feat: add secret detection with Secretlint (v0.8.0)

Add critical security feature to detect 350+ types of hardcoded secrets using industry-standard Secretlint library. Features: - Detect AWS keys, GitHub tokens, NPM tokens, SSH keys, API keys, etc. - All secrets marked as CRITICAL severity - Context-aware remediation suggestions per secret type - New SecretDetector using @secretlint/node - New SecretViolation value object (100% test coverage) - CLI output with "🔐 Secrets" section - Async pipeline support for secret detection Tests: - Added 47 new tests (566 total, 100% pass rate) - Coverage: 93.3% statements, 83.74% branches - SecretViolation: 23 tests, 100% coverage - SecretDetector: 24 tests Dependencies: - @secretlint/node: 11.2.5 - @secretlint/core: 11.2.5 - @secretlint/types: 11.2.5 - @secretlint/secretlint-rule-preset-recommend: 11.2.5
2025-12-28 07:16:53 +05:00 · 2025-11-25 18:24:22 +05:00
parent 8d400c9517
commit 0b1cc5a79a
18 changed files with 1186 additions and 11 deletions
--- a/packages/guardian/src/application/use-cases/AnalyzeProject.ts
+++ b/packages/guardian/src/application/use-cases/AnalyzeProject.ts
@@ -9,6 +9,7 @@ import { IEntityExposureDetector } from "../../domain/services/IEntityExposureDe
 import { IDependencyDirectionDetector } from "../../domain/services/IDependencyDirectionDetector"
 import { IRepositoryPatternDetector } from "../../domain/services/RepositoryPatternDetectorService"
 import { IAggregateBoundaryDetector } from "../../domain/services/IAggregateBoundaryDetector"
+import { ISecretDetector } from "../../domain/services/ISecretDetector"
 import { SourceFile } from "../../domain/entities/SourceFile"
 import { DependencyGraph } from "../../domain/entities/DependencyGraph"
 import { FileCollectionStep } from "./pipeline/FileCollectionStep"
@@ -42,6 +43,7 @@ export interface AnalyzeProjectResponse {
    dependencyDirectionViolations: DependencyDirectionViolation[]
    repositoryPatternViolations: RepositoryPatternViolation[]
    aggregateBoundaryViolations: AggregateBoundaryViolation[]
+    secretViolations: SecretViolation[]
    metrics: ProjectMetrics
 }

@@ -163,6 +165,17 @@ export interface AggregateBoundaryViolation {
    severity: SeverityLevel
 }

+export interface SecretViolation {
+    rule: typeof RULES.SECRET_EXPOSURE
+    secretType: string
+    file: string
+    line: number
+    column: number
+    message: string
+    suggestion: string
+    severity: SeverityLevel
+}
+
 export interface ProjectMetrics {
    totalFiles: number
    totalFunctions: number
@@ -193,6 +206,7 @@ export class AnalyzeProject extends UseCase<
        dependencyDirectionDetector: IDependencyDirectionDetector,
        repositoryPatternDetector: IRepositoryPatternDetector,
        aggregateBoundaryDetector: IAggregateBoundaryDetector,
+        secretDetector: ISecretDetector,
    ) {
        super()
        this.fileCollectionStep = new FileCollectionStep(fileScanner)
@@ -205,6 +219,7 @@ export class AnalyzeProject extends UseCase<
            dependencyDirectionDetector,
            repositoryPatternDetector,
            aggregateBoundaryDetector,
+            secretDetector,
        )
        this.resultAggregator = new ResultAggregator()
    }
@@ -224,7 +239,7 @@ export class AnalyzeProject extends UseCase<
                rootDir: request.rootDir,
            })

-            const detectionResult = this.detectionPipeline.execute({
+            const detectionResult = await this.detectionPipeline.execute({
                sourceFiles,
                dependencyGraph,
            })