Trait SecretPattern 

pub trait SecretPattern: Send + Sync {
    // Required methods
    fn id(&self) -> &str;
    fn display_name(&self) -> &str;
    fn format_regex(&self) -> &Regex;
    fn severity(&self) -> Severity;

    // Provided methods
    fn metadata(&self) -> Option<&PatternMetadata> { ... }
    fn rotation(&self) -> Option<&RotationSpec> { ... }
    fn liveness(&self) -> Option<&LivenessSpec> { ... }
}
One kind of secret in the catalogue.

Implementors are usually zero-sized types (one per pattern); the catalogue (epic phase P2.2) holds them behind &'static dyn SecretPattern references.

Thread-safety. The trait requires Send + Sync because the secret store and the OTLP sanitizer both consume patterns from concurrent contexts.

Layering. The mandatory accessors (id, display_name, format_regex, severity) cover the OTLP-sanitizer / scan use case. The three optional layers (metadata, rotation, liveness) cover the secret-store use case; patterns may implement all, some, or none of them. Each default implementation returns None, so a minimal pattern only has to write four method bodies.

Required Methods

fn id(&self) -> &str

Stable identifier (lowercase, kebab-case). Used as a foreign key from the global index entry’s pattern_id (ADR-020 §3) and as a join key with other tools that consume the catalogue.

fn display_name(&self) -> &str

Human-readable name shown in secrets describe and in scan-tool reports.

fn format_regex(&self) -> &Regex

Regular expression matching valid values of this kind.

Returned by reference so implementors can lazy-compile and cache the Regex (e.g. via OnceLock) without paying the cost on every match. The catalogue is hot-path: every secret resolution and every OTLP attribute walk hits this method.

fn severity(&self) -> Severity

Severity to attach to a leak finding for this pattern.
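
An added example (not the crate's own code) of a minimal implementor: a zero-sized type with the four required methods that caches its matcher in a OnceLock, as the format_regex notes suggest, and is reached through a catalogue of &'static dyn SecretPattern references. The local trait mirror, the single Severity variant, DemoToken, CATALOGUE and classify are assumptions, and Regex is a std-only stand-in for the regex crate's type so the block compiles alone.

```rust
use std::sync::OnceLock;

// Std-only stand-in for regex::Regex (assumption, so this builds without crates):
// matches a literal prefix followed by exactly `len` ASCII alphanumerics.
pub struct Regex { prefix: &'static str, len: usize }
impl Regex {
    pub fn is_match(&self, s: &str) -> bool {
        s.strip_prefix(self.prefix).map_or(false, |rest| {
            rest.len() == self.len && rest.bytes().all(|b| b.is_ascii_alphanumeric())
        })
    }
}

// Hypothetical variant; the real Severity enum is not shown on the page.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Severity { High }

// Local mirror of the trait's four required methods (optional layers omitted).
pub trait SecretPattern: Send + Sync {
    fn id(&self) -> &str;
    fn display_name(&self) -> &str;
    fn format_regex(&self) -> &Regex;
    fn severity(&self) -> Severity;
}

// Zero-sized implementor for a constructed format: "demo_" + 16 alphanumerics.
pub struct DemoToken;
impl SecretPattern for DemoToken {
    fn id(&self) -> &str { "demo-token" }
    fn display_name(&self) -> &str { "Demo API token" }
    fn format_regex(&self) -> &Regex {
        static RE: OnceLock<Regex> = OnceLock::new(); // built on first use, then shared
        RE.get_or_init(|| Regex { prefix: "demo_", len: 16 })
    }
    fn severity(&self) -> Severity { Severity::High }
}

// Catalogue of &'static dyn references, as the trait docs describe.
pub static CATALOGUE: &[&'static dyn SecretPattern] = &[&DemoToken];

// Sanitizer-style walk: id and severity of the first pattern matching `value`.
pub fn classify(value: &str) -> Option<(&'static str, Severity)> {
    CATALOGUE.iter().copied().find(|p| p.format_regex().is_match(value))
        .map(|p| (p.id(), p.severity()))
}

fn main() {
    println!("{:?}", classify("demo_abcdEFGH12345678"));
}
```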

Provided Methods

fn metadata(&self) -> Option<&PatternMetadata>

Optional descriptive metadata (provider, retrieval URL, expiry, scopes).

Default returns None; consumers that only need format/severity (the sanitizer and scan tools) ignore this layer.

fn rotation(&self) -> Option<&RotationSpec>

Optional rotation hint (manual vs provider-driven).

Default returns None.

fn liveness(&self) -> Option<&LivenessSpec>

Optional liveness probe specification.

Default returns None. Patterns that ship a probe let the secrets validate flow check whether a candidate value is currently accepted by the upstream.

Dyn Compatibility

This trait is dyn compatible.

In older versions of Rust, dyn compatibility was called "object safety".

Implementors