secretDetection static method

ToolLifecycle secretDetection({
  required void onSecretFound(
    String warning
  ),
})

Secret detection lifecycle hooks.

Scans tool outputs for potential secrets (API keys, tokens, passwords, PEM private keys) and emits warnings. The warning names the tool and the pattern that matched, never the matched value, and only the first match per tool execution is reported; the tool output itself is passed through unchanged.

Implementation

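/// Builds a [ToolLifecycle] whose `onToolAfterExecution` hook scans each
/// tool's output for strings that look like credentials and reports them
/// through [onSecretFound].
///
/// Detection is heuristic: key/value assignments such as `api_key=…`,
/// `password: …`, `token=…`, PEM private-key headers, and a few well-known
/// vendor token prefixes. Expect false positives (any `token: x` in prose)
/// and false negatives (unlabelled high-entropy strings are not detected);
/// treat a warning as a prompt to investigate, not as proof.
///
/// The warning carries the tool name and the regex that matched — never the
/// matched text — so the hook does not re-emit the secret into whatever sink
/// [onSecretFound] writes to. Only the first matching pattern is reported per
/// tool execution. The output is returned unchanged; callers that need
/// redaction must do it in their own hook.
///
/// [onSecretFound] receives a human-readable warning string.
static ToolLifecycle secretDetection({
  required void Function(String warning) onSecretFound,
}) {
  final secretPatterns = <RegExp>[
    // Key/value style assignments. `api[_-]?key` already matches `apikey`,
    // so no separate alternative is needed.
    RegExp(r'api[_-]?key\s*[=:]\s*\S+', caseSensitive: false),
    RegExp(r'(?:password|passwd|pwd)\s*[=:]\s*\S+', caseSensitive: false),
    RegExp(r'(?:secret|token)\s*[=:]\s*\S+', caseSensitive: false),
    RegExp(
      r'(?:access[_-]?key|aws[_-]?key)\s*[=:]\s*\S+',
      caseSensitive: false,
    ),
    // PEM private-key header. Any label ending in "PRIVATE KEY" counts, so
    // OPENSSH, ENCRYPTED and unlabelled PKCS#8 headers are caught as well as
    // RSA/DSA/EC; "PRIVATE KEY BLOCK" covers PGP armor.
    RegExp(r'-----BEGIN (?:[A-Z]+ )*PRIVATE KEY(?: BLOCK)?-----'),
    // Vendor token prefixes (OpenAI-style `sk-`, GitHub classic `ghp_` and
    // fine-grained `github_pat_`).
    RegExp(r'sk-[a-zA-Z0-9]{20,}'),
    RegExp(r'ghp_[a-zA-Z0-9]{36}'),
    RegExp(r'github_pat_[A-Za-z0-9_]{22,}'),
  ];

  return ToolLifecycle(
    onToolAfterExecution: (event) async {
      final output = event.output;
      for (final pattern in secretPatterns) {
        if (pattern.hasMatch(output)) {
          // Report the pattern, not the match, so the secret is not copied
          // into the warning sink. One warning per execution is enough.
          onSecretFound(
            'Potential secret detected in output of '
            '"${event.toolName}": pattern ${pattern.pattern}',
          );
          break;
        }
      }
      return null; // Do not modify output.
    },
  );
}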