Skip to content

[FEAT] Upgrade secrets backend to gitleaks subprocess — replace regex-only scanner #159

Description

@Wolfvin

Background

CodeLens's current secrets command is regex-only. This leads to:

  • High false-positive rate — generic patterns like password match test fixtures and comments
  • High miss rate — no entropy analysis, no Git history scan, no structured rule library
  • No ecosystem awareness — doesn't understand AWS key format, GitHub PAT format, Stripe key format, etc.

Gitleaks is a purpose-built secrets scanner with 600+ maintained rules, entropy scoring, structured JSON output, and active development. It is the de-facto standard for secrets detection in CI pipelines.

Goal

Upgrade codelens secrets to use gitleaks as its primary backend when available, with a graceful fallback to the existing regex scanner when gitleaks is not installed.

# Same interface, better results
codelens secrets .
codelens secrets . --format json
codelens secrets . --no-gitleaks   # force regex fallback

Implementation

# Detection
def _gitleaks_available() -> bool:
    return subprocess.run(['gitleaks', 'version'], capture_output=True).returncode == 0

# Invocation
subprocess.run([
    'gitleaks', 'detect',
    '--source', path,
    '--report-format', 'json',
    '--report-path', tmp_output,
    '--no-git',   # scan working tree, not git history (optional: add --git flag)
    '--exit-code', '0'   # don't fail on findings — we handle exit ourselves
])

Result normalizer: map gitleaks JSON output fields to CodeLens's existing findings schema:

  • gitleaks.RuleIDtype
  • gitleaks.Descriptionmessage
  • gitleaks.File + gitleaks.StartLinefile + line
  • gitleaks.Secret → redacted match (show first 4 chars + ***)
  • gitleaks.Tagscategory

Fallback behavior: if gitleaks not found, run existing regex scanner with a [warning] in output: gitleaks not found — using built-in regex scanner (lower accuracy). Install gitleaks for best results.

Definition of Done

  • _gitleaks_available() detection in scripts/commands/secrets.py
  • Gitleaks subprocess invocation with JSON output mode
  • Result normalizer: gitleaks JSON → CodeLens findings schema
  • Graceful fallback to existing regex scanner with warning message
  • --no-gitleaks flag to force regex fallback (useful for testing)
  • stats.backend field in output: "gitleaks" or "regex"
  • Installation hint in output when gitleaks not found
  • SKILL.md updated: note that gitleaks improves accuracy, link to install docs
  • Existing tests remain green (mock gitleaks subprocess in tests)
  • sync_command_count.py --apply run (count unchanged — same command, upgraded backend)

Source of Truth

Why not replace the regex scanner entirely

Some environments cannot install binaries (locked-down CI, read-only filesystems). The regex fallback ensures codelens secrets always works, everywhere, without setup — gitleaks is an opt-in upgrade, not a hard dependency.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions