;
  /** Raise alerts for critical detections. Should emit `redactedMatch`, not `match`. */
  private alertOnDetections;
  /** Rewrite files on disk to apply remediations. */
  private remediateDetections;
  private generateDetectionId;
  private generateScanId;
}
//# sourceMappingURL=secret-detector.d.ts.map