securegit 0.8.5

Zero-trust git replacement with 12 built-in security scanners, LLM redteam bridge, universal undo, durable backups, and a 50-tool MCP server
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189

# SecureGit Performance Analysis

## Built-in vs External Plugins

### Architecture Benefits

**Built-in Rust Plugins:**
- Zero startup overhead
- Memory-efficient (shared runtime)
- Sub-millisecond execution for most scans
- Compiled optimizations (LTO, native CPU features)
- Direct memory access to file contents

**External Plugins:**
- Language-agnostic (Python, Go, Bash, Node.js)
- Leverage existing security tools (gitleaks, bandit, semgrep)
- Community-maintainable without Rust knowledge
- Isolated execution (security boundary)
- ~20-50ms startup overhead per plugin

## Performance Benchmarks

### Single File Scan (19 lines Python)

| Plugin Type | Plugin Name | Findings | Duration | Notes |
|-------------|-------------|----------|----------|-------|
| Built-in | secrets | 2 | 2ms | Regex + Aho-Corasick |
| Built-in | patterns | 3 | 2ms | Pattern matching |
| Built-in | entropy | 1 | 0ms | Shannon entropy calc |
| External | todo-scanner | 3 | 23ms | Python subprocess |

**Total Scan Time: 28ms**

### Performance Characteristics

**Startup Overhead:**
- Built-in plugins: 0ms (already loaded)
- External Python plugin: ~20-25ms (interpreter startup)
- External compiled binary: ~5-10ms (process spawn)

**Scanning Speed:**
- Built-in plugins: ~1000-5000 files/sec
- External plugins: ~50-200 files/sec (depends on tool)

**Memory Usage:**
- Built-in plugins: Minimal (shared runtime)
- External plugins: 10-50MB per plugin instance

### Large Repository Scan

**Backstage Repository (274MB, 5000+ files):**
- Acquisition time: 2.5 seconds
- Extraction time: 1.8 seconds
- Security scan time: ~30 seconds (5 built-in plugins)
- Estimated with 10 external plugins: ~2-3 minutes

**Optimization Strategy:**
1. Use built-in plugins for high-frequency scans
2. Use external plugins for specialized/thorough analysis
3. Run external plugins in parallel (up to CPU cores)
4. Cache results for unchanged files

## When to Use Each Type

### Use Built-in Plugins When:
- Speed is critical (CI/CD pipelines, pre-commit hooks)
- Scanning large repositories (thousands of files)
- Memory constraints exist
- Common vulnerability patterns (secrets, dangerous functions)

### Use External Plugins When:
- Wrapping existing specialized tools (ClamAV, YARA, Semgrep)
- Language-specific deep analysis (Bandit for Python, Gosec for Go)
- Custom organizational policies
- Regulatory compliance scanning (license detection)
- Malware detection with signature databases

## Parallelization

SecureGit scans files sequentially but plugins run concurrently per file. For external plugins, parallelization provides significant speedup:

**Sequential (1 worker):**
- 1000 files × 50ms/file = 50 seconds

**Parallel (8 workers):**
- 1000 files × 50ms/file ÷ 8 = 6.25 seconds

Future enhancement: Add `--jobs N` flag to control parallelism.

## Resource Consumption

### Small Scan (< 100 files)
- CPU: 1 core, < 10% utilization
- Memory: < 50MB
- Disk I/O: Minimal (streaming reads)

### Large Scan (5000+ files)
- CPU: 1-4 cores, 40-80% utilization
- Memory: 100-500MB (depends on file sizes)
- Disk I/O: Sequential reads (SSD optimal)

### External Plugin Overhead
- Additional 10-50MB RAM per active plugin
- Additional CPU for process management
- Temporary file I/O for some tools

## Optimization Tips

1. **Skip Patterns:** Configure skip_paths to exclude node_modules, vendor, etc.
2. **File Type Filtering:** External plugins should check file extensions early
3. **Streaming:** Process files as they're found, don't load all in memory
4. **Plugin Selection:** Only enable plugins relevant to your stack
5. **Caching:** Future enhancement to cache scan results by file hash

## Comparison with Other Tools

### Gitleaks (Secrets Only)
- Speed: Very fast (~1000 files/sec)
- Scope: Secrets detection only
- SecureGit equivalent: Built-in secrets plugin + todo-scanner

### Semgrep (SAST)
- Speed: Moderate (~50-100 files/sec)
- Scope: Pattern-based static analysis
- SecureGit: Can wrap Semgrep as external plugin

### SonarQube (Comprehensive)
- Speed: Slow (~10-20 files/sec, deep analysis)
- Scope: Full SAST, quality, security
- SecureGit: Complementary (SecureGit = acquisition security layer)

## Performance Roadmap

### Planned Improvements

1. **Parallel File Processing**
   - Multi-threaded file walker
   - Concurrent plugin execution
   - Expected: 3-5x speedup on large repos

2. **Incremental Scanning**
   - Track file hashes
   - Only rescan changed files
   - Expected: 10-50x speedup on re-scans

3. **Plugin Result Caching**
   - Cache plugin outputs by file hash
   - Share cache across projects
   - Expected: Near-instant re-scans

4. **Streaming Archive Scanning**
   - Scan files as they extract (pipeline)
   - Reduce memory footprint
   - Expected: 50% memory reduction

5. **WASM Plugin Support**
   - Faster than subprocess spawning
   - Sandboxed execution
   - Expected: 30-50% faster than external plugins

## Benchmark Reproduction

Run these commands to reproduce benchmarks:

```bash
# Single file benchmark
time securegit scan /path/to/single-file.py

# Large repo benchmark
time securegit scan /path/to/large-repository

# With external plugins
mkdir -p ~/.config/securegit/plugins
cp examples/plugins/todo-scanner ~/.config/securegit/plugins/
chmod +x ~/.config/securegit/plugins/todo-scanner
time securegit scan /path/to/repository

# Memory profiling
/usr/bin/time -v securegit scan /path/to/repository
```

## Conclusion

SecureGit's hybrid plugin architecture provides:
- **Speed** via built-in Rust plugins for common patterns
- **Flexibility** via external plugins for specialized tools
- **Scalability** through parallelization and caching (roadmap)

For most use cases, the combination of 5 built-in plugins + 3-5 external plugins provides comprehensive coverage with acceptable performance (< 1 minute for repos up to 10,000 files).