leaktor 0.3.0

A secrets scanner with pattern matching, entropy analysis, and live validation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122

pub mod anthropic;
pub mod aws;
pub mod datadog;
pub mod github;
pub mod gitlab;
pub mod http;
pub mod huggingface;
pub mod openai;
pub mod sendgrid;
pub mod slack;
pub mod stripe;

pub use anthropic::AnthropicValidator;
pub use aws::AwsValidator;
pub use datadog::DatadogValidator;
pub use github::GitHubValidator;
pub use gitlab::GitLabValidator;
pub use http::HttpValidator;
pub use huggingface::HuggingFaceValidator;
pub use openai::OpenAiValidator;
pub use sendgrid::SendGridValidator;
pub use slack::SlackValidator;
pub use stripe::StripeValidator;

use crate::models::{Secret, SecretType};
use anyhow::Result;

/// Trait for validating secrets
#[async_trait::async_trait]
pub trait Validator {
    async fn validate(&self, secret: &Secret) -> Result<bool>;
    fn supports(&self, secret_type: &SecretType) -> bool;
}

/// Create the full list of all available validators
fn all_validators() -> Vec<Box<dyn Validator + Send + Sync>> {
    vec![
        Box::new(AwsValidator::new()),
        Box::new(GitHubValidator::new()),
        Box::new(GitLabValidator::new()),
        Box::new(SlackValidator::new()),
        Box::new(StripeValidator::new()),
        Box::new(OpenAiValidator::new()),
        Box::new(AnthropicValidator::new()),
        Box::new(SendGridValidator::new()),
        Box::new(DatadogValidator::new()),
        Box::new(HuggingFaceValidator::new()),
    ]
}

/// Validate a secret using the appropriate validator
pub async fn validate_secret(secret: &mut Secret) -> Result<()> {
    let validators = all_validators();

    for validator in validators {
        if validator.supports(&secret.secret_type) {
            match validator.validate(secret).await {
                Ok(is_valid) => {
                    secret.validated = Some(is_valid);
                    return Ok(());
                }
                Err(_) => {
                    // Validation failed (network error, etc.), mark as unknown
                    secret.validated = None;
                }
            }
        }
    }

    Ok(())
}

/// Validate multiple secrets in parallel using tokio tasks
pub async fn validate_secrets_parallel(secrets: &mut [Secret]) -> Result<()> {
    use tokio::task::JoinSet;

    let validators = all_validators();

    // Build a list of (index, secret_clone) pairs that have a matching validator
    let mut tasks: JoinSet<(usize, Option<bool>)> = JoinSet::new();

    for (idx, secret) in secrets.iter().enumerate() {
        // Find which validator supports this secret type
        let mut found_validator = false;
        for v in &validators {
            if v.supports(&secret.secret_type) {
                found_validator = true;
                break;
            }
        }

        if !found_validator {
            continue;
        }

        let secret_clone = secret.clone();
        tasks.spawn(async move {
            // Re-create validators inside the task (they're cheap)
            let validators = all_validators();

            for validator in &validators {
                if validator.supports(&secret_clone.secret_type) {
                    match validator.validate(&secret_clone).await {
                        Ok(is_valid) => return (idx, Some(is_valid)),
                        Err(_) => return (idx, None),
                    }
                }
            }

            (idx, None)
        });
    }

    // Collect results
    while let Some(result) = tasks.join_next().await {
        if let Ok((idx, validated)) = result {
            secrets[idx].validated = validated;
        }
    }

    Ok(())
}