[ORCH-120] Secret scanning #255

Closed
opened 2026-02-02 22:31:52 +00:00 by jason.woltje · 0 comments
Owner

Prevent secrets from being committed to git repositories.

Implementation Summary

Implemented pattern-based secret scanning service for the orchestrator.

Files Created

  • apps/orchestrator/src/git/types/secret-scanner.types.ts - Types and interfaces
  • apps/orchestrator/src/git/secret-scanner.service.ts - Service implementation
  • apps/orchestrator/src/git/secret-scanner.service.spec.ts - Test suite (35 tests)

Secret Patterns Detected

  • AWS Access Keys: AKIA[0-9A-Z]{16}
  • Claude API Keys: sk-ant-[a-zA-Z0-9\-_]{40,}
  • Generic API Keys
  • Passwords
  • Private Keys (RSA, EC, OpenSSH, etc.)
  • JWT Tokens
  • Bearer Tokens
  • Generic Secrets

Features

  • Pattern-based detection (no external dependencies)
  • File and content scanning
  • Whitelist support for placeholders
  • Example file detection
  • Configurable exclude patterns
  • File size limits
  • Custom pattern support
  • Detailed error messages with line/column numbers
  • Scan summary statistics

Test Coverage

  • 35 tests, all passing
  • 98.5% statement coverage
  • 86.84% branch coverage
  • 100% function coverage

Integration

Added to GitModule for use in pre-commit hooks.

Acceptance Criteria

  • git-secrets integrated (pattern-based approach)
  • Pre-commit hook scans for secrets (via service)
  • Block commit if secrets detected
  • Scan for API keys, tokens, passwords
  • Custom patterns for Claude API keys
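A minimal TypeScript sketch of the scanning logic described above, added here as an example and not the orchestrator's own secret-scanner.service.ts: it applies the AWS and Claude patterns listed in this issue, skips whitelisted placeholders and example files, and reports line/column numbers with a redacted preview so the report itself does not leak the secret. The function names, the whitelist tokens and the sample config are assumptions.

```typescript
// Added example (hypothetical names); not the orchestrator's own implementation.
interface SecretPattern { name: string; regex: RegExp }
interface SecretFinding { pattern: string; line: number; column: number; preview: string }

// Two of the patterns from the issue plus a private-key header check.
const DEFAULT_PATTERNS: SecretPattern[] = [
  { name: "AWS Access Key", regex: /AKIA[0-9A-Z]{16}/ },
  { name: "Claude API Key", regex: /sk-ant-[a-zA-Z0-9\-_]{40,}/ },
  { name: "Private Key", regex: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];

// Matches containing these tokens are treated as documentation placeholders (assumed list).
const DEFAULT_WHITELIST: RegExp[] = [/EXAMPLE/i, /PLACEHOLDER/i, /REDACTED/i];

// Files whose name marks them as templates are skipped entirely.
function isExampleFile(path: string): boolean {
  return /\.(example|sample|template)$/i.test(path) || /(^|\/)examples?\//i.test(path);
}

// Keep only the edges of a match so findings can be logged safely.
function redact(s: string): string {
  return s.length <= 8 ? Array(s.length + 1).join("*") : `${s.slice(0, 4)}...${s.slice(-4)}`;
}

function scanContent(content: string, patterns: SecretPattern[] = DEFAULT_PATTERNS,
                     whitelist: RegExp[] = DEFAULT_WHITELIST): SecretFinding[] {
  const findings: SecretFinding[] = [];
  content.split(/\r?\n/).forEach((text, idx) => {
    for (const p of patterns) {
      // Fresh global RegExp per line so lastIndex state never leaks between lines.
      const re = new RegExp(p.regex.source, (p.regex.ignoreCase ? "i" : "") + "g");
      let m: RegExpExecArray | null;
      while ((m = re.exec(text)) !== null) {
        const hit = m[0];
        if (whitelist.some((w) => w.test(hit))) continue; // placeholder, not a real secret
        findings.push({ pattern: p.name, line: idx + 1, column: m.index + 1, preview: redact(hit) });
      }
    }
  });
  return findings;
}

// Pre-commit decision: block unless the file is a template or contains no findings.
function shouldBlockCommit(path: string, content: string): boolean {
  return !isExampleFile(path) && scanContent(content).length > 0;
}

// Constructed sample; both keys are fake (the first is AWS's documented example key).
const SAMPLE_CONFIG = [
  "# constructed .env for the example",
  "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
  "aws_access_key_id = AKIAABCDEFGHIJKLMNOP",
  "ANTHROPIC_API_KEY=sk-ant-" + Array(49).join("x"),
].join("\n");
```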
jason.woltje added this to the M6-AgentOrchestration (0.0.6) milestone 2026-02-02 22:31:52 +00:00
jason.woltje added the security, orchestrator labels 2026-02-02 22:31:52 +00:00

Reference: mosaic/stack#255