feat: add Yelp detect-secrets baseline as a material type #3181
Adds the YELP_DETECT_SECRETS_BASELINE material type so detect-secrets baseline files can be attested as a first-class evidence type. The crafter validates the baseline structure (version, plugins_used and results fields) and records the tool name and version as material annotations, which are available to the policy engine at evaluation time.

Assisted-by: Claude Code
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
Chainloop-Trace-Sessions: 9b2ede11-4681-46dc-bf3c-e7b9a8bc7e3f
AI Session Analysis
| Status | Attribution | File | Lines |
|---|---|---|---|
| created | ai | pkg/attestation/crafter/materials/detect_secrets_test.go | +142 / -0 |
| created | ai | pkg/attestation/crafter/materials/detect_secrets.go | +92 / -0 |
| created | ai | pkg/attestation/crafter/materials/testdata/detect-secrets-baseline-violations.json | +38 / -0 |
| created | ai | pkg/attestation/crafter/materials/testdata/detect-secrets-baseline-clean.json | +25 / -0 |
| modified | ai | app/controlplane/api/workflowcontract/v1/crafting_schema.proto | +2 / -0 |
| modified | ai | pkg/attestation/crafter/materials/materials.go | +2 / -0 |
| modified | ai | app/controlplane/api/workflowcontract/v1/crafting_schema_validations.go | +1 / -0 |
Policies (4, 1 failing)

| Status | Policy | Material | Messages |
|---|---|---|---|
| ✅ Passed | ai-config-ai-agents-allowed | ai-coding-session-9b2ede | - |
| ✅ Passed | ai-config-no-dangerous-commands | ai-coding-session-9b2ede | - |
| ❌ Failed | ai-config-no-secrets | ai-coding-session-9b2ede | Potential secret (Quoted API key/password) found in session content [turn=58, source=tool_result, line=1, value=APIKey ...0A0"] |
| ✅ Passed | ai-config-mcp-servers-allowed | ai-coding-session-9b2ede | - |
migmartri left a comment:
Did we add it to auto-detection? Should we? I don't think so.
No, I didn't add it. I left the auto-detection as it is. I would say that we need to revisit it to include recently added types?
Description

Adds support for Yelp detect-secrets as a first-class material type via the new `YELP_DETECT_SECRETS_BASELINE` kind. Users can now attest detect-secrets baseline files as a dedicated evidence type. The crafter validates that the input is a genuine detect-secrets baseline (presence of the `version`, `plugins_used` and `results` fields) and records the tool name and version as material annotations, which the policy engine can read at evaluation time.

AI assistance disclosure

This contribution was produced with AI assistance (Claude Code), as disclosed in the commit `Assisted-by:` trailer.
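As an added illustration of the validation the description outlines (not code from this PR or the Chainloop repository), the Go function below accepts only a JSON object carrying the `version`, `plugins_used` and `results` keys and returns the tool name and version as annotations; the function name, the annotation keys and the sample baseline are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// sampleBaseline is a constructed Yelp detect-secrets baseline (not the PR's testdata).
const sampleBaseline = `{
  "version": "1.5.0",
  "plugins_used": [{"name": "AWSKeyDetector"}, {"name": "KeywordDetector"}],
  "results": {"config/app.yaml": [{"type": "Secret Keyword", "filename": "config/app.yaml",
    "hashed_secret": "0000000000000000000000000000000000000000", "is_verified": false, "line_number": 12}]}
}`

// validateDetectSecretsBaseline mirrors the check the PR describes: the material must be a
// JSON object carrying the version, plugins_used and results keys. On success it returns the
// tool name and version as annotations. Function name and annotation keys are hypothetical.
func validateDetectSecretsBaseline(raw []byte) (map[string]string, error) {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(raw, &top); err != nil {
		return nil, fmt.Errorf("material is not a JSON object: %w", err)
	}
	var missing []string
	for _, key := range []string{"version", "plugins_used", "results"} {
		if _, ok := top[key]; !ok {
			missing = append(missing, key)
		}
	}
	if len(missing) > 0 {
		return nil, fmt.Errorf("not a detect-secrets baseline: missing %s", strings.Join(missing, ", "))
	}
	// version must be a non-empty string; a JSON null unmarshals to "" without an error.
	var version string
	if err := json.Unmarshal(top["version"], &version); err != nil || version == "" {
		return nil, errors.New("detect-secrets baseline has a non-string or empty version")
	}
	return map[string]string{"tool.name": "detect-secrets", "tool.version": version}, nil
}

func main() {
	ann, err := validateDetectSecretsBaseline([]byte(sampleBaseline))
	fmt.Println(ann, err) // map[tool.name:detect-secrets tool.version:1.5.0] <nil>
	_, err = validateDetectSecretsBaseline([]byte(`{"findings": []}`)) // output of some other scanner
	fmt.Println(err)
}
```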