Module: Ace::Git::Secrets

Defined in:
lib/ace/git/secrets.rb,
lib/ace/git/secrets/cli.rb,
lib/ace/git/secrets/version.rb,
lib/ace/git/secrets/cli/commands/scan.rb,
lib/ace/git/secrets/models/scan_report.rb,
lib/ace/git/secrets/cli/commands/revoke.rb,
lib/ace/git/secrets/cli/commands/rewrite.rb,
lib/ace/git/secrets/atoms/gitleaks_runner.rb,
lib/ace/git/secrets/commands/scan_command.rb,
lib/ace/git/secrets/models/detected_token.rb,
lib/ace/git/secrets/molecules/git_rewriter.rb,
lib/ace/git/secrets/organisms/release_gate.rb,
lib/ace/git/secrets/commands/revoke_command.rb,
lib/ace/git/secrets/molecules/token_revoker.rb,
lib/ace/git/secrets/atoms/service_api_client.rb,
lib/ace/git/secrets/commands/rewrite_command.rb,
lib/ace/git/secrets/models/revocation_result.rb,
lib/ace/git/secrets/molecules/history_scanner.rb,
lib/ace/git/secrets/organisms/history_cleaner.rb,
lib/ace/git/secrets/cli/commands/check_release.rb,
lib/ace/git/secrets/organisms/security_auditor.rb,
lib/ace/git/secrets/commands/check_release_command.rb

Defined Under Namespace

Modules: Atoms, CLI, Commands, Models, Molecules, Organisms Classes: Error, GitRewriteError, RevocationError

Constant Summary collapse

VERSION =
'0.15.5'

Class Method Summary collapse

Class Method Details

.configHash

Note:

Thread Safety: This method is thread-safe via Mutex synchronization. The config is loaded once and cached for subsequent calls. IMPORTANT: Config MUST be preloaded via CLI.start before parallel operations begin. When using ace-git-secrets as a library (not via CLI), call Ace::Git::Secrets.config explicitly before spawning any threads that perform scanning or revocation. Failure to preload may result in race conditions during config initialization under concurrent load.

Loads the ace-git-secrets configuration using the ace-config cascade. Follows ADR-022: defaults are loaded from .ace-defaults/ and user overrides from .ace/ are merged on top. Uses Ace::Support::Config.create() for cascade resolution. If the cascade raises, a warning is printed and fallback_defaults is cached in its place for the rest of the process.

Returns:

  • (Hash)

    Configuration hash



# File 'lib/ace/git/secrets.rb', line 59

# Load the ace-git-secrets configuration through the ace-config cascade
# (ADR-022): defaults from the gem's `.ace-defaults/`, overridden by the
# project's `.ace/`.
#
# The resolved hash is memoized in `@config` under `@config_mutex`, so the
# cascade runs once per process; library users should call this once before
# spawning worker threads.
#
# Failure mode: if the cascade raises, a warning is written to stderr and
# `fallback_defaults` (no exclusions, no whitelist, masked output) is cached
# for the rest of the process. That fallback is the stricter policy, so a
# broken config does not silently widen what the scanner skips.
#
# @return [Hash] configuration for the "git-secrets" namespace
def self.config
  @config_mutex.synchronize do
    @config ||= begin
      spec = Gem.loaded_specs["ace-git-secrets"]
      gem_dir = spec&.gem_dir || File.expand_path("../../..", __dir__)

      cascade = Ace::Support::Config.create(
        config_dir: ".ace",
        defaults_dir: ".ace-defaults",
        gem_path: gem_dir
      )
      resolved = cascade.resolve_namespace("git-secrets").data

      # Unwrap a nested "git-secrets" section when the resolver provides one.
      resolved["git-secrets"] || resolved
    rescue => e
      warn "Warning: Could not load ace-git-secrets config: #{e.message}"
      fallback_defaults
    end
  end
end

.exclusionsArray<String>

Returns the file exclusions from config. Per ADR-022, exclusions come from .ace-defaults/ merged with the user config. An over-broad exclusion hides files from the scan entirely, so changes to this list deserve the same review as rule changes.

Returns:

  • (Array<String>)

    Glob patterns for files to exclude



# File 'lib/ace/git/secrets.rb', line 100

# File globs the scanner skips, as merged by the config cascade (ADR-022).
#
# NOTE(review): every pattern here is a blind spot for the scan; review
# additions as carefully as rule changes.
#
# @return [Array<String>] glob patterns, empty when none are configured
def self.exclusions
  configured = config.dig("exclusions")
  configured || []
end

.fallback_defaultsHash

Fallback defaults used when config loading fails. Note: this should rarely be needed, since .ace-defaults/ should always be present. The fallback is deliberately strict: no exclusions, no whitelist, and token masking on.

Returns:

  • (Hash)

    Minimal fallback configuration



# File 'lib/ace/git/secrets.rb', line 86

# Minimal configuration used only when the cascade cannot be loaded.
#
# Deliberately fail-closed: nothing excluded, nothing whitelisted, and token
# values masked in output. A fresh hash is built on every call so callers
# cannot mutate a shared default.
#
# @return [Hash] minimal fallback configuration
def self.fallback_defaults
  output_settings = { "format" => "table", "mask_tokens" => true }
  {
    "exclusions" => [],
    "whitelist" => [],
    "output" => output_settings
  }
end

.find_user_gitleaks_configString?

Find the user gitleaks config in a project .ace/ directory. The search starts at the current directory and walks upward, so a gitleaks.toml in any ancestor directory (not only the repository root) is picked up and takes precedence over the gem's bundled rules.

Returns:

  • (String, nil)

    Path to user gitleaks config



# File 'lib/ace/git/secrets.rb', line 138

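# Locate a user-supplied gitleaks config by walking from +start_dir+ toward
# the filesystem root, looking for `.ace/git-secrets/gitleaks.toml`.
#
# The walk stops when `File.dirname` returns its own input (the root on any
# platform); the previous `dir != "/"` test never terminated on drive-rooted
# paths such as `C:/`. As before, the root directory itself is not checked.
#
# NOTE(review): because every ancestor is consulted, a gitleaks.toml placed
# in a parent directory (a home dir, a shared scratch dir) replaces the
# bundled rules for repositories beneath it — see gitleaks_config_path.
# Callers that need a hard boundary should pass the repository root as
# +start_dir+.
#
# @param start_dir [String] directory to start the upward search from
#   (defaults to the current working directory)
# @return [String, nil] path to the first gitleaks.toml found, or nil
def self.find_user_gitleaks_config(start_dir = Dir.pwd)
  dir = start_dir
  loop do
    parent = File.dirname(dir)
    # dirname is a fixed point at the filesystem root on every platform.
    return nil if parent == dir

    candidate = File.join(dir, ".ace", "git-secrets", "gitleaks.toml")
    return candidate if File.exist?(candidate)

    dir = parent
  end
end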

.gitleaks_available?Boolean

Check if gitleaks is available in PATH

Returns:

  • (Boolean)

    true if gitleaks is available



# File 'lib/ace/git/secrets.rb', line 151

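# Whether a `gitleaks` executable can be found on PATH.
#
# Resolved in Ruby rather than by shelling out to `which`: no subprocess, no
# dependency on a `which` binary or `/dev/null`. The answer is cached —
# including a negative one, which the previous `||=` form re-checked on every
# call — until reset_config! clears `@gitleaks_available`.
#
# NOTE(review): whoever controls PATH controls which binary is treated as
# gitleaks; callers that care about provenance should invoke a pinned
# absolute path instead of relying on lookup.
#
# @return [Boolean] true if an executable named gitleaks is on PATH
def self.gitleaks_available?
  return @gitleaks_available unless @gitleaks_available.nil?

  names = ["gitleaks"]
  # Windows resolves commands through PATHEXT (e.g. gitleaks.exe).
  pathext = ENV["PATHEXT"]
  if pathext && !pathext.empty?
    names.concat(pathext.split(";").map { |ext| "gitleaks#{ext.downcase}" })
  end

  search_dirs = ENV.fetch("PATH", "").split(File::PATH_SEPARATOR).reject(&:empty?)
  @gitleaks_available = search_dirs.any? do |dir|
    names.any? do |name|
      candidate = File.join(dir, name)
      File.file?(candidate) && File.executable?(candidate)
    end
  end
end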

.gitleaks_config_pathString?

Note:

Thread Safety: This method uses the same mutex as config to ensure thread-safe initialization. Like config, it should be preloaded before spawning threads (the CLI does this automatically via CLI.start).

Note:

Environment Variable: Set ACE_GITLEAKS_CONFIG_PATH to override automatic config discovery (useful for testing). Because the override replaces the rule set used for every scan, treat it as trusted input: a gate that runs in an environment where others can set variables (CI job parameters, shared shells) can have its rules swapped this way.

Resolves the gitleaks config path with a cascade. Checks, in order: ACE_GITLEAKS_CONFIG_PATH, then .ace/git-secrets/gitleaks.toml (searched upward from the current directory), then the gem's .ace-defaults/git-secrets/gitleaks.toml.

Returns:

  • (String, nil)

    Path to gitleaks config, or nil if not found



# File 'lib/ace/git/secrets.rb', line 113

# Resolve which gitleaks rule file the scanner will use.
#
# Precedence (first existing path wins):
#   1. ACE_GITLEAKS_CONFIG_PATH — intended for tests; it silently replaces
#      the rule set, so only honour it in environments you trust.
#   2. `.ace/git-secrets/gitleaks.toml` found by find_user_gitleaks_config,
#      which searches the current directory and every ancestor.
#   3. The gem's bundled `.ace-defaults/git-secrets/gitleaks.toml`.
#
# The result is memoized under `@config_mutex`; a nil result (nothing found)
# is not cached and is re-resolved on the next call.
#
# @return [String, nil] path to the gitleaks config, or nil if none exists
def self.gitleaks_config_path
  @config_mutex.synchronize do
    @gitleaks_config_path ||= begin
      bundled = File.join(File.expand_path("../../..", __dir__),
                          ".ace-defaults", "git-secrets", "gitleaks.toml")
      # Lazily evaluated so later sources are only consulted when needed.
      sources = [
        -> { ENV["ACE_GITLEAKS_CONFIG_PATH"] },
        -> { find_user_gitleaks_config },
        -> { bundled }
      ]
      sources.lazy.map(&:call).find { |path| path && File.exist?(path) }
    end
  end
end

.reset_config!void

This method returns an undefined value.

Resets the cached configuration, the resolved gitleaks config path and the cached gitleaks availability flag. Useful for testing to ensure a clean state between tests. The config and config-path caches are cleared under the config mutex.



# File 'lib/ace/git/secrets.rb', line 159

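# Clear every cached value so the next call re-resolves from scratch.
#
# Intended for tests. All three caches are now cleared inside the one
# `@config_mutex.synchronize` block; previously `@gitleaks_available` was
# reset outside it, contradicting the documented "atomically". Note that
# gitleaks_available? itself does not take the mutex, so the atomicity
# guarantee covers readers of config and gitleaks_config_path only.
#
# @return [void]
def self.reset_config!
  @config_mutex.synchronize do
    @config = nil
    @gitleaks_config_path = nil
    @gitleaks_available = nil
  end
end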