Core types shared across all KeyHog crates.
Defines the Source trait for pluggable input backends, DetectorSpec
for TOML-based pattern definitions, RawMatch and VerifiedFinding for
scanner output, DedupedMatch for grouped findings, and Reporter for
structured result formatting.
Re-exports§
pub use credential::Credential;
pub use credential::SensitiveString;
pub use allowlist::*;
pub use config::*;
pub use report::*;
Modules§
- allowlist - Credential/path allowlist parsing and matching. Allowlist support: .keyhogignore file parsing for suppressing known false positives by path glob, detector ID, or credential hash.
- auto_fix - Auto-fix suggestion logic for SARIF output. Auto-fix suggestions: turn each finding into “replace this credential with ${ENV_VAR_NAME}” advice.
- banner - ANSI-colored CLI startup banner with detector counts.
- calibration - Bayesian confidence calibration for detectors. Bayesian Beta(α, β) calibration per detector.
- config - Configuration system for KeyHog scanning options. Configuration for KeyHog scanning and verification.
- credential - Secure credential storage and redaction. Opaque, zeroize-on-drop credential bytes.
- encoding - Shared standard Base64 decode (wire / K8s), bounded for DoS safety. Standard Base64 (RFC 4648) decode for wire formats and structured data.
- hardening - Security hardening: memory zeroization and process isolation helpers. Process-level memory protections.
- merkle_index - Incremental scan state via BLAKE3 Merkle index. Incremental scan support via a persisted file-content index.
- registry - Global registry for sources and verifiers. Global registry for pluggable components (Sources, Verifiers). This allows adding new features in a single file without modifying the core.
- report - Structured reporting (JSON, SARIF, Text). Reporting logic for scan results.
- safe_bin - Safe absolute-path resolution for external binaries. Safe absolute-path resolution for external binaries we shell out to.
- serde_arc_str
- serde_arc_str_opt
Structs§
- Chunk - A scannable chunk of text with metadata about where it came from.
- ChunkMetadata - Metadata that tracks the source location for a scanned chunk.
- CompanionSpec - Secondary pattern used to confirm a primary match or provide extra context.
- DedupedMatch - A group of related raw matches representing a single distinct secret finding.
- DetectorFile - Wrapping struct for a detector TOML file.
- DetectorSpec - A complete detector definition loaded from a TOML file.
- HeaderSpec - Custom HTTP header specification.
- MatchLocation - Where a credential was found: file path, line number, commit, and author.
- MetadataSpec - Metadata field specification for verification results.
- OobSpec - Out-of-band callback verification configuration.
- PatternSpec - A regex pattern with optional capture group and description.
- RawMatch - A raw pattern match before verification or deduplication.
- RedactedFinding - Redacted, disk-safe view of a RawMatch. Carries only the SHA-256 hash and a “first4…last4” preview, never the plaintext credential. This is the only finding shape that should ever leave keyhog’s process boundary.
- StepSpec - A single step in a multi-step verification flow.
- SuccessSpec - Criteria for a successful verification response.
- VerifiedFinding - A finding after verification: the final output.
- VerifySpec - Live verification configuration for a detector.
Enums§
- AuthSpec - Authentication scheme for verification requests.
- DedupScope - Deduplication scope for grouping findings.
- HttpMethod - HTTP method for verification requests.
- OobPolicy - How OOB observation combines with HTTP success criteria.
- OobProtocol - Out-of-band callback protocol expected from a successful exfil.
- QualityIssue - Quality issue found in a detector spec.
- Severity - Severity level for a finding.
- SourceError - Errors returned by input sources while enumerating or reading content.
- SpecError - Errors returned while loading or validating detector specifications.
- VerificationResult - Result of live verification: whether the credential is active, revoked, or untested.
Traits§
- Source - Produces chunks of text for the scanner to process. Each implementation handles a different input source.
Functions§
- dedup_cross_detector - Cross-detector dedup at emit time.
- dedup_matches - Deduplicate raw matches according to the given DedupScope.
- embedded_detector_count - Number of embedded detector specs (authoritative for banners and tests).
- embedded_detector_tomls - Load detectors from embedded data (compiled into the binary). Returns detector TOML strings that can be parsed by the spec loader.
- load_detector_cache - Load detectors from a JSON cache file. Returns None if the cache is stale or missing.
- load_detectors - Load all detector specs from a directory of TOML files. Runs the quality gate on each detector. Rejects detectors with errors, warns on issues.
- load_detectors_from_str - Load a set of detectors from a TOML string.
- load_detectors_with_gate - Load detectors with optional quality gate enforcement. When enforce_gate is true, detectors with quality errors are skipped.
- redact - Redact a sensitive credential string for safe display.
- save_detector_cache - Save detectors to a JSON cache file for fast subsequent loads.
- validate_detector - Validate a detector spec against the quality gate.