Add a static check for detectors that don't set SecretParts #4913

mcastorina wants to merge 1 commit into secret-parts-rename-draft from
Introduces a small Go tool under hack/checksecretparts that finds detector packages which construct detectors.Result without populating the new SecretParts field. The check runs in CI as warning-only (continue-on-error) so the ~900 unmigrated detectors don't block unrelated PRs while they're being migrated; it can be flipped to a hard failure by dropping continue-on-error and passing -fail once all detectors populate the field. Covers composite and pointer literals, ignores test files on both sides (construction and reference), and suppresses findings for any package that mentions SecretParts anywhere in its non-test source so that detectors setting the field via later assignment (x.SecretParts = ...) are not flagged.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 9843976.
| } | ||
|
|
||
| if len(findings) > 0 { | ||
| fmt.Fprintf(os.Stderr, "checksecretparts: %d package(s) construct detectors.Result without SecretParts\n", len(findings)) |
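Review bot: the summary printed under `if len(findings) > 0` labels `len(findings)` as a package count, but each construction site contributes its own Finding, so a package with several `detectors.Result{}` literals is counted once per literal. Either reword the message to "%d construction site(s)" or count distinct package paths (a set keyed by each finding's package) before printing, ideally reporting both numbers so the warning-only CI output stays meaningful as the migration progresses.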
Summary message miscounts findings as packages
Low Severity
The summary line reports len(findings) as the number of "package(s)", but findings contains one entry per construction site, not per package. A single package with multiple detectors.Result{} literals produces multiple Finding values (confirmed by the "multiple construction sites reported individually" test case yielding wantLen: 2). This makes the summary overcount packages — e.g. 825 findings might come from far fewer distinct packages.
Summary

Adds a small static-analysis tool under `hack/checksecretparts/` that scans `pkg/detectors/` and warns about detector packages that construct `detectors.Result` values without ever populating the new `SecretParts` field.

It's wired into the `Lint` workflow as warning-only (`continue-on-error: true`): findings show up in CI but don't block merges. The intent is to land the check before every detector is migrated — otherwise the ~900 unmigrated packages would fail every unrelated PR.

Stacked on #4911 (the rename that introduces `SecretParts`); that needs to land first.

Why

`SecretParts` replaces the old `AnalysisInfo` field and is expected to be populated by every detector going forward. Today only ~11 detectors set it. Rather than wait for a big-bang migration, this PR adds the enforcement mechanism first so each incremental migration PR gets immediate feedback, and so the flip from warning to hard-fail becomes a one-line workflow change once the migration is complete.

What it does

- Scans `pkg/detectors/`, finds composite literals of the form `detectors.Result{...}` or `&detectors.Result{...}` in non-test `.go` files.
- If the package never references `SecretParts` in any non-test source (neither in the literal nor in a later `x.SecretParts = ...` assignment), emits one warning per construction site.
- Ignores `_test.go` files on both sides — some tests zero the field for cmp comparisons (e.g. `pkg/detectors/gitlab/v1/gitlab_integration_test.go`) and those references would otherwise mask real findings.
- No new module dependencies — just `go/ast` and `go/parser`.

How to run

Full instructions for flipping warning → hard-fail are in `hack/checksecretparts/README.md`.

Verification

- `go test ./hack/checksecretparts/` — 8 cases covering missing-field, literal-populated, later-assigned, pointer literal, multiple sites, test-file-only references (must not suppress), and no-op packages.
- Each detector that already sets `SecretParts` (postmark, databricks, figma, ngrok, monday, airbrake, digitalocean, datadog, tableau) is correctly exempted.
- `go vet ./...` and `go build ./...` are clean.

Out of scope

- Setting `SecretParts` on any real detector — that's a separate migration.

Note
Low Risk

Low risk: adds a standalone static-analysis helper and a non-gating CI job, with no runtime code-path changes to detectors themselves.

Overview

Introduces `hack/checksecretparts`, a small Go-based static analysis tool that scans `pkg/detectors` for `detectors.Result{...}` / `&detectors.Result{...}` constructions in non-test files and warns when the package never references `SecretParts`.

Wires the tool into the `Lint` GitHub Actions workflow as a warning-only job (`continue-on-error: true`), with docs and unit tests to support later flipping to a hard-fail mode.