Class: Rails::Guarddog::Checkers::SecretsChecker
- Inherits:
-
BaseChecker
- Object
- BaseChecker
- Rails::Guarddog::Checkers::SecretsChecker
- Defined in:
- lib/rails/guarddog/checkers/secrets_checker.rb
Constant Summary collapse
- SKIP_PATH_FRAGMENTS =
Paths whose files should never be checked for secrets. Locale/i18n YAML files contain human-readable strings, not credentials.
%w[config/locales].freeze
- PATTERNS =
Each pattern uses:
\b / \w* — boundary/prefix so compound names like AUTH_TOKEN, access_token, devise_token are all caught. [^\s'"]{N,} — secret value must be space-free and at least N chars; this eliminates human-readable sentences (false positives) e.g. no_token: "You can't access this page..." won't match. [ /\bapi[_-]?key\s*[=:]\s*['"][^\s'"]{6,}['"]/i, /\bsecret[_-]?key\s*[=:]\s*['"][^\s'"]{6,}['"]/i, /\bpassword\s*[=:]\s*['"][^\s'"]{4,}['"]/i, # Matches: token, AUTH_TOKEN, access_token, devise_token, reset_token, etc. /\b\w*token\w*\s*[=:]\s*['"][^\s'"]{6,}['"]/i ].freeze
Instance Attribute Summary
Attributes inherited from BaseChecker
Instance Method Summary collapse
Methods inherited from BaseChecker
Constructor Details
This class inherits a constructor from Rails::Guarddog::Checkers::BaseChecker
Instance Method Details
#run ⇒ Object
23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 |
# File 'lib/rails/guarddog/checkers/secrets_checker.rb', line 23 def run %w[*.rb *.yml .env .env.local].each do |file_pattern| glob_files("**/{#{file_pattern}}").each do |file| next if skip_file?(file) content = File.read(file) rescue next content.each_line.with_index do |line, idx| PATTERNS.each do |pat| if line.match?(pat) && !line.strip.start_with?('#') add_finding( severity: :critical, message: "Hardcoded secret detected", file: file, line: idx + 1, remediation: "Use ENV variables or Rails credentials" ) end end end end end findings end |