
Built-in secrets detection scanner #20

@haasonsaas

Description

Problem

CodeRabbit integrates 40+ linters and scanners. GitHub Copilot blends CodeQL results. DiffScope has a Semgrep plugin but no built-in secrets detection. Hardcoded API keys, passwords, and tokens in diffs should be caught without requiring external tool setup.

Proposed Solution

  1. Built-in regex-based secrets scanner that runs on every diff:

    • AWS access keys (AKIA...)
    • GitHub tokens (ghp_, gho_, ghs_)
    • Generic API keys (high-entropy strings in assignments)
    • Private keys (PEM headers)
    • Connection strings with passwords
    • JWT tokens
    • Slack webhooks/tokens
  2. Run as a pre-analysis step (like existing plugins) — findings injected into the review context

  3. Configurable allowlist for false positives (test fixtures, examples)

  4. Severity: always critical — secrets in diffs should block merge in CI mode

Implementation

  • Pattern library inspired by truffleHog/gitleaks patterns
  • Entropy-based detection for generic secrets
  • .diffscope-secrets-allowlist for false positive suppression

Priority

Tier 3 — Security hygiene. Low effort, high value.
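The scanner sketched in the issue above, written out as a stand-alone, added example. This is not DiffScope's code and not a copy of any gitleaks or truffleHog rule file: the patterns are written from scratch to match the public shapes of the token types listed in the issue, the generic rule is gated by Shannon entropy, and the `.diffscope-secrets-allowlist` format (`path:<glob>` lines plus bare regexes matched against the secret itself) is an assumption. The diff and the allowlist at the bottom are constructed sample input using documented placeholder values.

```python
"""Regex + entropy secrets scanner over unified diffs.

Added example, not DiffScope's code. Allowlist file format is an assumption.
"""
import math
import re
from dataclasses import dataclass
from fnmatch import fnmatch

# Named patterns for well-known token formats (shapes follow public docs).
PATTERNS = {
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pos]_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----"),
    "connection-string": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@[^\s/]+"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
    "slack-token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "slack-webhook": re.compile(r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
}
# Generic rule: a secret-ish variable name assigned a long opaque value.
# Entropy-gated so repetitive placeholders such as "aaaa..." do not fire.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(?:api[_-]?key|secret|token|passw(?:or)?d)\w*\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})")
ENTROPY_THRESHOLD = 3.5  # bits per character
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int          # line number in the new version of the file
    rule: str
    secret: str
    severity: str = "critical"  # per the issue: secrets always block merge


def shannon_entropy(s: str) -> float:
    """Bits per character; 32 distinct characters give exactly 5.0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def added_lines(diff_text: str):
    """Yield (path, new_line_no, text) for every '+' line of a unified diff."""
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # must precede the plain '+' check
            p = raw[4:].strip()
            path = p[2:] if p.startswith("b/") else p
        elif raw.startswith("--- ") or raw.startswith("\\"):
            continue                          # old-file header / "No newline" marker
        elif m := HUNK.match(raw):
            lineno = int(m.group(1))          # first new-file line of this hunk
        elif raw.startswith("+"):
            yield path, lineno, raw[1:]
            lineno += 1
        elif raw.startswith("-"):
            continue                          # removed line: new numbering unchanged
        else:
            lineno += 1                       # context line


def load_allowlist(text: str):
    """'#' comments; 'path:<glob>' suppresses files; other lines are secret regexes."""
    paths, secrets = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        (paths.append(line[5:].strip()) if line.startswith("path:") else secrets.append(re.compile(line)))
    return paths, secrets


def scan_diff(diff_text: str, allowlist_text: str = "") -> list[Finding]:
    paths, secrets = load_allowlist(allowlist_text)
    findings = []
    for path, lineno, text in added_lines(diff_text):
        hits = [(name, m.group(0)) for name, rx in PATTERNS.items() for m in rx.finditer(text)]
        if not hits:  # generic rule only when no named pattern explains the line
            hits = [("generic-high-entropy", m.group(1)) for m in GENERIC_ASSIGNMENT.finditer(text)
                    if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD]
        for rule, secret in hits:
            if any(fnmatch(path, g) for g in paths) or any(r.search(secret) for r in secrets):
                continue  # allowlisted test fixture / example value
            findings.append(Finding(path, lineno, rule, secret))
    return findings


# Constructed sample input. AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,8 @@
 import os
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GH = "ghp_0123456789abcdefghijABCDEFGHIJklmnop"
+DB_URL = "postgres://app:Sup3rS3cret@db.internal:5432/app"
+API_KEY = "q7Zp3xL9vB2nK8mR4tY6wC1sD5fG0hJe"
+password = "aaaaaaaaaaaaaaaaaaaaaaaa"
+SLACK_HOOK = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
 DEBUG = False
diff --git a/tests/fixtures/keys.txt b/tests/fixtures/keys.txt
--- /dev/null
+++ b/tests/fixtures/keys.txt
@@ -0,0 +1,2 @@
+AKIAIOSFODNN7EXAMPLE
+-----BEGIN RSA PRIVATE KEY-----
"""
SAMPLE_ALLOWLIST = "# fixtures and the documented dummy webhook\npath:tests/fixtures/*\nT00000000/B00000000\n"

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF, SAMPLE_ALLOWLIST):
        print(f"{f.severity.upper()} {f.path}:{f.line} {f.rule} {f.secret[:6]}...")
```

Run as-is it reports four critical findings in `app/config.py` (lines 2 to 5) and nothing from the fixture file or the dummy webhook, while the low-entropy `password = "aaaa..."` placeholder is skipped; dropping the allowlist argument yields seven. In a CI mode the exit status would be derived from a non-empty result, and the report should truncate the secret as shown rather than echo it back into the PR comment.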

Metadata

Labels: enhancement (New feature or request)