guardy 0.2.4

Fast, secure git hooks in Rust with secret scanning and protected file synchronization
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226

//! Static pattern library for secret detection
//!
//! This provides a global, shared pattern library that is compiled once
//! and shared across all threads via Arc for zero-copy access.
//!
//! Adapted from scan-v3 implementation for optimal performance.

use std::{
    collections::HashMap,
    sync::{Arc, LazyLock, OnceLock},
};

use anyhow::Result;
use regex::Regex;

/// Helper struct to hold the lazily compiled regex
struct LazyRegex {
    regex: OnceLock<Result<Regex, regex::Error>>,
    regex_str: &'static str,
    pattern_name: &'static str,
}

impl LazyRegex {
    fn new(regex_str: &'static str, pattern_name: &'static str) -> Arc<Self> {
        Arc::new(Self {
            regex: OnceLock::new(),
            regex_str,
            pattern_name,
        })
    }

    fn get(&self) -> Result<&Regex, regex::Error> {
        let result = self.regex.get_or_init(|| {
            let start = std::time::Instant::now();
            let compile_result = Regex::new(self.regex_str);
            let elapsed = start.elapsed();
            if tracing::enabled!(tracing::Level::TRACE) {
                match &compile_result {
                    Ok(_) => tracing::trace!(
                        "Compiled regex for pattern '{}' in {:?}",
                        self.pattern_name,
                        elapsed
                    ),
                    Err(e) => tracing::trace!(
                        "Failed to compile regex for pattern '{}': {}",
                        self.pattern_name,
                        e
                    ),
                }
            }
            compile_result
        });
        match result {
            Ok(r) => Ok(r),
            Err(e) => Err(e.clone()),
        }
    }
}

/// A pattern with lazy regex compilation
#[derive(Clone)]
pub struct CompiledPattern {
    /// Pattern index (for Aho-Corasick mapping)
    pub index: usize,
    /// Human-readable name
    pub name: Arc<str>,
    /// Lazily compiled regex (shared across clones)
    regex: Arc<LazyRegex>,
    /// Description of what this detects
    pub description: Arc<str>,
    /// Keywords for Aho-Corasick prefiltering
    pub keywords: Vec<String>,
    /// Priority (1-10, higher = run first)
    pub priority: u8,
    /// Entropy threshold override (None = use default, Some(f32::MAX) = skip entropy)
    pub entropy_threshold: Option<f32>,
}

impl CompiledPattern {
    /// Get the compiled regex, compiling it on first access
    pub fn get_regex(&self) -> Result<&Regex> {
        self.regex
            .get()
            .map_err(|e| anyhow::anyhow!("Regex compilation failed for '{}': {}", self.name, e))
    }

    /// Create a test pattern for unit tests
    #[cfg(test)]
    pub fn test_pattern(
        name: &'static str,
        regex_str: &'static str,
        description: &'static str,
    ) -> Self {
        Self {
            index: 0,
            name: name.into(),
            regex: LazyRegex::new(regex_str, name),
            description: description.into(),
            keywords: vec![],
            priority: 5,
            entropy_threshold: None,
        }
    }
}

impl std::fmt::Debug for CompiledPattern {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("CompiledPattern")
            .field("index", &self.index)
            .field("name", &self.name)
            .field("description", &self.description)
            .field("keywords", &self.keywords)
            .field("priority", &self.priority)
            .field("entropy_threshold", &self.entropy_threshold)
            .finish()
    }
}

/// The pattern library containing all compiled patterns
pub struct PatternLibrary {
    /// All compiled patterns
    patterns: Vec<CompiledPattern>,
    /// Keywords for Aho-Corasick prefiltering
    keywords: Vec<String>,
    /// Map from pattern index to Arc reference (for zero-copy)
    pattern_map: HashMap<usize, Arc<CompiledPattern>>,
    // Count computed dynamically from patterns.len()
}

impl PatternLibrary {
    /// Create a new pattern library from base and custom patterns
    fn new() -> Result<Self> {
        let start = std::time::Instant::now();

        // Step 1: Compile base patterns directly from native Rust data
        let mut all_patterns = Vec::new();
        let mut keywords = Vec::new();
        let mut pattern_map = HashMap::new();

        use super::base_patterns::BASE_PATTERNS;

        // Process base patterns directly (no YAML conversion)
        for (index, base_pattern) in BASE_PATTERNS.iter().enumerate() {
            let compiled = Self::compile_base_pattern(index, base_pattern)?;
            keywords.extend(compiled.keywords.clone());
            let arc_pattern = Arc::new(compiled.clone());
            pattern_map.insert(index, arc_pattern);
            all_patterns.push(compiled);
        }

        // Step 2: Process custom patterns (if any) - for future config integration
        // TODO: Load custom patterns from config system when needed

        // Sort patterns by priority (higher first)
        all_patterns.sort_by(|a, b| b.priority.cmp(&a.priority));

        // Remove duplicate keywords
        keywords.sort();
        keywords.dedup();

        tracing::debug!(
            "Pattern library initialized with {} patterns in {:?}",
            all_patterns.len(),
            start.elapsed()
        );

        Ok(Self {
            patterns: all_patterns,
            keywords,
            pattern_map,
        })
    }

    /// Create a CompiledPattern with lazy regex compilation
    fn compile_base_pattern(
        index: usize,
        base: &super::base_patterns::BasePattern,
    ) -> Result<CompiledPattern> {
        // Special handling for patterns that need custom entropy thresholds
        let entropy_threshold = match base.name {
            "UUID Identifier" => Some(1e-30), // Filter out placeholder UUIDs like
            // 00000000-0000-0000-0000-000000000000
            _ => None, // Use default for all others
        };

        Ok(CompiledPattern {
            index,
            name: Arc::from(base.name),
            regex: LazyRegex::new(base.regex, base.name),
            description: Arc::from(base.description),
            keywords: base.keywords.iter().map(|&s| s.to_string()).collect(),
            priority: base.priority,
            entropy_threshold,
        })
    }

    /// Get all patterns
    pub fn patterns(&self) -> &[CompiledPattern] {
        &self.patterns
    }

    /// Get all keywords for Aho-Corasick
    pub fn keywords(&self) -> &[String] {
        &self.keywords
    }

    /// Get a pattern by index (zero-copy via Arc)
    pub fn get_pattern(&self, index: usize) -> Option<Arc<CompiledPattern>> {
        self.pattern_map.get(&index).cloned()
    }

    /// Get total pattern count
    pub fn count(&self) -> usize {
        self.patterns.len()
    }
}

/// Global shared pattern library - compiled once, shared everywhere
pub static PATTERN_LIBRARY: LazyLock<Arc<PatternLibrary>> = LazyLock::new(|| {
    Arc::new(PatternLibrary::new().expect("Failed to initialize pattern library - this is fatal"))
});

/// Get the global pattern library
pub fn get_pattern_library() -> Arc<PatternLibrary> {
    PATTERN_LIBRARY.clone()
}