Crate keyhog_core 

Core types shared across all KeyHog crates.

Re-exports

pub use credential::Credential;

pub use credential::SensitiveString;

pub use rule_filter::RuleSuppressor;

pub use rule_filter::RuleSuppressorError;

pub use allowlist::*;

pub use config::*;

pub use report::*;

Modules

allowlist

Allowlist support: .keyhogignore file parsing for suppressing known false positives by path glob, detector ID, or credential hash.

auto_fix

Auto-fix suggestion logic for SARIF output. Auto-fix suggestions: turn each finding into “replace this credential with ${ENV_VAR_NAME}” advice.

aws

Offline AWS account-ID decode + canary-token classification (single source of truth shared by the scanner’s finding metadata and the verifier’s suppress-live-verification-for-canaries gate). Offline AWS account-ID recovery and canary-token classification.

banner

ANSI-colored CLI startup banner with detector counts.

calibration

Bayesian confidence calibration for detectors. Bayesian Beta(α, β) calibration per detector.

config

Configuration system for KeyHog scanning options. Configuration for KeyHog scanning and verification.

credential

Secure credential storage and redaction. Opaque, zeroize-on-drop credential bytes.

encoding

Shared standard Base64 decode (wire / K8s), bounded for DoS safety. Standard Base64 (RFC 4648) decode for wire formats and structured data.

hardening

Security hardening: memory zeroization and process isolation helpers. Process-level memory protections.

merkle_index

Incremental scan state via BLAKE3 Merkle index. Incremental scan support via a persisted file-content index.

registry

Global registry for sources and verifiers. Global registry for pluggable components (Sources, Verifiers). This allows adding new features in a single file without modifying the core.

report

Structured reporting (JSON, SARIF, Text). Reporting logic for scan results.

rule_filter

Declarative .keyhogignore.toml rule-based finding suppression. Wraps vyre’s CPU rule evaluator with a TOML schema scoped to keyhog’s finding shape (detector / service / severity / path / credential_hash predicates). Declarative rule-based finding suppression.

safe_bin

Safe absolute-path resolution for external binaries. Safe absolute-path resolution for external binaries we shell out to.

serde_arc_str

serde_arc_str_opt

serde_hash_hex

Serde adapter keeping the on-wire shape of credential_hash a 64-char lower-case hex string while the in-memory field is raw [u8; 32]. This preserves the documented JSON/JSONL/baseline/SARIF format (.credential_hash consumers, keyhogignore hash: entries) with zero heap on the hot path.

Structs

Chunk

A scannable chunk of text with metadata about where it came from.

ChunkMetadata

Metadata that tracks the source location for a scanned chunk.

CompanionSpec

Secondary pattern used to confirm a primary match or provide extra context.

DedupedMatch

A group of related raw matches representing a single distinct secret finding.

DetectorFile

Wrapping struct for a detector TOML file.

DetectorSpec

A complete detector definition loaded from a TOML file.

DetectorTestSpec

One inline detector self-test fixture ([[detector.tests]]).

HeaderSpec

Custom HTTP header specification.

MatchLocation

Where a credential was found: file path, line number, commit, and author.

MetadataSpec

Metadata field specification for verification results.

OobSpec

Out-of-band callback verification configuration.

PatternSpec

A regex pattern with optional capture group and description.

RawMatch

A raw pattern match before verification or deduplication.

RedactedFinding

Redacted, disk-safe view of a RawMatch. Carries only the SHA-256 hash and a “first4…last4” preview, never the plaintext credential. This is the only finding shape that should ever leave keyhog’s process boundary.

StepSpec

A single step in a multi-step verification flow.

SuccessSpec

Criteria for a successful verification response.

VerifiedFinding

A finding after verification - the final output.

VerifySpec

Live verification configuration for a detector.

Enums

AuthSpec

Authentication scheme for verification requests.

DedupScope

Deduplication scope for grouping findings.

HttpMethod

HTTP method for verification requests.

OobPolicy

How OOB observation combines with HTTP success criteria.

OobProtocol

Out-of-band callback protocol expected from a successful exfil.

QualityIssue

Quality issue found in a detector spec.

Severity

Severity level for a finding.

SourceError

Errors returned by input sources while enumerating or reading content.

SpecError

Errors returned while loading or validating detector specifications.

VerificationResult

Result of live verification: whether the credential is active, revoked, or untested.

Traits

Source

Produces chunks of text for the scanner to process. Each implementation handles a different input source.

Functions

compute_spec_hash

Compute a stable BLAKE3 digest over the canonical detector set so a later scan can detect that detectors changed.

dedup_cross_detector

Cross-detector dedup at emit time.

dedup_matches

Deduplicate raw matches according to the given DedupScope.

embedded_detector_count

Number of embedded detector specs (authoritative for banners and tests).

embedded_detector_tomls

Load detectors from embedded data (compiled into the binary). Returns detector TOML strings that can be parsed by the spec loader.

hex_encode

Lower-case hex of a 32-byte SHA-256 digest. The only place the hex string is materialized for a [u8; 32] credential_hash (reporters, Debug).

load_detector_cache

Load detectors from a JSON cache file. Returns None if cache is stale or missing.

load_detectors

Load all detector specs from a directory of TOML files. Runs quality gate on each detector. Rejects detectors with errors, warns on issues.

load_detectors_from_str

Load a set of detectors from a TOML string.

load_detectors_with_gate

Load detectors with optional quality gate enforcement. When enforce_gate is true, detectors with quality errors are skipped.

redact

Redact a sensitive credential string for safe display.

save_detector_cache

Save detectors to a JSON cache file for fast subsequent loads.

validate_detector

Validate a detector spec against the quality gate.