keyhog-scanner 0.5.40

keyhog-scanner: high-performance SIMD-accelerated secret detection engine
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281

use super::inference::surrounding_line_window;
use crate::ascii_ci::ci_find;

/// Returns `true` if the match is in a context that indicates a false positive.
pub fn is_false_positive_match_context(
    text: &str,
    match_start: usize,
    file_path: Option<&str>,
) -> bool {
    is_false_positive_match_context_with_path(text, match_start, file_path, None)
}

/// Same as `is_false_positive_match_context` but accepts a pre-lowered path
/// to avoid re-allocating the lowercase path string on every match.
pub fn is_false_positive_match_context_with_path(
    text: &str,
    match_start: usize,
    _file_path: Option<&str>,
    path_lower: Option<&str>,
) -> bool {
    // Raw bytes against pre-lowered needles via `ci_find`. The earlier shape
    // copied the window into a stack buffer, made it ascii-lowercase, then
    // `.to_string()`-allocated for the heap form before running 8 substring
    // searches on it. Every match was paying that 1-2 µs of memcpy + heap
    // copy even when the very first `ci_find` would have returned false
    // immediately. The `ci_find` path skims via memchr2 SIMD and only walks
    // bytes when a candidate first-byte is actually present.
    let window = surrounding_line_window(text, match_start, 1);
    let bytes = window.as_bytes();

    is_go_sum_checksum_bytes(bytes, path_lower)
        || is_integrity_hash_bytes(bytes)
        || is_configmap_binary_data_bytes(bytes)
        || is_git_lfs_pointer_context_bytes(bytes)
        || is_renovate_digest_context_bytes(bytes)
        || is_cors_header_bytes(bytes)
        || is_http_cache_header_bytes(bytes)
        || has_disclaimer_comment_bytes(bytes)
}

/// Detect trailing/leading comment disclaimers like `// not a real key`,
/// `# fake credential`, `-- for demo only`. The credential value itself
/// may look 100% legitimate (correct prefix, high entropy) - the human
/// has just declared it isn't real. Suppress the finding.
///
/// Anchored to a comment marker first so we don't accidentally suppress
/// real findings on lines that happen to mention "fake" in prose.
/// Disclaimer-phrase list loaded once from the embedded Tier-B TOML
/// at `crates/scanner/data/disclaimer-phrases.toml`. Lifting this
/// list out of source code lets the community PR new phrases
/// without touching Rust - the moat under CLAUDE.md's Tier-B rule.
static DISCLAIMER_PHRASES: std::sync::LazyLock<Vec<String>> = std::sync::LazyLock::new(|| {
    #[derive(serde::Deserialize)]
    struct DisclaimerFile {
        phrases: Vec<String>,
    }
    let raw = include_str!("../../data/disclaimer-phrases.toml");
    // Soft-fail to an empty phrase list rather than panicking the
    // scanner worker. A corrupted-binary / broken-build state should
    // degrade detection precision, not crash. The `tracing::warn!`
    // surfaces the regression in logs so CI catches it.
    match toml::from_str::<DisclaimerFile>(raw) {
        Ok(parsed) => parsed
            .phrases
            .into_iter()
            .map(|p| p.to_ascii_lowercase())
            .collect(),
        Err(e) => {
            tracing::warn!(
                error = %e,
                "disclaimer-phrases.toml failed to parse; falling back to empty phrase list \
                 (test-file disclaimers will not be suppressed this run)",
            );
            Vec::new()
        }
    }
});

/// Case-insensitive variant that avoids lowering the haystack. The needles
/// (comment markers + disclaimer phrases) are all ASCII lowercase already,
/// so we match the haystack against them case-insensitively via `ci_find`.
fn has_disclaimer_comment_bytes(bytes: &[u8]) -> bool {
    const COMMENT_MARKERS: &[&[u8]] = &[b"//", b"#", b"--", b"/*", b"<!--", b"rem "];
    let phrases: &[String] = &DISCLAIMER_PHRASES;
    for marker in COMMENT_MARKERS {
        let m_len = marker.len();
        let first_lower = marker[0];
        let first_upper = first_lower.to_ascii_uppercase();
        for start in memchr::memchr2_iter(first_lower, first_upper, bytes) {
            if start + m_len > bytes.len() {
                break;
            }
            if !bytes[start..start + m_len].eq_ignore_ascii_case(marker) {
                continue;
            }
            let comment_tail = &bytes[start + m_len..];
            for phrase in phrases {
                if ci_find(comment_tail, phrase.as_bytes()) {
                    return true;
                }
            }
        }
    }
    false
}

/// Check whether a line-level match sits in known false-positive context.
///
/// The path parameter is consumed case-insensitively via
/// `ends_with_ignore_ascii_case`, so callers no longer need to pre-lower
/// it. The `_with_path` form kept as a stable alias for downstream
/// consumers that already passed a lowered path through.
pub fn is_false_positive_context(lines: &[&str], line_idx: usize, file_path: Option<&str>) -> bool {
    is_false_positive_context_with_path(lines, line_idx, file_path)
}

/// Same as [`is_false_positive_context`]. Retained for source compatibility
/// with callers that historically pre-lowered the path; the body no longer
/// requires a lowered string thanks to byte-wise case-insensitive checks.
pub fn is_false_positive_context_with_path(
    lines: &[&str],
    line_idx: usize,
    path_lower: Option<&str>,
) -> bool {
    if line_idx >= lines.len() {
        return false;
    }

    // Operate on raw bytes against pre-lowered needles via `ci_find`. The
    // previous shape allocated a `String` per current line + per surrounding
    // line (radius up to 8) on every match; on a 100 KiB dense-hit chunk that
    // was ~24k transient `String`s landing in the per-match hot path.
    let line_bytes = lines[line_idx].as_bytes();

    is_go_sum_checksum_bytes(line_bytes, path_lower)
        || is_integrity_hash_context(lines, line_idx, line_bytes)
        || is_configmap_binary_data_context(lines, line_idx, line_bytes)
        || is_git_lfs_pointer_context_with_lines(lines, line_idx, line_bytes)
        || is_renovate_digest_context_with_lines(lines, line_idx, line_bytes)
        || is_cors_header_bytes(line_bytes)
        || is_http_cache_header_context(lines, line_idx, line_bytes)
}

fn is_go_sum_checksum_bytes(bytes: &[u8], path: Option<&str>) -> bool {
    ci_find(bytes, b"h1:")
        || path
            .is_some_and(|p| crate::ascii_ci::ends_with_ignore_ascii_case(p.as_bytes(), b"go.sum"))
}

fn is_integrity_hash_context(lines: &[&str], line_idx: usize, line_bytes: &[u8]) -> bool {
    is_integrity_hash_bytes(line_bytes)
        || surrounding_lines_contain(lines, line_idx, 2, |candidate| {
            is_integrity_hash_bytes(candidate.as_bytes())
        })
}

fn is_integrity_hash_bytes(bytes: &[u8]) -> bool {
    ci_find(bytes, b"integrity") && (ci_find(bytes, b"sha256-") || ci_find(bytes, b"sha512-"))
}

fn is_configmap_binary_data_context(lines: &[&str], line_idx: usize, line_bytes: &[u8]) -> bool {
    is_configmap_binary_data_bytes(line_bytes)
        || nearby_lines_contain(lines, line_idx, 8, |candidate| {
            is_configmap_binary_data_bytes(candidate.trim().as_bytes())
        })
}

fn is_configmap_binary_data_bytes(bytes: &[u8]) -> bool {
    ci_find(bytes, b"binarydata:")
}

fn is_git_lfs_pointer_context_with_lines(
    lines: &[&str],
    line_idx: usize,
    line_bytes: &[u8],
) -> bool {
    is_git_lfs_pointer_context_bytes(line_bytes)
        || nearby_lines_contain(lines, line_idx, 3, |candidate| {
            is_git_lfs_pointer_context_bytes(candidate.as_bytes())
        })
}

fn is_git_lfs_pointer_context_bytes(bytes: &[u8]) -> bool {
    ci_find(bytes, b"oid sha256:") || ci_find(bytes, b"git-lfs")
}

fn is_renovate_digest_context_with_lines(
    lines: &[&str],
    line_idx: usize,
    line_bytes: &[u8],
) -> bool {
    is_renovate_digest_context_bytes(line_bytes)
        || surrounding_lines_contain(lines, line_idx, 2, |candidate| {
            is_renovate_digest_context_bytes(candidate.as_bytes())
        })
}

fn is_renovate_digest_context_bytes(bytes: &[u8]) -> bool {
    ci_find(bytes, b"renovate/") && contains_hex_sequence_bytes(bytes)
}

fn is_cors_header_bytes(bytes: &[u8]) -> bool {
    ci_find(bytes, b"access-control-")
}

fn is_http_cache_header_context(lines: &[&str], line_idx: usize, line_bytes: &[u8]) -> bool {
    is_http_cache_header_bytes(line_bytes)
        || surrounding_lines_contain(lines, line_idx, 1, |candidate| {
            is_http_cache_header_bytes(candidate.as_bytes())
        })
}

fn is_http_cache_header_bytes(bytes: &[u8]) -> bool {
    let trimmed_start = bytes
        .iter()
        .position(|b| !b.is_ascii_whitespace())
        .unwrap_or(bytes.len());
    let trimmed = &bytes[trimmed_start..];
    trimmed
        .get(..4)
        .is_some_and(|p| p.eq_ignore_ascii_case(b"etag"))
        || has_token_bytes(bytes, b"etag")
}

fn has_token_bytes(text: &[u8], token: &[u8]) -> bool {
    let n = token.len();
    if n == 0 {
        return true;
    }
    let mut start = 0usize;
    for (i, &b) in text.iter().enumerate() {
        if !b.is_ascii_alphanumeric() {
            if i - start == n && text[start..i].eq_ignore_ascii_case(token) {
                return true;
            }
            start = i + 1;
        }
    }
    text.len() - start == n && text[start..].eq_ignore_ascii_case(token)
}

fn contains_hex_sequence_bytes(bytes: &[u8]) -> bool {
    let mut run = 0usize;
    for &b in bytes {
        if b.is_ascii_hexdigit() {
            run += 1;
            if run >= 8 {
                return true;
            }
        } else {
            run = 0;
        }
    }
    false
}

fn nearby_lines_contain(
    lines: &[&str],
    line_idx: usize,
    lookback_lines: usize,
    predicate: impl Fn(&str) -> bool,
) -> bool {
    let start = line_idx.saturating_sub(lookback_lines);
    lines
        .iter()
        .take(line_idx + 1)
        .skip(start)
        .copied()
        .any(predicate)
}

fn surrounding_lines_contain(
    lines: &[&str],
    line_idx: usize,
    radius: usize,
    predicate: impl Fn(&str) -> bool,
) -> bool {
    let start = line_idx.saturating_sub(radius);
    let end = (line_idx + radius + 1).min(lines.len());
    lines[start..end].iter().copied().any(predicate)
}