
feat: add Yelp detect-secrets baseline as a material type#3181

Merged

javirln merged 2 commits into chainloop-dev:main from javirln:detect-secrets on Jun 10, 2026

Conversation

javirln (Member) commented Jun 10, 2026

Description

Adds support for Yelp detect-secrets as a first-class material type via the new YELP_DETECT_SECRETS_BASELINE kind.

Users can now attest detect-secrets baseline files as a dedicated evidence type. The crafter validates that the input is a genuine detect-secrets baseline (presence of the version, plugins_used and results fields) and records the tool name and version as material annotations, which the policy engine can read at evaluation time.

AI assistance disclosure

This contribution was produced with AI assistance (Claude Code), as disclosed in the commit Assisted-by: trailer.

Adds the YELP_DETECT_SECRETS_BASELINE material type so detect-secrets
baseline files can be attested as a first-class evidence type. The
crafter validates the baseline structure (version, plugins_used and
results fields) and records the tool name and version as material
annotations, which are available to the policy engine at evaluation
time.

Assisted-by: Claude Code
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>

Chainloop-Trace-Sessions: 9b2ede11-4681-46dc-bf3c-e7b9a8bc7e3f
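The description above says the crafter accepts a file only if it carries the version, plugins_used and results fields and then records the tool name and version as annotations. The following is an added example in Go written for this page, not the PR's own DetectSecretsCrafter: it parses a detect-secrets baseline, rejects input that lacks any of the three fields, exposes the annotations, and goes one step further than the description by counting the findings that have not been audited away, which is the number a policy would usually gate on. The annotation key names, the struct field names and the three sample baselines are assumptions made for the example; only the baseline field names themselves come from the detect-secrets format.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

type Plugin struct {
	Name string `json:"name"`
}

// Finding is one entry of the "results" map. "is_secret" only appears after
// `detect-secrets audit`, so a pointer separates unaudited from audited-false.
type Finding struct {
	Type         string `json:"type"`
	HashedSecret string `json:"hashed_secret"`
	LineNumber   int    `json:"line_number"`
	IsSecret     *bool  `json:"is_secret,omitempty"`
}

// Baseline holds the three fields the crafter requires; other keys such as
// filters_used and generated_at are tolerated and ignored.
type Baseline struct {
	Version     string               `json:"version"`
	PluginsUsed []Plugin             `json:"plugins_used"`
	Results     map[string][]Finding `json:"results"`
}

// ParseBaseline rejects input that is not a detect-secrets baseline. The first
// pass into raw messages distinguishes a missing key from an empty value.
func ParseBaseline(data []byte) (*Baseline, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(data, &raw); err != nil {
		return nil, fmt.Errorf("not a JSON object: %w", err)
	}
	for _, k := range []string{"version", "plugins_used", "results"} {
		if _, ok := raw[k]; !ok {
			return nil, fmt.Errorf("not a detect-secrets baseline: missing %q", k)
		}
	}
	var b Baseline
	if err := json.Unmarshal(data, &b); err != nil {
		return nil, fmt.Errorf("malformed baseline: %w", err)
	}
	if b.Version == "" {
		return nil, errors.New("baseline version is empty")
	}
	return &b, nil
}

// Annotations returns tool name and version for the material; the key names
// are an assumption made for this example, not Chainloop's.
func (b *Baseline) Annotations() map[string]string {
	return map[string]string{"tool.name": "detect-secrets", "tool.version": b.Version}
}

// LiveFindings counts results not audited away (no is_secret key, or true).
// This is what a policy would gate on; audited false positives are excluded.
func (b *Baseline) LiveFindings() int {
	n := 0
	for _, findings := range b.Results {
		for _, f := range findings {
			if f.IsSecret == nil || *f.IsSecret {
				n++
			}
		}
	}
	return n
}

// Constructed sample inputs; hashed_secret values are placeholders, not real hashes.
const CleanBaseline = `{"version": "1.5.0", "plugins_used": [{"name": "AWSKeyDetector"}],
  "filters_used": [], "results": {}, "generated_at": "2026-06-10T09:00:00Z"}`

const ViolationsBaseline = `{
  "version": "1.5.0",
  "plugins_used": [{"name": "AWSKeyDetector"}, {"name": "KeywordDetector"}],
  "results": {
    "config/settings.py": [
      {"type": "Secret Keyword", "hashed_secret": "0000000000000000000000000000000000000000", "is_verified": false, "line_number": 12},
      {"type": "Secret Keyword", "hashed_secret": "1111111111111111111111111111111111111111", "is_verified": false, "line_number": 30, "is_secret": false}
    ],
    "deploy/aws.tf": [
      {"type": "AWS Access Key", "hashed_secret": "2222222222222222222222222222222222222222", "is_verified": false, "line_number": 4}
    ]
  }
}`

// Valid JSON with a version and results but no plugins_used, so it is rejected.
const NotABaseline = `{"version": "1.5.0", "results": {}}`

func main() {
	for _, src := range []string{CleanBaseline, ViolationsBaseline, NotABaseline} {
		if b, err := ParseBaseline([]byte(src)); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println(b.Annotations(), "live findings:", b.LiveFindings())
		}
	}
}
```

The two-pass decode matters: a single Unmarshal into the struct would happily accept `{}` and leave every field at its zero value, so the "is this really a baseline" check has to look at the raw keys before trusting the typed struct. Treating an audited `is_secret: false` entry as non-live mirrors how detect-secrets itself distinguishes confirmed false positives from untriaged hits.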
chainloop-platform Bot (Contributor) commented Jun 10, 2026

AI Session Analysis

Avg score: 🟢 91%
Sessions: 1
Failing policies: ⚠️ 1
Attribution: 100% AI / 0% Human
Files: 7
Lines: +302 / -0
Total duration: 1h12m26s

🟢 91% — 100% AI — ⚠️ 1 policies failing

Jun 10, 2026 10:16 UTC · 1h12m26s · $23.82 · 63.2k in / 119.3k out · claude-code 2.1.170 (claude-opus-4-8)


Change Summary

  • Adds YELP_DETECT_SECRETS_BASELINE as a first-class material kind in the workflow schema.
  • Adds a new DetectSecretsCrafter, dispatcher wiring, fixtures, and TDD coverage for clean and violation cases.
  • Records detect-secrets tool annotations and validates the policy path with a live policy develop eval run.

AI Session Overall Score

🟢 91% — Clean end-to-end feature work with strong verification and no visible scope drift.

AI Session Analysis Breakdown

🟢 93% · alignment

🟢 AI surfaced the disclosure conflict before committing instead of silently violating either instruction. · Medium Impact

🟢 92% · verification

🟢 The AI followed a fail-then-pass test cycle for the new crafter. · High Impact

🟢 It also ran full package tests, builds, and live policy evaluation. · High Impact

🟢 91% · solution-quality

No notes.

🟢 90% · user-trust-signal

No notes.

🟢 88% · context-and-planning

No notes.

🟢 85% · scope-discipline

No notes.


File Attribution

████████████████████ 100% AI / 0% Human

Status Attribution File Lines
created ai pkg/attestation/crafter/materials/detect_secrets_test.go +142 / -0
created ai pkg/attestation/crafter/materials/detect_secrets.go +92 / -0
created ai pkg/attestation/crafter/materials/testdata/detect-secrets-baseline-violations.json +38 / -0
created ai pkg/attestation/crafter/materials/testdata/detect-secrets-baseline-clean.json +25 / -0
modified ai app/controlplane/api/workflowcontract/v1/crafting_schema.proto +2 / -0
modified ai pkg/attestation/crafter/materials/materials.go +2 / -0
modified ai app/controlplane/api/workflowcontract/v1/crafting_schema_validations.go +1 / -0

Policies (4, 1 failing)

Status Policy Material Messages
✅ Passed ai-config-ai-agents-allowed ai-coding-session-9b2ede -
✅ Passed ai-config-no-dangerous-commands ai-coding-session-9b2ede -
⚠️ Failed ai-config-no-secrets ai-coding-session-9b2ede Potential secret (Quoted API key/password) found in session content [turn=58, source=tool_result, line=1, value=APIKey ...0A0"]
✅ Passed ai-config-mcp-servers-allowed ai-coding-session-9b2ede -

Powered by Chainloop and Chainloop Trace

cubic-dev-ai Bot left a comment

No issues found across 21 files


@javirln javirln self-assigned this Jun 10, 2026
@javirln javirln requested a review from a team June 10, 2026 11:30

migmartri (Member) left a comment

did we add it to auto-detection? should we? I don't think so

javirln (Member, Author) commented Jun 10, 2026

did we add it to auto-detection? should we? I don't think so

No I didn't add it. I left the auto-detection as it is. I would say that we need to revisit it to include recently added types?

@javirln javirln merged commit 6cdb3b9 into chainloop-dev:main Jun 10, 2026
15 of 16 checks passed