Core types shared across all KeyHog crates.
Defines the Source trait for pluggable input backends, DetectorSpec
for TOML-based pattern definitions, [Finding] for scanner output, and
[Report] for structured result formatting.
Modules
- allowlist: Credential/path allowlist parsing and matching. Allowlist support: .keyhogignore file parsing for suppressing known false positives by path glob, detector ID, or credential hash.
- banner: Animated ASCII-art banner with true-color gradient rendering. Braille-dot keyhole banner with true-color gradient rendering.
Structs
- Chunk: A scannable chunk of text with metadata about where it came from.
- ChunkMetadata: Metadata that tracks the source location for a scanned chunk.
- CompanionSpec: A secondary pattern that must appear near the primary match. Example: AWS secret key found within 5 lines of an access key.
- DetectorFile: A single detector specification, parsed from a TOML file. Each file in the detectors/ directory produces one of these.
- DetectorSpec: Full detector definition loaded from TOML.
- HeaderSpec: One extra request header to attach during verification.
- JsonReporter: Full JSON array output.
- JsonlReporter: One JSON object per line (JSONL).
- MatchLocation: Where a credential was found: file path, line number, commit, and author.
- MetadataSpec: Metadata extraction rule applied to a verification response.
- PatternSpec: One regex pattern entry inside a detector.
- RawMatch: A credential match found by the scanner, before verification.
- SarifReporter: SARIF v2.1.0 reporter for integration with GitHub, Azure DevOps, and IDEs.
- SuccessSpec: Conditions that must ALL be true for verification to succeed. All fields are optional; present fields form an implicit AND.
- TextReporter: Human-readable text output with gradient banner and styled findings.
- VerifiedFinding: A finding after verification — the final output.
- VerifySpec: Verification HTTP request and success criteria for a detector.
Enums
- AuthSpec: How to attach the credential to the verification request. The field values are interpolation references:
- HttpMethod: HTTP methods supported by detector verification specs.
- QualityIssue: Quality issue found in a detector spec.
- ReportError: Errors emitted while writing scanner reports.
- Severity: Severity level attached to detector matches.
- SourceError: Errors returned by input sources while enumerating or reading content.
- SpecError: Errors that occur while loading detector specs from disk.
- VerificationResult: Result of live verification: whether the credential is active, revoked, or untested.
Traits
- Reporter: Trait implemented by all finding reporters.
- Source: Produces chunks of text for the scanner to process. Each implementation handles a different input source.
Functions
- load_detector_cache: Load detectors from a JSON cache file. Returns None if cache is stale or missing.
- load_detectors: Load all detector specs from a directory of TOML files. Runs quality gate on each detector. Rejects detectors with errors, warns on issues.
- load_detectors_with_gate: Load detectors with optional quality gate enforcement. When enforce_gate is true, detectors with quality errors are skipped.
- make_custom_reporter: Build a previously registered custom reporter by name.
- redact: Redact a credential for safe display without leaking type prefixes or exact length.
- register_reporter: Register a named reporter factory for custom output formats.
- save_detector_cache: Save detectors to a JSON cache file for fast subsequent loads.
- validate_detector: Validate a detector spec against the quality gate.
Type Aliases
- ReporterFactory: Factory used to build dynamically registered reporters.