Class: Ace::Git::Secrets::Organisms::SecurityAuditor

Inherits:
Object
Defined in:
lib/ace/git/secrets/organisms/security_auditor.rb

Overview

Orchestrates security scanning and reporting. High-level workflow for detecting tokens in repositories.

Uses gitleaks for token detection with whitelist filtering, formatted reporting, and actionable next steps.

Requires gitleaks to be installed: brew install gitleaks

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(repository_path: ".", gitleaks_config: nil, output_format: "table", whitelist: [], exclusions: nil) ⇒ SecurityAuditor

Returns a new instance of SecurityAuditor.

Parameters:

  • repository_path (String) (defaults to: ".")

    Path to git repository

  • gitleaks_config (String, nil) (defaults to: nil)

    Path to gitleaks config file

  • output_format (String) (defaults to: "table")

    Output format (table, json, yaml)

  • whitelist (Array<Hash>) (defaults to: [])

    Patterns/files to whitelist

  • exclusions (Array<String>, nil) (defaults to: nil)

    Glob patterns for files to exclude



# File 'lib/ace/git/secrets/organisms/security_auditor.rb', line 22

def initialize(repository_path: ".", gitleaks_config: nil, output_format: "table",
  whitelist: [], exclusions: nil)
  @scanner = Molecules::HistoryScanner.new(
    repository_path: repository_path,
    gitleaks_config: gitleaks_config,
    exclusions: exclusions
  )
  @output_format = output_format
  @whitelist = whitelist || []
  @whitelisted_count = 0
  @whitelist_audit_log = []
end

Instance Attribute Details

#output_format ⇒ Object (readonly)

Returns the value of attribute output_format.



# File 'lib/ace/git/secrets/organisms/security_auditor.rb', line 15

def output_format
  @output_format
end

#scanner ⇒ Object (readonly)

Returns the value of attribute scanner.



# File 'lib/ace/git/secrets/organisms/security_auditor.rb', line 15

def scanner
  @scanner
end

#whitelist ⇒ Object (readonly)

Returns the value of attribute whitelist.



# File 'lib/ace/git/secrets/organisms/security_auditor.rb', line 15

def whitelist
  @whitelist
end

#whitelist_audit_log ⇒ Object (readonly)

Returns the value of attribute whitelist_audit_log.



# File 'lib/ace/git/secrets/organisms/security_auditor.rb', line 15

def whitelist_audit_log
  @whitelist_audit_log
end

#whitelisted_count ⇒ Object (readonly)

Returns the value of attribute whitelisted_count.



# File 'lib/ace/git/secrets/organisms/security_auditor.rb', line 15

def whitelisted_count
  @whitelisted_count
end

Instance Method Details

#audit(since: nil, min_confidence: "low", output_path: nil, verbose: false) ⇒ Models::ScanReport

Run full security audit on repository

Parameters:

  • since (String, nil) (defaults to: nil)

    Start commit or date

  • min_confidence (String) (defaults to: "low")

    Minimum confidence level

  • output_path (String, nil) (defaults to: nil)

    Path to save report

  • verbose (Boolean) (defaults to: false)

    Enable verbose output

Returns:

  • (Models::ScanReport)


# File 'lib/ace/git/secrets/organisms/security_auditor.rb', line 41

def audit(since: nil, min_confidence: "low", output_path: nil, verbose: false)
  puts "Scanning Git history for authentication tokens..." if verbose

  start_time = Time.now

  report = scanner.scan(
    since: since,
    min_confidence: min_confidence
  )

  scan_duration = Time.now - start_time

  # Apply whitelist filtering
  report = apply_whitelist(report) if whitelist.any?

  # Add timing metadata to report
  report = (report, scan_duration)

  # Output results
  output_report(report, output_path)

  report
end
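As an added example (not code from ace-git-secrets), the following self-contained Ruby script models the pipeline that #audit orchestrates: parse gitleaks JSON findings, apply a whitelist while recording the suppression log and count that the whitelist_audit_log and whitelisted_count attributes expose, drop findings below min_confidence, and render a table. The whitelist entry keys (:file glob, :pattern regex, :reason), the confidence heuristic derived from rule id and entropy, the Report and Finding structs, and the sample findings are all assumptions made for this illustration; gitleaks itself is not invoked.

```ruby
# Added example, not code from ace-git-secrets: a self-contained model of the
# audit pipeline (scan -> whitelist filter with audit log -> confidence
# threshold -> report). Whitelist keys, the confidence heuristic and the
# sample findings are assumptions for illustration only.
require "json"

CONFIDENCE_LEVELS = %w[low medium high].freeze

# Constructed sample in the shape of a gitleaks JSON report (field names as
# gitleaks emits them; every value is made up, none is a real credential).
SAMPLE_GITLEAKS_JSON = <<~JSON
  [
    {"RuleID": "github-pat", "File": "config/settings.yml", "Commit": "a1b2c3d",
     "Secret": "ghp_EXAMPLE_PLACEHOLDER_TOKEN_0000000000", "Entropy": 4.8},
    {"RuleID": "generic-api-key", "File": "spec/fixtures/sample.env", "Commit": "e4f5a6b",
     "Secret": "FAKE_KEY_FOR_TESTS", "Entropy": 2.3},
    {"RuleID": "aws-access-token", "File": "scripts/deploy.sh", "Commit": "c7d8e9f",
     "Secret": "AKIAEXAMPLEPLACEHOLDER", "Entropy": 3.7},
    {"RuleID": "generic-api-key", "File": "README.md", "Commit": "f0e1d2c",
     "Secret": "PLACEHOLDER_FOR_DOCS", "Entropy": 2.0}
  ]
JSON

Finding = Struct.new(:rule_id, :file, :commit, :secret, :confidence, keyword_init: true)

# Assumed heuristic: provider-specific rules with high entropy are "high",
# anything with moderate entropy "medium", the rest "low".
def confidence_for(rule_id, entropy)
  return "high" if !rule_id.start_with?("generic") && entropy >= 3.5
  return "medium" if entropy >= 3.0

  "low"
end

def parse_gitleaks(json)
  JSON.parse(json).map do |f|
    Finding.new(rule_id: f["RuleID"], file: f["File"], commit: f["Commit"],
                secret: f["Secret"],
                confidence: confidence_for(f["RuleID"], f["Entropy"].to_f))
  end
end

# Whitelist filtering with an audit trail: each suppressed finding is logged
# together with the reason of the entry that matched it, so that suppressions
# can be reviewed later instead of silently disappearing.
def apply_whitelist(findings, whitelist)
  audit_log = []
  kept = findings.reject do |fnd|
    entry = whitelist.find do |w|
      (w[:file] && File.fnmatch?(w[:file], fnd.file, File::FNM_PATHNAME)) ||
        (w[:pattern] && w[:pattern].match?(fnd.secret))
    end
    if entry
      audit_log << { rule: fnd.rule_id, file: fnd.file, commit: fnd.commit,
                     reason: entry[:reason] }
    end
    entry
  end
  [kept, audit_log]
end

def filter_by_confidence(findings, min_confidence)
  min = CONFIDENCE_LEVELS.index(min_confidence)
  raise ArgumentError, "unknown confidence level: #{min_confidence}" unless min

  findings.select { |f| CONFIDENCE_LEVELS.index(f.confidence) >= min }
end

Report = Struct.new(:findings, :whitelisted_count, :whitelist_audit_log, :scan_duration,
                    keyword_init: true) do
  def clean?
    findings.empty?
  end

  def token_count
    findings.size
  end

  def to_table
    header = format("%-18s %-28s %-8s %s", "RULE", "FILE", "COMMIT", "CONF")
    rows = findings.map { |f| format("%-18s %-28s %-8s %s", f.rule_id, f.file, f.commit, f.confidence) }
    ([header] + rows).join("\n")
  end
end

# Mirrors the shape of #audit: scan, whitelist, threshold, timing metadata.
def run_audit(gitleaks_json, whitelist: [], min_confidence: "low")
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  findings = parse_gitleaks(gitleaks_json)
  findings, log = apply_whitelist(findings, whitelist)
  findings = filter_by_confidence(findings, min_confidence)
  Report.new(findings: findings, whitelisted_count: log.size, whitelist_audit_log: log,
             scan_duration: Process.clock_gettime(Process::CLOCK_MONOTONIC) - started)
end

if __FILE__ == $PROGRAM_NAME
  whitelist = [{ file: "spec/fixtures/*", reason: "test fixture" },
               { pattern: /\APLACEHOLDER_/, reason: "documentation placeholder" }]
  report = run_audit(SAMPLE_GITLEAKS_JSON, whitelist: whitelist, min_confidence: "medium")
  puts report.to_table
  puts "whitelisted: #{report.whitelisted_count}"
  report.whitelist_audit_log.each { |e| puts "  suppressed #{e[:rule]} in #{e[:file]} (#{e[:reason]})" }
end
```

With the whitelist above and min_confidence "medium", the two placeholder findings are suppressed and logged, and the two provider-specific findings remain. The audit log is the check a reviewer wants when a scan comes back clean: it shows what was excluded and why, rather than only what survived.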

#audit_files(min_confidence: "low", output_path: nil) ⇒ Models::ScanReport

Audit only current files (no history)

Parameters:

  • min_confidence (String) (defaults to: "low")

    Minimum confidence level

  • output_path (String, nil) (defaults to: nil)

    Path to save report

Returns:

  • (Models::ScanReport)


# File 'lib/ace/git/secrets/organisms/security_auditor.rb', line 69

def audit_files(min_confidence: "low", output_path: nil)
  report = scanner.scan_files(min_confidence: min_confidence)
  output_report(report, output_path)
  report
end

#format_report(report) ⇒ String

Get formatted output

Parameters:

Returns:

  • (String)


# File 'lib/ace/git/secrets/organisms/security_auditor.rb', line 78

def format_report(report)
  case output_format
  when "json"
    report.to_json(include_raw: true)
  when "yaml"
    report.to_yaml
  else
    report.to_table
  end
end

#next_steps(report) ⇒ String

Build actionable next steps as a string

Parameters:

Returns:

  • (String)


# File 'lib/ace/git/secrets/organisms/security_auditor.rb', line 92

def next_steps(report)
  return "No tokens detected. Repository is clean." if report.clean?

  steps = []
  steps << "SECURITY ALERT: #{report.token_count} token(s) detected in repository"
  steps << ""
  steps << "Recommended next steps:"
  steps << "1. Review detected tokens to confirm they are real (not false positives)"
  steps << "2. Revoke tokens immediately: ace-git-secrets revoke"
  steps << "3. Remove tokens from history: ace-git-secrets rewrite-history"
  steps << "4. Force push the cleaned history: git push --force-with-lease"
  steps << "5. Notify affected team members to re-clone"
  steps << ""

  if report.revocable_tokens.any?
    steps << "Tokens that can be revoked via API: #{report.revocable_tokens.size}"
  end

  manual = report.tokens.reject(&:revocable?)
  if manual.any?
    steps << "Tokens requiring manual revocation: #{manual.size}"
    steps << "  Visit provider dashboards to revoke these manually."
  end

  steps.join("\n")
end