/// Returns the bundled configuration template as TOML text.
///
/// `minimal` selects the short template (`MINIMAL_CONFIG`); otherwise the
/// fully commented template (`FULL_CONFIG`) is returned. Both are compile-time
/// string constants, so the result is `'static` and nothing is allocated.
pub fn default_config_toml(minimal: bool) -> &'static str {
    match minimal {
        true => MINIMAL_CONFIG,
        false => FULL_CONFIG,
    }
}
/// Short configuration template written out by `default_config_toml(true)`.
///
/// Only two sections are present: `[scoring]` with the `balanced` sensitivity
/// preset, and `[scope_filter]` skipping tests and examples. Every other
/// setting shown in `FULL_CONFIG` (ignore paths, size limit, symlink handling,
/// output format) is absent here and therefore falls back to whatever the
/// deserializer's defaults are — confirm against `crate::config::Config`.
// NOTE(review): the documentation URL embedded in the template still contains
// the `yourusername` placeholder; confirm it is replaced before release.
const MINIMAL_CONFIG: &str = r#"# Secretrace Configuration (Minimal)
# See https://github.com/yourusername/secretrace for full documentation
[scoring]
# Sensitivity preset: paranoid, high, balanced, low, minimal
sensitivity = "balanced"
[scope_filter]
ignore_tests = true
ignore_examples = true
"#;
/// Fully commented configuration template written out by
/// `default_config_toml(false)`.
///
/// The template documents every section inline; the settings below are the
/// ones a reviewer should be aware of when this file is handed to users
/// (meanings are taken from the template's own comments, not from code
/// visible here):
///
/// * `[general].follow_symlinks = false` — per the template, the scanner does
///   not follow symlinks by default, which keeps a scan from wandering outside
///   the tree it was pointed at.
/// * `[general].max_file_size = 1000000` — an upper bound on the size of a
///   file that will be scanned; files above it are presumably skipped rather
///   than read into memory.
/// * `[general].ignore_paths` excludes `**/vendor/**` and `**/target/**`, so
///   secrets committed inside vendored dependencies or build output are not
///   reported by default. That is a coverage trade-off worth stating to users.
/// * `[scope_filter]` excludes tests, examples, benches, fixtures and testdata;
///   anything real that lives under those paths is likewise not reported.
/// * The commented `[[rules]]` entries are examples of value/name patterns for
///   well-known credential formats; they are inert until uncommented.
// NOTE(review): the documentation URL embedded in the template still contains
// the `yourusername` placeholder; confirm it is replaced before release.
const FULL_CONFIG: &str = r#"# Secretrace Configuration
# See https://github.com/yourusername/secretrace for full documentation
[general]
# Files/directories to always ignore (glob patterns)
ignore_paths = [
"**/target/**",
"**/vendor/**",
"**/.git/**",
]
# File extensions to scan
extensions = ["rs"]
# Maximum file size to scan (bytes)
max_file_size = 1000000
# Follow symlinks
follow_symlinks = false
[scoring]
# Sensitivity preset: paranoid, high, balanced, low, minimal
# - paranoid: Report everything suspicious (threshold: 30)
# - high: High sensitivity, some false positives acceptable (threshold: 50)
# - balanced: Balanced detection (threshold: 70) [default]
# - low: Low sensitivity, prefer precision (threshold: 85)
# - minimal: Only report obvious secrets (threshold: 95)
sensitivity = "balanced"
# Override threshold (takes precedence over preset)
# threshold_override = 70
# Base scores
base_comparison_score = 50
base_definition_score = 30
[name_filter]
# Add company-specific benign terms
# additional_benign_terms = [
# { term = "feature_flag", score = -80, mode = "contains" },
# { term = "experiment_", score = -60, mode = "prefix" },
# ]
# Add company-specific suspicious terms
# additional_suspicious_terms = [
# { term = "prod_api_key", score = 40, mode = "contains" },
# ]
# Exact names to always ignore
ignore_names = [
"CARGO_PKG_VERSION",
"RUST_VERSION",
]
# Regex patterns to ignore
# ignore_patterns = []
[scope_filter]
# Ignore test functions and test modules
ignore_tests = true
# Ignore example files (examples/)
ignore_examples = true
# Ignore benchmark files (benches/)
ignore_benchmarks = true
# Additional paths to ignore
ignore_paths = [
"**/fixtures/**",
"**/testdata/**",
]
[consequence]
# Additional logging functions specific to your project
# additional_logging_functions = [
# "custom_logger",
# "telemetry",
# ]
# Additional auth functions to flag
# additional_auth_functions = [
# "grant_access",
# "verify_jwt",
# ]
[rhs]
# Additional command-like variable names (reduce suspicion)
# additional_command_names = [
# "subcommand",
# "handler",
# ]
# Additional auth-like variable names (increase suspicion)
# additional_auth_names = []
[output]
# Default output format: text, json, sarif, markdown, github
format = "text"
# Include score breakdown in output
show_scores = false
# Include remediation suggestions
show_remediation = true
# Color output
color = true
# Custom rules
# [[rules]]
# id = "aws-key"
# description = "AWS Access Key ID pattern"
# value_pattern = "^AKIA[0-9A-Z]{16}$"
# score = 50
# severity = "critical"
# [[rules]]
# id = "stripe-key"
# description = "Stripe API Key pattern"
# name_pattern = "(?i)stripe"
# value_pattern = "^sk_(live|test)_[a-zA-Z0-9]{24,}$"
# score = 50
# severity = "critical"
"#;
#[cfg(test)]
mod tests {
    use super::*;

    /// Deserializes one of the bundled templates into the project's `Config`.
    ///
    /// Panics if the template does not parse; that is the condition these
    /// tests exist to catch, since a shipped template that fails to load would
    /// break every fresh installation.
    fn parse_template(minimal: bool) -> crate::config::Config {
        toml::from_str(default_config_toml(minimal)).unwrap()
    }

    #[test]
    fn test_minimal_config_parses() {
        let parsed = parse_template(true);
        // The minimal template pins the `balanced` preset explicitly.
        assert_eq!(
            parsed.scoring.sensitivity,
            crate::config::SensitivityPreset::Balanced
        );
    }

    #[test]
    fn test_full_config_parses() {
        let parsed = parse_template(false);
        assert_eq!(
            parsed.scoring.sensitivity,
            crate::config::SensitivityPreset::Balanced
        );
        // `[scope_filter].ignore_tests = true` in the full template.
        assert!(parsed.scope_filter.ignore_tests);
    }
}