Crate keyhog_core

Core types shared across all KeyHog crates.

Defines the Source trait for pluggable input backends, DetectorSpec for TOML-based pattern definitions, Finding for scanner output, DedupedMatch for grouped findings, and Report for structured result formatting.

Modules

allowlist
Credential/path allowlist parsing and matching: .keyhogignore file parsing for suppressing known false positives by path glob, detector ID, or credential hash.
banner
Animated ASCII-art banner: a Braille-dot keyhole with true-color gradient rendering.

Structs

Chunk
A scannable chunk of text with metadata about where it came from.
ChunkMetadata
Metadata that tracks the source location for a scanned chunk.
CompanionSpec
A secondary pattern that must appear near the primary match. Example: AWS secret key found within 5 lines of an access key.
DedupedMatch
A group of raw matches with the same (detector_id, credential), collapsed into a single finding with one primary location and zero or more additional locations.
DetectorFile
A single detector specification, parsed from a TOML file. Each file in the detectors/ directory produces one of these.
DetectorSpec
Full detector definition loaded from TOML.
HeaderSpec
One extra request header to attach during verification.
JsonReporter
Full JSON array output.
JsonlReporter
One JSON object per line (JSONL).
MatchLocation
Where a credential was found: file path, line number, commit, and author.
MetadataSpec
Metadata extraction rule applied to a verification response.
PatternSpec
One regex pattern entry inside a detector.
RawMatch
A credential match found by the scanner, before verification.
SarifReporter
SARIF v2.1.0 reporter for integration with GitHub, Azure DevOps, and IDEs.
SuccessSpec
Conditions that must ALL be true for verification to succeed. All fields are optional; present fields form an implicit AND.
TextReporter
Human-readable text output with gradient banner and styled findings.
VerifiedFinding
A finding after verification — the final output.
VerifySpec
Verification HTTP request and success criteria for a detector.

Enums

AuthSpec
How to attach the credential to the verification request. The field values are interpolation references:
DedupScope
Deduplication scope controlling how raw matches are grouped into findings.
HttpMethod
HTTP methods supported by detector verification specs.
QualityIssue
Quality issue found in a detector spec.
ReportError
Errors emitted while writing scanner reports.
Severity
Severity level attached to detector matches.
SourceError
Errors returned by input sources while enumerating or reading content.
SpecError
Errors that occur while loading detector specs from disk.
VerificationResult
Result of live verification: whether the credential is active, revoked, or untested.

Traits

Reporter
Trait implemented by all finding reporters.
Source
Produces chunks of text for the scanner to process. Each implementation handles a different input source.

Functions

dedup_matches
Deduplicate raw matches according to the given DedupScope.
load_detector_cache
Load detectors from a JSON cache file. Returns None if cache is stale or missing.
load_detectors
Load all detector specs from a directory of TOML files. Runs quality gate on each detector. Rejects detectors with errors, warns on issues.
load_detectors_with_gate
Load detectors with optional quality gate enforcement. When enforce_gate is true, detectors with quality errors are skipped.
make_custom_reporter
Build a previously registered custom reporter by name.
redact
Redact a credential for safe display without leaking type prefixes or exact length.
register_reporter
Register a named reporter factory for custom output formats.
save_detector_cache
Save detectors to a JSON cache file for fast subsequent loads.
validate_detector
Validate a detector spec against the quality gate.

Type Aliases

ReporterFactory
Factory used to build dynamically registered reporters.