feat: Add secret detection workflows and comprehensive benchmarking (#15)

Add three production-ready secret detection workflows with full benchmarking infrastructure:

**New Workflows:**
- gitleaks_detection: Pattern-based secret scanning (13/32 benchmark secrets)
- trufflehog_detection: Entropy-based detection with verification (1/32 benchmark secrets)
- llm_secret_detection: AI-powered semantic analysis (32/32 benchmark secrets - 100% recall)

**Benchmarking Infrastructure:**
- Ground truth dataset with 32 documented secrets (12 Easy, 10 Medium, 10 Hard)
- Automated comparison tools for precision/recall testing
- SARIF output format for all workflows
- Performance metrics and tool comparison reports

**Fixes:**
- Set gitleaks default to no_git=True for uploaded directories
- Update documentation with correct secret counts and workflow names
- Temporarily deactivate AI agent command
- Clean up deprecated test files and GitGuardian workflow

**Testing:**
All workflows verified on secret_detection_benchmark and vulnerable_app test projects.
Workers healthy and system fully functional.
This commit is contained in:
tduhamel42
2025-10-16 11:21:24 +02:00
committed by GitHub
parent c3ce03e216
commit 2da986ebb0
28 changed files with 2505 additions and 648 deletions
@@ -0,0 +1,6 @@
"""LLM Secret Detection Workflow"""
from .workflow import LlmSecretDetectionWorkflow
from .activities import scan_with_llm
__all__ = ["LlmSecretDetectionWorkflow", "scan_with_llm"]
@@ -0,0 +1,112 @@
"""LLM Secret Detection Workflow Activities"""
from pathlib import Path
from typing import Dict, Any
from temporalio import activity
try:
from toolbox.modules.secret_detection.llm_secret_detector import LLMSecretDetectorModule
except ImportError:
from modules.secret_detection.llm_secret_detector import LLMSecretDetectorModule
@activity.defn(name="scan_with_llm")
async def scan_with_llm(target_path: str, config: Dict[str, Any]) -> Dict[str, Any]:
"""Scan code using LLM."""
activity.logger.info(f"Starting LLM secret detection: {target_path}")
workspace = Path(target_path)
llm_detector = LLMSecretDetectorModule()
llm_detector.validate_config(config)
result = await llm_detector.execute(config, workspace)
if result.status == "failed":
raise RuntimeError(f"LLM detection failed: {result.error}")
findings_dicts = [finding.model_dump() for finding in result.findings]
return {"findings": findings_dicts, "summary": result.summary}
@activity.defn(name="llm_secret_generate_sarif")
async def llm_secret_generate_sarif(findings: list, metadata: Dict[str, Any]) -> Dict[str, Any]:
"""
Generate SARIF report from LLM secret detection findings.
Args:
findings: List of finding dictionaries from LLM secret detector
metadata: Metadata including tool_name, tool_version
Returns:
SARIF 2.1.0 report dictionary
"""
activity.logger.info(f"Generating SARIF report from {len(findings)} findings")
# Basic SARIF 2.1.0 structure
sarif_report = {
"version": "2.1.0",
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"name": metadata.get("tool_name", "llm-secret-detector"),
"version": metadata.get("tool_version", "1.0.0"),
"informationUri": "https://github.com/FuzzingLabs/fuzzforge_ai"
}
},
"results": []
}
]
}
# Convert findings to SARIF results
for finding in findings:
sarif_result = {
"ruleId": finding.get("id", finding.get("metadata", {}).get("secret_type", "unknown-secret")),
"level": _severity_to_sarif_level(finding.get("severity", "warning")),
"message": {
"text": finding.get("title", "Secret detected by LLM")
},
"locations": []
}
# Add description if present
if finding.get("description"):
sarif_result["message"]["markdown"] = finding["description"]
# Add location if file path is present
if finding.get("file_path"):
location = {
"physicalLocation": {
"artifactLocation": {
"uri": finding["file_path"]
}
}
}
# Add region if line number is present
if finding.get("line_start"):
location["physicalLocation"]["region"] = {
"startLine": finding["line_start"]
}
if finding.get("line_end"):
location["physicalLocation"]["region"]["endLine"] = finding["line_end"]
sarif_result["locations"].append(location)
sarif_report["runs"][0]["results"].append(sarif_result)
activity.logger.info(f"Generated SARIF report with {len(sarif_report['runs'][0]['results'])} results")
return sarif_report
def _severity_to_sarif_level(severity: str) -> str:
"""Convert severity to SARIF level"""
severity_map = {
"critical": "error",
"high": "error",
"medium": "warning",
"low": "note",
"info": "note"
}
return severity_map.get(severity.lower(), "warning")
@@ -0,0 +1,43 @@
name: llm_secret_detection
version: "1.0.0"
vertical: secrets
description: "AI-powered secret detection using LLM semantic analysis"
author: "FuzzForge Team"
tags:
- "secrets"
- "llm"
- "ai"
- "semantic"
workspace_isolation: "shared"
parameters:
type: object
properties:
agent_url:
type: string
default: "http://fuzzforge-task-agent:8000/a2a/litellm_agent"
llm_model:
type: string
default: "gpt-4o-mini"
llm_provider:
type: string
default: "openai"
max_files:
type: integer
default: 20
default_parameters:
agent_url: "http://fuzzforge-task-agent:8000/a2a/litellm_agent"
llm_model: "gpt-4o-mini"
llm_provider: "openai"
max_files: 20
required_modules:
- "llm_secret_detector"
supported_volume_modes:
- "ro"
@@ -0,0 +1,156 @@
"""LLM Secret Detection Workflow"""
from datetime import timedelta
from typing import Dict, Any, Optional
from temporalio import workflow
from temporalio.common import RetryPolicy
@workflow.defn
class LlmSecretDetectionWorkflow:
"""Scan code for secrets using LLM AI."""
@workflow.run
async def run(
self,
target_id: str,
agent_url: Optional[str] = None,
llm_model: Optional[str] = None,
llm_provider: Optional[str] = None,
max_files: Optional[int] = None,
timeout: Optional[int] = None,
file_patterns: Optional[list] = None
) -> Dict[str, Any]:
workflow_id = workflow.info().workflow_id
run_id = workflow.info().run_id
workflow.logger.info(
f"Starting LLM Secret Detection Workflow "
f"(workflow_id={workflow_id}, target_id={target_id}, model={llm_model})"
)
results = {
"workflow_id": workflow_id,
"target_id": target_id,
"status": "running",
"steps": [],
"findings": []
}
try:
# Step 1: Download target from MinIO
workflow.logger.info("Step 1: Downloading target from MinIO")
target_path = await workflow.execute_activity(
"get_target",
args=[target_id, run_id, "shared"],
start_to_close_timeout=timedelta(minutes=5),
retry_policy=RetryPolicy(
initial_interval=timedelta(seconds=1),
maximum_interval=timedelta(seconds=30),
maximum_attempts=3
)
)
results["steps"].append({
"step": "download",
"status": "success",
"target_path": target_path
})
workflow.logger.info(f"✓ Target downloaded to: {target_path}")
# Step 2: Scan with LLM
workflow.logger.info("Step 2: Scanning with LLM")
config = {}
if agent_url:
config["agent_url"] = agent_url
if llm_model:
config["llm_model"] = llm_model
if llm_provider:
config["llm_provider"] = llm_provider
if max_files:
config["max_files"] = max_files
if timeout:
config["timeout"] = timeout
if file_patterns:
config["file_patterns"] = file_patterns
scan_results = await workflow.execute_activity(
"scan_with_llm",
args=[target_path, config],
start_to_close_timeout=timedelta(minutes=30),
retry_policy=RetryPolicy(
initial_interval=timedelta(seconds=2),
maximum_interval=timedelta(seconds=60),
maximum_attempts=2
)
)
findings_count = len(scan_results.get("findings", []))
results["steps"].append({
"step": "llm_scan",
"status": "success",
"secrets_found": findings_count
})
workflow.logger.info(f"✓ LLM scan completed: {findings_count} secrets found")
# Step 3: Generate SARIF report
workflow.logger.info("Step 3: Generating SARIF report")
sarif_report = await workflow.execute_activity(
"llm_generate_sarif", # Use shared LLM SARIF activity
args=[
scan_results.get("findings", []),
{
"tool_name": f"llm-secret-detector ({llm_model or 'gpt-4o-mini'})",
"tool_version": "1.0.0"
}
],
start_to_close_timeout=timedelta(minutes=2)
)
workflow.logger.info("✓ SARIF report generated")
# Step 4: Upload results to MinIO
workflow.logger.info("Step 4: Uploading results")
try:
results_url = await workflow.execute_activity(
"upload_results",
args=[workflow_id, scan_results, "json"],
start_to_close_timeout=timedelta(minutes=2)
)
results["results_url"] = results_url
workflow.logger.info(f"✓ Results uploaded to: {results_url}")
except Exception as e:
workflow.logger.warning(f"Failed to upload results: {e}")
results["results_url"] = None
# Step 5: Cleanup cache
workflow.logger.info("Step 5: Cleaning up cache")
try:
await workflow.execute_activity(
"cleanup_cache",
args=[target_path, "shared"],
start_to_close_timeout=timedelta(minutes=1)
)
workflow.logger.info("✓ Cache cleaned up")
except Exception as e:
workflow.logger.warning(f"Cache cleanup failed: {e}")
# Mark workflow as successful
results["status"] = "success"
results["findings"] = scan_results.get("findings", [])
results["summary"] = scan_results.get("summary", {})
results["sarif"] = sarif_report or {}
workflow.logger.info(
f"✓ Workflow completed successfully: {workflow_id} "
f"({findings_count} secrets found)"
)
return results
except Exception as e:
workflow.logger.error(f"Workflow failed: {e}")
results["status"] = "error"
results["error"] = str(e)
results["steps"].append({
"step": "error",
"status": "failed",
"error": str(e)
})
raise