Class: Ace::Git::Secrets::Models::ScanReport

Inherits:

Object

• Object
• Ace::Git::Secrets::Models::ScanReport

Defined in:

lib/ace/git/secrets/models/scan_report.rb

Overview

Represents a complete scan report with detected tokens and metadata

Instance Attribute Summary

• #commits_scanned ⇒ Object readonly

  Returns the value of attribute commits_scanned.

• #detection_method ⇒ Object readonly

  Returns the value of attribute detection_method.

• #repository_path ⇒ Object readonly

  Returns the value of attribute repository_path.

• #scan_duration ⇒ Object readonly

  Returns the value of attribute scan_duration.

• #scan_options ⇒ Object readonly

  Returns the value of attribute scan_options.

• #scanned_at ⇒ Object readonly

  Returns the value of attribute scanned_at.

• #thread_count ⇒ Object readonly

  Returns the value of attribute thread_count.

• #tokens ⇒ Object readonly

  Returns the value of attribute tokens.

Instance Method Summary

• #affected_commits ⇒ Array<String>

  Get unique commits with tokens.

• #affected_files ⇒ Array<String>

  Get unique files with tokens.

• #clean? ⇒ Boolean

  Check if any tokens were detected.

• #deduplicated_tokens ⇒ Hash<String, Hash>

  Get unique tokens grouped by raw_value with all their locations.

• #high_confidence_count ⇒ Integer

  Count of high confidence tokens.

• #initialize(tokens: [], repository_path: nil, scanned_at: nil, scan_options: {}, commits_scanned: 0, detection_method: "ruby_patterns", scan_duration: nil, thread_count: nil) ⇒ ScanReport constructor

  A new instance of ScanReport.

• #low_confidence_count ⇒ Integer

  Count of low confidence tokens.

• #medium_confidence_count ⇒ Integer

  Count of medium confidence tokens.

• #revocable_tokens ⇒ Array<DetectedToken>

  Get tokens that can be revoked.

• #save_providers_report(sessions_dir, session_id) ⇒ String^?

  Save providers-grouped markdown report for revocation workflow.

• #save_to_file(format: :json, directory: nil, include_raw: true, quiet: false) ⇒ String

  Save report to file in cache directory.

• #summary ⇒ Hash

  Summary statistics.

• #to_h(include_raw: false) ⇒ Hash

  Convert to hash for serialization.

• #to_json(include_raw: false) ⇒ String

  Serialize to JSON.

• #to_markdown ⇒ String

  Format as markdown for file output.

• #to_providers_markdown ⇒ String

  Format as providers-grouped markdown for revocation workflow.

• #to_summary(report_path: nil) ⇒ String

  Generate concise summary for stdout.

• #to_table ⇒ String

  Format as table for CLI output.

• #to_yaml(include_raw: false) ⇒ String

  Serialize to YAML.

• #token_count ⇒ Integer

  Total number of detected tokens.

• #token_types ⇒ Array<String>

  Get unique token types found.

• #tokens_by_confidence(level) ⇒ Array<DetectedToken>

  Get tokens by confidence level.

• #tokens_found? ⇒ Boolean

  Check if tokens were detected.

Constructor Details

#initialize(tokens: [], repository_path: nil, scanned_at: nil, scan_options: {}, commits_scanned: 0, detection_method: "ruby_patterns", scan_duration: nil, thread_count: nil) ⇒ ScanReport

Returns a new instance of ScanReport.

Parameters:

• tokens (Array<DetectedToken>) (defaults to: []) —

  Detected tokens

• repository_path (String) (defaults to: nil) —

  Path to scanned repository

• scanned_at (Time) (defaults to: nil) —

  When scan was performed

• scan_options (Hash) (defaults to: {}) —

  Options used for scanning

• commits_scanned (Integer) (defaults to: 0) —

  Number of commits scanned

• detection_method (String) (defaults to: "ruby_patterns") —

  Primary detection method used

• scan_duration (Float, nil) (defaults to: nil) —

  Scan duration in seconds

• thread_count (Integer, nil) (defaults to: nil) —

  Number of threads used for scanning

# File 'lib/ace/git/secrets/models/scan_report.rb', line 25

def initialize(tokens: [], repository_path: nil, scanned_at: nil,
  scan_options: {}, commits_scanned: 0, detection_method: "ruby_patterns",
  scan_duration: nil, thread_count: nil)
  @tokens = tokens.freeze
  @repository_path = repository_path
  @scanned_at = scanned_at || Time.now
  @scan_options = scan_options.freeze
  @commits_scanned = commits_scanned
  @detection_method = detection_method
  @scan_duration = scan_duration
  @thread_count = thread_count
end

Instance Attribute Details

#commits_scanned ⇒ Object (readonly)

Returns the value of attribute commits_scanned.

# File 'lib/ace/git/secrets/models/scan_report.rb', line 14

def commits_scanned
  @commits_scanned
end

#detection_method ⇒ Object (readonly)

Returns the value of attribute detection_method.

# File 'lib/ace/git/secrets/models/scan_report.rb', line 14

def detection_method
  @detection_method
end

#repository_path ⇒ Object (readonly)

Returns the value of attribute repository_path.

# File 'lib/ace/git/secrets/models/scan_report.rb', line 14

def repository_path
  @repository_path
end

#scan_duration ⇒ Object (readonly)

Returns the value of attribute scan_duration.

# File 'lib/ace/git/secrets/models/scan_report.rb', line 14

def scan_duration
  @scan_duration
end

#scan_options ⇒ Object (readonly)

Returns the value of attribute scan_options.

# File 'lib/ace/git/secrets/models/scan_report.rb', line 14

def scan_options
  @scan_options
end

#scanned_at ⇒ Object (readonly)

Returns the value of attribute scanned_at.

# File 'lib/ace/git/secrets/models/scan_report.rb', line 14

def scanned_at
  @scanned_at
end

#thread_count ⇒ Object (readonly)

Returns the value of attribute thread_count.

# File 'lib/ace/git/secrets/models/scan_report.rb', line 14

def thread_count
  @thread_count
end

#tokens ⇒ Object (readonly)

Returns the value of attribute tokens.

# File 'lib/ace/git/secrets/models/scan_report.rb', line 14

def tokens
  @tokens
end

Instance Method Details

#affected_commits ⇒ Array<String>

Get unique commits with tokens

Returns:

• (Array<String>)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 95

def affected_commits
  tokens.map(&:commit_hash).uniq
end

#affected_files ⇒ Array<String>

Get unique files with tokens

Returns:

• (Array<String>)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 89

def affected_files
  tokens.map(&:file_path).uniq.sort
end

#clean? ⇒ Boolean

Check if any tokens were detected

Returns:

• (Boolean)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 40

def clean?
  tokens.empty?
end

#deduplicated_tokens ⇒ Hash<String, Hash>

Get unique tokens grouped by raw_value with all their locations

Returns:

• (Hash<String, Hash>) —

  Map of raw_value => { token:, locations: [] }

# File 'lib/ace/git/secrets/models/scan_report.rb', line 264

def deduplicated_tokens
  result = {}
  tokens.each do |token|
    if result.key?(token.raw_value)
      result[token.raw_value][:locations] << {
        commit: token.short_commit,
        file: token.file_path,
        line: token.line_number
      }
    else
      result[token.raw_value] = {
        token: token,
        locations: [{
          commit: token.short_commit,
          file: token.file_path,
          line: token.line_number
        }]
      }
    end
  end
  result
end

#high_confidence_count ⇒ Integer

Count of high confidence tokens

Returns:

• (Integer)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 65

def high_confidence_count
  tokens_by_confidence("high").size
end

#low_confidence_count ⇒ Integer

Count of low confidence tokens

Returns:

• (Integer)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 77

def low_confidence_count
  tokens_by_confidence("low").size
end

#medium_confidence_count ⇒ Integer

Count of medium confidence tokens

Returns:

• (Integer)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 71

def medium_confidence_count
  tokens_by_confidence("medium").size
end

#revocable_tokens ⇒ Array<DetectedToken>

Get tokens that can be revoked

Returns:

• (Array<DetectedToken>)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 101

def revocable_tokens
  tokens.select(&:revocable?)
end

#save_providers_report(sessions_dir, session_id) ⇒ String^?

Save providers-grouped markdown report for revocation workflow

Parameters:

• sessions_dir (String) —

  Sessions directory to save report

• session_id (String) —

  Session ID prefix for filename

Returns:

• (String, nil) —

  Path to saved report, or nil if no tokens

# File 'lib/ace/git/secrets/models/scan_report.rb', line 225

def save_providers_report(sessions_dir, session_id)
  providers_content = to_providers_markdown
  return nil unless providers_content

  providers_path = File.join(sessions_dir, "#{session_id}-providers.md")
  File.write(providers_path, providers_content)
  providers_path
rescue => e
  # Log error but don't fail main report save
  warn "Warning: Could not save providers report: #{e.message}"
  nil
end

#save_to_file(format: :json, directory: nil, include_raw: true, quiet: false) ⇒ String

Save report to file in cache directory

Parameters:

• format (Symbol) (defaults to: :json) —

  Output format (:json or :markdown)

• directory (String, nil) (defaults to: nil) —

  Custom cache directory (defaults to .ace-local/git-secrets)

• include_raw (Boolean) (defaults to: true) —

  Include raw token values in JSON (default: true for machine-readable)

• quiet (Boolean) (defaults to: false) —

  Suppress security warning (default: false)

Returns:

• (String) —

  Path to saved report file

# File 'lib/ace/git/secrets/models/scan_report.rb', line 196

def save_to_file(format: :json, directory: nil, include_raw: true, quiet: false)
  cache_dir = directory || File.join(repository_path || ".", ".ace-local", "git-secrets")
  sessions_dir = File.join(cache_dir, "sessions")
  FileUtils.mkdir_p(sessions_dir)

  session_id = Ace::B36ts.encode(scanned_at)
  ext = (format == :markdown) ? "md" : "json"
  path = File.join(sessions_dir, "#{session_id}-report.#{ext}")

  # JSON format includes raw values by default for revoke/rewrite-history workflows
  # Markdown format never includes raw values (human-readable)
  content = (format == :markdown) ? to_markdown : to_json(include_raw: include_raw)
  File.write(path, content)

  # Security warning: remind user that raw secrets are written to disk
  if include_raw && tokens_found? && !quiet
    warn "SECURITY: Report contains raw token values. Delete after remediation: #{path}"
  end

  # Generate providers report for revocation workflow (only when tokens found)
  save_providers_report(sessions_dir, session_id) if tokens_found?

  path
end

#summary ⇒ Hash

Summary statistics

Returns:

• (Hash)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 107

def summary
  {
    total_tokens: token_count,
    high_confidence: high_confidence_count,
    medium_confidence: medium_confidence_count,
    low_confidence: low_confidence_count,
    token_types: token_types,
    affected_files: affected_files.size,
    affected_commits: affected_commits.size,
    revocable: revocable_tokens.size,
    detection_method: detection_method
  }
end

#to_h(include_raw: false) ⇒ Hash

Convert to hash for serialization

Parameters:

• include_raw (Boolean) (defaults to: false) —

  Whether to include raw token values

Returns:

• (Hash)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 124

def to_h(include_raw: false)
  result = {
    scan_metadata: {
      repository: repository_path,
      scanned_at: scanned_at.iso8601,
      commits_scanned: commits_scanned,
      scan_duration_seconds: scan_duration&.round(2),
      thread_count: thread_count,
      detection_method: detection_method
    },
    scan_options: scan_options,
    summary: summary,
    tokens: tokens.map { |t| t.to_h(include_raw: include_raw) }
  }
  # Remove nil values from scan_metadata
  result[:scan_metadata].compact!
  result
end

#to_json(include_raw: false) ⇒ String

Serialize to JSON

Parameters:

• include_raw (Boolean) (defaults to: false) —

  Whether to include raw token values

Returns:

• (String)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 146

def to_json(include_raw: false)
  JSON.pretty_generate(to_h(include_raw: include_raw))
end

#to_markdown ⇒ String

Format as markdown for file output

Returns:

• (String)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 337

def to_markdown
  lines = []
  lines << "# Security Scan Report"
  lines << ""
  lines << "## Scan Metadata"
  lines << ""
  lines << "| Field | Value |"
  lines << "|-------|-------|"
  lines << "| Repository | `#{repository_path}` |"
  lines << "| Scanned at | #{scanned_at.iso8601} |"
  lines << "| Commits scanned | #{commits_scanned} |"
  lines << "| Scan duration | #{scan_duration ? format_duration(scan_duration) : "N/A"} |"
  lines << "| Thread count | #{thread_count || "N/A"} |"
  lines << "| Detection method | #{detection_method} |"
  lines << ""
  lines << "## Summary"
  lines << ""
  lines << "| Metric | Count |"
  lines << "|--------|-------|"
  lines << "| Total tokens | #{token_count} |"
  lines << "| High confidence | #{high_confidence_count} |"
  lines << "| Medium confidence | #{medium_confidence_count} |"
  lines << "| Low confidence | #{low_confidence_count} |"
  lines << ""

  if tokens.any?
    lines << "## Detected Tokens"
    lines << ""

    tokens.each_with_index do |token, idx|
      lines << "### #{idx + 1}. #{token.token_type}"
      lines << ""
      lines << "- **Confidence**: #{token.confidence}"
      lines << "- **Value**: `#{token.masked_value}`"
      lines << "- **Commit**: #{token.short_commit}"
      lines << "- **File**: `#{token.file_path}#{":#{token.line_number}" if token.line_number}`"
      lines << "- **Detected by**: #{token.detected_by}"
      lines << ""
    end
  else
    lines << "No tokens detected. Repository is clean."
    lines << ""
  end

  lines.join("\n")
end

#to_providers_markdown ⇒ String

Format as providers-grouped markdown for revocation workflow

Returns:

• (String)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 289

def to_providers_markdown
  return nil if clean?

  deduped = deduplicated_tokens

  # Group by provider, with revocable providers first
  by_provider = deduped.values.group_by { |entry| entry[:token].provider_name }

  # Sort providers: revocable first, manual last
  provider_order = %w[GitHub AWS Anthropic OpenAI]
  sorted_providers = by_provider.keys.sort_by do |name|
    idx = provider_order.index(name)
    idx.nil? ? provider_order.size : idx
  end

  lines = []
  lines << "# Tokens to Revoke"
  lines << ""
  lines << "**Scan**: #{scanned_at.strftime("%Y-%m-%d %H:%M:%S")} | " \
           "**Unique tokens**: #{deduped.size} | " \
           "**Providers**: #{by_provider.size}"
  lines << ""

  sorted_providers.each do |provider_name|
    provider_tokens = by_provider[provider_name]
    lines << "## #{provider_name} (#{provider_tokens.size} token#{"s" if provider_tokens.size != 1})"
    lines << ""

    provider_tokens.each_with_index do |entry, idx|
      token = entry[:token]
      locations = entry[:locations]

      lines << "### #{idx + 1}. `#{token.masked_value}` (#{token.token_type})"
      lines << ""
      lines << "**Locations:**"
      locations.each do |loc|
        line_suffix = loc[:line] ? ":#{loc[:line]}" : ""
        lines << "- `#{loc[:commit]}` #{loc[:file]}#{line_suffix}"
      end
      lines << ""
    end
  end

  lines.join("\n")
end

#to_summary(report_path: nil) ⇒ String

Generate concise summary for stdout

Parameters:

• report_path (String, nil) (defaults to: nil) —

  Path to full report file

Returns:

• (String)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 241

def to_summary(report_path: nil)
  lines = []

  # Timing and thread info
  timing = scan_duration ? "in #{format_duration(scan_duration)}" : ""
  threads = thread_count ? " (#{thread_count} threads)" : ""
  lines << "Scan completed#{" " + timing unless timing.empty?}#{threads}"

  # Token counts
  lines << if clean?
    "No tokens detected. Repository is clean."
  else
    "Tokens found: #{token_count} (high: #{high_confidence_count}, medium: #{medium_confidence_count})"
  end

  # Report path
  lines << "Report saved: #{report_path}" if report_path

  lines.join("\n")
end

#to_table ⇒ String

Format as table for CLI output

Returns:

• (String)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 159

def to_table
  return "No tokens detected. Repository is clean." if clean?

  lines = []
  lines << "Scan Report: #{repository_path}"
  lines << "=" * 60
  lines << "Scanned at: #{scanned_at}"
  lines << "Commits scanned: #{commits_scanned}"
  lines << "Detection method: #{detection_method}"
  lines << ""
  lines << "Summary:"
  lines << "  Total tokens: #{token_count}"
  lines << "  High confidence: #{high_confidence_count}"
  lines << "  Medium confidence: #{medium_confidence_count}"
  lines << "  Low confidence: #{low_confidence_count}"
  lines << ""
  lines << "Detected Tokens:"
  lines << "-" * 60

  tokens.each_with_index do |token, idx|
    lines << "#{idx + 1}. #{token.token_type} (#{token.confidence})"
    lines << "   Value: #{token.masked_value}"
    lines << "   Commit: #{token.short_commit}"
    lines << "   File: #{token.file_path}#{":#{token.line_number}" if token.line_number}"
    lines << "   Detected by: #{token.detected_by}"
    lines << ""
  end

  lines.join("\n")
end

#to_yaml(include_raw: false) ⇒ String

Serialize to YAML

Parameters:

• include_raw (Boolean) (defaults to: false) —

  Whether to include raw token values

Returns:

• (String)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 153

def to_yaml(include_raw: false)
  to_h(include_raw: include_raw).to_yaml
end

#token_count ⇒ Integer

Total number of detected tokens

Returns:

• (Integer)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 52

def token_count
  tokens.size
end

#token_types ⇒ Array<String>

Get unique token types found

Returns:

• (Array<String>)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 83

def token_types
  tokens.map(&:token_type).uniq.sort
end

#tokens_by_confidence(level) ⇒ Array<DetectedToken>

Get tokens by confidence level

Parameters:

• level (String) —

  Confidence level (high, medium, low)

Returns:

• (Array<DetectedToken>)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 59

def tokens_by_confidence(level)
  tokens.select { |t| t.confidence == level }
end

#tokens_found? ⇒ Boolean

Check if tokens were detected

Returns:

• (Boolean)

# File 'lib/ace/git/secrets/models/scan_report.rb', line 46

def tokens_found?
  !clean?
end