# ln-761-secret-scanner

L3 Worker - Scans codebase for hardcoded secrets and credentials
## Main Workflow

```mermaid
stateDiagram-v2
    [*] --> Phase1: Start Scan
    state Phase1 {
        [*] --> CheckTools
        CheckTools --> LoadConfig
        LoadConfig --> [*]
        CheckTools: Check gitleaks/trufflehog
        LoadConfig: Load .gitleaks.toml + baseline
    }
    Phase1 --> Phase2: Tools Ready
    state Phase2 {
        [*] --> RunScanner
        RunScanner --> ParseOutput
        ParseOutput --> [*]
        RunScanner: Execute available scanner
        ParseOutput: Normalize to common format
    }
    Phase2 --> Phase3: Scan Complete
    state Phase3 {
        [*] --> Classify
        Classify --> Filter
        Filter --> Build
        Build --> [*]
        Classify: Severity classification
        Filter: False positive filtering
        Build: Build report (no secrets!)
    }
    Phase3 --> Phase4: Report Ready
    state Phase4 {
        [*] --> Remediate
        Remediate --> Return
        Return --> [*]
        Remediate: Attach remediation guidance
        Return: Return to orchestrator
    }
    Phase4 --> [*]: Findings Returned
```
## Tool Detection Flow

```mermaid
flowchart TD
    Start([Start Tool Detection]) --> Gitleaks{gitleaks installed?}
    Gitleaks -->|Yes| UseGitleaks[Use gitleaks]
    Gitleaks -->|No| Trufflehog{trufflehog installed?}
    Trufflehog -->|Yes| UseTrufflehog[Use trufflehog]
    Trufflehog -->|No| Manual[Manual grep patterns]
    UseGitleaks --> Config{.gitleaks.toml exists?}
    UseTrufflehog --> Config
    Manual --> DefaultPatterns[Use default patterns]
    Config -->|Yes| LoadCustom[Load custom config]
    Config -->|No| DefaultPatterns
    LoadCustom --> Baseline{Baseline exists?}
    DefaultPatterns --> Baseline
    Baseline -->|Yes| LoadBaseline[Load false positive baseline]
    Baseline -->|No| Ready([Ready to Scan])
    LoadBaseline --> Ready
    classDef tool fill:#87CEEB
    classDef config fill:#DDA0DD
    classDef fallback fill:#FFE4B5
    class UseGitleaks,UseTrufflehog tool
    class LoadCustom,LoadBaseline config
    class Manual,DefaultPatterns fallback
```
## Severity Classification

```mermaid
flowchart LR
    subgraph Critical["Critical (Immediate Rotation)"]
        AWS[AWS Keys]
        Private[Private Keys]
        JWT[JWT Secrets]
    end
    subgraph High["High (Rotate Soon)"]
        Password[Passwords]
        ConnStr[Connection Strings]
    end
    subgraph Medium["Medium (Review)"]
        APIKey[Generic API Keys]
        Token[Generic Tokens]
    end
    subgraph Low["Low (Log Only)"]
        Base64[High Entropy Strings]
        Potential[Potential Secrets]
    end
    Critical --> Rotate[Mandatory Rotation]
    High --> Rotate
    Medium --> Review[Manual Review]
    Low --> Log[Baseline Candidate]
    classDef critical fill:#FF6B6B
    classDef high fill:#FFB347
    classDef medium fill:#FFEB3B
    classDef low fill:#90EE90
    class AWS,Private,JWT critical
    class Password,ConnStr high
    class APIKey,Token medium
    class Base64,Potential low
```
## False Positive Filtering

```mermaid
flowchart TD
    Finding([Each Finding]) --> Baseline{In baseline?}
    Baseline -->|Yes| Exclude1[Exclude: Known FP]
    Baseline -->|No| Allowlist{Matches allowlist?}
    Allowlist -->|Yes| Exclude2[Exclude: Allowlisted]
    Allowlist -->|No| Path{In excluded path?}
    Path -->|Yes| Exclude3[Exclude: Path excluded]
    Path -->|No| Include[Include in Report]
    Exclude1 --> Reason[Log exclusion reason]
    Exclude2 --> Reason
    Exclude3 --> Reason
    Include --> Classify[Classify severity]
    Classify --> Remediate[Add remediation]
    Remediate --> Output([Add to findings])
    Reason --> Output
    classDef exclude fill:#90EE90
    classDef include fill:#FF6B6B
    class Exclude1,Exclude2,Exclude3 exclude
    class Include include
```
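The Phase 2 and Phase 3 steps of the worker (normalize scanner output, filter in the order of the diagram above, classify by tier, redact, attach remediation) worked through in Python as an added example; this is not the worker's own code. It assumes gitleaks v8 JSON field names (RuleID, File, StartLine, Secret, Fingerprint) and treats the baseline as a set of gitleaks fingerprints; the sample findings are constructed placeholders.

```python
import json
import re
# Severity tiers from the classification diagram above, keyed on gitleaks-style rule ids.
TIERS = [
    ("critical", re.compile(r"aws|private-key|jwt", re.I)),
    ("high", re.compile(r"password|connection", re.I)),
    ("medium", re.compile(r"api-key|token", re.I)),
]
ACTION = {"critical": "Mandatory Rotation", "high": "Mandatory Rotation",
          "medium": "Manual Review", "low": "Baseline Candidate"}
def classify(rule_id):
    """First matching tier wins, so 'aws-access-token' is critical, not medium."""
    return next((tier for tier, pat in TIERS if pat.search(rule_id)), "low")

def redact(secret):
    """Keep a 4-char prefix for triage; the report must never carry the full value."""
    return secret[:4] + "*" * (len(secret) - 4) if len(secret) > 8 else "********"

def filter_reason(f, baseline, allowlist, excluded_paths):
    """Exclusion reason in the order of the filtering diagram, or None to include."""
    if f["Fingerprint"] in baseline:
        return "Known FP"
    if any(re.search(p, f["Secret"]) for p in allowlist):
        return "Allowlisted"
    if any(f["File"].startswith(p) for p in excluded_paths):
        return "Path excluded"
    return None

def build_report(gitleaks_json, baseline, allowlist, excluded_paths):
    """Normalize gitleaks JSON findings, filter, classify and attach remediation."""
    findings, excluded = [], []
    for f in json.loads(gitleaks_json):
        reason = filter_reason(f, baseline, allowlist, excluded_paths)
        if reason:
            excluded.append({"fingerprint": f["Fingerprint"], "reason": reason})
            continue
        sev = classify(f["RuleID"])
        findings.append({"fingerprint": f["Fingerprint"], "file": f["File"],
                         "line": f["StartLine"], "rule": f["RuleID"], "severity": sev,
                         "preview": redact(f["Secret"]), "remediation": ACTION[sev]})
    return {"findings": findings, "excluded": excluded}
# Constructed sample in the shape of gitleaks v8 JSON output; values are placeholders.
SAMPLE = json.dumps([
    {"RuleID": "aws-access-token", "File": "src/config.py", "StartLine": 12,
     "Secret": "AKIAIOSFODNN7EXAMPLE", "Fingerprint": "src/config.py:aws-access-token:12"},
    {"RuleID": "generic-api-key", "File": "tests/fixtures/keys.py", "StartLine": 3,
     "Secret": "test-key-0000000000", "Fingerprint": "tests/fixtures/keys.py:generic-api-key:3"},
    {"RuleID": "jwt", "File": "docs/auth.md", "StartLine": 40,
     "Secret": "eyJhbGciOiJIUzI1NiJ9.payload.sig", "Fingerprint": "docs/auth.md:jwt:40"},
])
```

Calling `build_report(SAMPLE, {"docs/auth.md:jwt:40"}, [r"^test-key-"], ["tests/"])` yields one critical finding with a redacted preview and two logged exclusions, so the report can be handed back to the orchestrator without ever containing a secret value.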