keyhunter/.planning/phases/07-import-cicd/07-01-SUMMARY.md
2026-04-05 23:55:58 +03:00

---
phase: 07-import-cicd
plan: 01
subsystem: importer
tags: [importer, trufflehog, json, adapters]
requires:
  - pkg/engine/finding.go
provides:
  - pkg/importer.Importer interface
  - pkg/importer.TruffleHogImporter (v3 JSON)
affects:
  - pkg/importer (new package)
tech-stack:
  added: []
  patterns:
    - Adapter interface per external scanner format
    - Regex + alias map name normalization
    - Raw json.RawMessage for polymorphic SourceMetadata
key-files:
  created:
    - pkg/importer/importer.go
    - pkg/importer/trufflehog.go
    - pkg/importer/trufflehog_test.go
    - pkg/importer/testdata/trufflehog-sample.json
  modified: []
decisions:
  - SourceMetadata decoded lazily via json.RawMessage then a second pass into a priority struct — tolerates unknown source types without breaking the import
  - Records with empty Raw are skipped silently (no usable key material)
  - Verified=true -> Confidence=high, VerifyStatus=live; otherwise medium/unverified
metrics:
  duration: ~6 min
  completed: 2026-04-05
  tasks: 1
  files: 4
  commits: 1
---

Phase 07 Plan 01: Importer Interface and TruffleHog v3 JSON Adapter Summary

One-liner: New pkg/importer package with Importer interface plus TruffleHogImporter that decodes v3 JSON into engine.Finding with detector-name normalization and SourceMetadata path extraction.

What Was Built

  • pkg/importer/importer.go — Importer interface with Name() string and Import(r io.Reader) ([]engine.Finding, error). Stateless contract reusable across future scanner formats.
  • pkg/importer/trufflehog.go — TruffleHogImporter struct, trufflehogRecord mirror of the v3 schema, normalizeTruffleHogName (lowercases, strips v\d+$, applies alias map for aws/gcp/openai/anthropic/huggingface/github), and extractSourcePath walking SourceMetadata.Data.{Git,Filesystem,Github} in priority order.
  • pkg/importer/testdata/trufflehog-sample.json — Realistic 3-record fixture: verified OpenAI key with Git file+line, unverified AnthropicV2 on Filesystem, verified AWS key with Github link.
  • pkg/importer/trufflehog_test.go — 5 tests: Name, full Import fixture roundtrip, table-driven NormalizeName (7 cases incl. unknown detector fall-through), empty array, invalid JSON error.

Mapping Rules

| TruffleHog field | engine.Finding field |
|---|---|
| DetectorName (normalized) | ProviderName |
| Raw | KeyValue (+ KeyMasked via engine.MaskKey) |
| Verified = true | Confidence=high, VerifyStatus=live, Verified=true |
| Verified = false | Confidence=medium, VerifyStatus=unverified |
| SourceMetadata.Data.Git.File / line | Source, LineNumber |
| SourceMetadata.Data.Filesystem.File | Source |
| SourceMetadata.Data.Github.{File,Link,Repository} | Source |
| SourceName (fallback) | Source |
| (constant) | SourceType = "import:trufflehog" |
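As an added example (not the project's code), the mapping rules above and the two-pass SourceMetadata decode from What Was Built, condensed into one stand-alone Go file. Assumptions: Finding stands in for engine.Finding, Import takes []byte instead of io.Reader, the alias map and KeyMasked are left out, the lowercase "file"/"line" keys under Data.* are taken from TruffleHog output, and Sample is constructed input rather than the project's fixture.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// Finding stands in for engine.Finding; the field names follow the summary's mapping table (assumption).
type Finding struct { ProviderName, KeyValue, Source, SourceType, Confidence, VerifyStatus string; LineNumber int; Verified bool }
// record mirrors the v3 fields used here. SourceMetadata stays a json.RawMessage on the first pass,
// so a record with an unknown source type still decodes instead of failing the whole import.
type record struct { DetectorName, Raw, SourceName string; Verified bool; SourceMetadata json.RawMessage }
// Sample is a constructed v3 array, not the project's fixture: a verified Git hit plus an unverified
// hit whose source type ("S3") this code does not know, so Source must fall back to SourceName.
const Sample = `[{"DetectorName":"OpenAI","Verified":true,"Raw":"sk-CONSTRUCTED","SourceName":"git-scan","SourceMetadata":{"Data":{"Git":{"file":"config/.env","line":12}}}},
{"DetectorName":"AnthropicV2","Verified":false,"Raw":"sk-ant-CONSTRUCTED","SourceName":"s3-scan","SourceMetadata":{"Data":{"S3":{"bucket":"b"}}}}]`
var versionSuffix = regexp.MustCompile(`v\d+$`)
// NormalizeName lowercases and strips a trailing vN (the project additionally applies an alias map).
func NormalizeName(name string) string { return versionSuffix.ReplaceAllString(strings.ToLower(name), "") }
// Import decodes a v3 JSON array and applies the mapping rules; records with empty Raw are skipped.
func Import(data []byte) ([]Finding, error) {
	var recs []record
	if err := json.Unmarshal(data, &recs); err != nil {
		return nil, err
	}
	out := []Finding{}
	for _, rec := range recs {
		if rec.Raw == "" {
			continue // no usable key material
		}
		f := Finding{ProviderName: NormalizeName(rec.DetectorName), KeyValue: rec.Raw, Source: rec.SourceName,
			SourceType: "import:trufflehog", Confidence: "medium", VerifyStatus: "unverified"}
		if rec.Verified {
			f.Verified, f.Confidence, f.VerifyStatus = true, "high", "live"
		}
		// Second pass: Data keys are source types; walk Git, Filesystem, Github in priority order.
		var m struct{ Data map[string]struct{ File string `json:"file"`; Line int `json:"line"` } }
		_ = json.Unmarshal(rec.SourceMetadata, &m) // an unknown shape just leaves the map empty
		for _, k := range []string{"Git", "Filesystem", "Github"} {
			if l, ok := m.Data[k]; ok && l.File != "" {
				f.Source, f.LineNumber = l.File, l.Line
				break
			}
		}
		out = append(out, f)
	}
	return out, nil
}
```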

Verification

  • go build ./pkg/importer/... — clean
  • go vet ./pkg/importer/... — clean
  • go test ./pkg/importer/... -run TruffleHog -v — 5/5 PASS in ~3ms

Note: the package also contains untracked scaffolding (gitleaks_test.go) awaiting plan 07-02. To verify this plan in isolation the scaffolding was temporarily moved out of the package during the vet/test run, then restored. No tracked files outside this plan were touched.

Deviations from Plan

None — plan executed exactly as written.

Deferred Issues

  • Pre-existing untracked pkg/importer/gitleaks_test.go references GitleaksImporter/GitleaksCSVImporter, which are scheduled for plan 07-02. Out of scope for this plan; tracked by phase roadmap.

Commits

  • 46eec32 — feat(07-01): Importer interface and TruffleHog v3 JSON adapter

Self-Check: PASSED

  • FOUND: pkg/importer/importer.go
  • FOUND: pkg/importer/trufflehog.go
  • FOUND: pkg/importer/trufflehog_test.go
  • FOUND: pkg/importer/testdata/trufflehog-sample.json
  • FOUND commit: 46eec32