{"id":41353621,"url":"https://github.com/lvlcn-t/secret-detection-operator","last_synced_at":"2026-01-23T07:29:10.147Z","repository":{"id":275369360,"uuid":"925884522","full_name":"lvlcn-t/secret-detection-operator","owner":"lvlcn-t","description":"🔍 Detects hardcoded secrets in ConfigMaps and auto-remediates them via Kubernetes-native resources.","archived":false,"fork":false,"pushed_at":"2025-08-25T16:14:05.000Z","size":339,"stargazers_count":3,"open_issues_count":2,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-08-25T16:26:24.437Z","etag":null,"topics":["kubernetes","operator","secrets","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lvlcn-t.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-02-02T01:07:13.000Z","updated_at":"2025-08-25T14:27:33.000Z","dependencies_parsed_at":null,"dependency_job_id":"c4cbac53-8f2a-4f87-a8aa-927001db8d84","html_url":"https://github.com/lvlcn-t/secret-detection-operator","commit_stats":null,"previous_names":["lvlcn-t/secret-detection-operator"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/lvlcn-t/secret-detection-operator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lvlcn-t%2Fsecret-detection-operator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lvlcn-t%2Fsecret-detection-operator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lvlcn-t%2Fsecret-detection-operator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lvlcn-t%2Fsecret-detection-operator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lvlcn-t","download_url":"https://codeload.github.com/lvlcn-t/secret-detection-operator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lvlcn-t%2Fsecret-detection-operator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28683311,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-23T05:48:07.525Z","status":"ssl_error","status_checked_at":"2026-01-23T05:48:07.129Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubernetes","operator","secrets","security"],"created_at":"2026-01-23T07:29:09.014Z","updated_at":"2026-01-23T07:29:10.131Z","avatar_url":"https://github.com/lvlcn-t.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🔐 Secret Detection Operator\u003c!-- omit from toc --\u003e\n\n\u003cp align=\"center\"\u003e\n    \u003ca href=\"/../../commits/\" title=\"Last Commit\"\u003e\u003cimg alt=\"Last Commit\" src=\"https://img.shields.io/github/last-commit/lvlcn-t/secret-detection-operator?style=flat\"\u003e\u003c/a\u003e\n    \u003ca href=\"/../../issues\" title=\"Open Issues\"\u003e\u003cimg alt=\"Open Issues\" src=\"https://img.shields.io/github/issues/lvlcn-t/secret-detection-operator?style=flat\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n- [📖 Overview](#-overview)\n- [🚀 Quick Installation](#-quick-installation)\n  - [Kustomize](#kustomize)\n  - [Helm](#helm)\n- [🛠️ How it Works](#️-how-it-works)\n- [🛡️ Configuration with ScanPolicy](#️-configuration-with-scanpolicy)\n  - [Example ScanPolicy](#example-scanpolicy)\n  - [Default Settings](#default-settings)\n- [📌 Example Usage](#-example-usage)\n- [📊 Metrics](#-metrics)\n- [📃 Code of Conduct](#-code-of-conduct)\n- [📞 Support and Feedback](#-support-and-feedback)\n- [🧑‍💻 How to Contribute](#-how-to-contribute)\n- [🪪 Licensing](#-licensing)\n\n---\n\n## 📖 Overview\n\nThe **Secret Detection Operator** scans your Kubernetes ConfigMaps for sensitive data such as passwords or tokens. It can automatically remediate detected secrets by migrating them into secure Kubernetes Secret resources, or simply report them for manual action.\n\nIt leverages customizable policies (`ScanPolicy`) to tailor secret handling across namespaces, ensuring sensitive data remains secure and compliant with your organization's standards.\n\n---\n\n## 🚀 Quick Installation\n\nYou can deploy the operator quickly using either Kustomize or Helm.\n\n### Kustomize\n\nApply the latest configuration directly:\n\n```shell\nkubectl apply -k \"github.com/lvlcn-t/secret-detection-operator/config/default?ref=main\"\n```\n\n### Helm\n\nInstall via Helm chart:\n\n```shell\nVERSION=\"0.1.0\"\n\nhelm upgrade -i secret-detection-operator \\\n  oci://ghcr.io/lvlcn-t/charts/secret-detection-operator \\\n  --version $VERSION \\\n  --namespace secret-detection-system \\\n  --create-namespace\n```\n\n---\n\n## 🛠️ How it Works\n\nThe operator:\n\n1. Scans ConfigMaps across your cluster for secret-like data.\n2. Reports findings via the `ExposedSecret` custom resource.\n3. Remediates detected secrets automatically based on your configuration, moving sensitive values to secure Kubernetes Secrets.\n\nYou can define specific behaviors for reporting and remediation through customizable policies (`ScanPolicy`).\n\n---\n\n## 🛡️ Configuration with ScanPolicy\n\n`ScanPolicy` resources configure detection and remediation behaviors per namespace:\n\n- **Default Action:**\n  - `ReportOnly`: Logs detections without modifying ConfigMaps (default).\n  - `AutoRemediate`: Moves secrets to Kubernetes Secrets and optionally removes them from ConfigMaps.\n  - `Ignore`: Completely ignores detections.\n\n- **Severity Threshold:** Only secrets at or above this severity (`Low`, `Medium`, `High`, `Critical`) will trigger actions.\n\n- **Excluded Keys:** Ignore specific keys to avoid false positives.\n\n- **ConfigMap Mutation:** Optionally remove secret keys after migrating them.\n\n- **Scanner Engine:** Currently only `Gitleaks` is supported, but more engines may be added in the future.\n\n- **Hash Algorithm:** Select how detected secrets are reported (`sha256`, `sha512`, or `none`). Note that `none` will report the raw value in `base64` format, which may not be secure.\n\n### Example ScanPolicy\n\n```yaml\napiVersion: secretdetection.lvlcn-t.dev/v1alpha1\nkind: ScanPolicy\nmetadata:\n  name: default-policy\n  namespace: default\nspec:\n  action: AutoRemediate\n  minSeverity: Medium\n  excludedKeys:\n    - non-secret-token\n    - dummy-password\n  enableConfigMapMutation: true\n  scanner: Gitleaks\n  hashAlgorithm: sha256\n```\n\n### Default Settings\n\nThe operator will automatically use a default `ScanPolicy` if no configuration is provided. This policy applies to all namespaces unless overridden by a specific `ScanPolicy` in that namespace.\n\nThe default settings are as follows:\n\n```yaml\napiVersion: secretdetection.lvlcn-t.dev/v1alpha1\nkind: ScanPolicy\nmetadata:\n  name: default-policy\nspec:\n  action: ReportOnly\n  minSeverity: Medium\n  excludedKeys: []\n  enableConfigMapMutation: false\n  scanner: Gitleaks\n  hashAlgorithm: none\n```\n\nYou can customize this default policy by setting the `defaultScanPolicy` field in the operator's configuration.\n\n---\n\n## 📌 Example Usage\n\nWhen a secret-like value is detected in a ConfigMap, an `ExposedSecret` resource is created:\n\n```yaml\napiVersion: secretdetection.lvlcn-t.dev/v1alpha1\nkind: ExposedSecret\nmetadata:\n  name: example-config-map-example-key\n  namespace: default\nspec:\n  action: ReportOnly\n  severity: Critical\n  notes: Automatically reported by secret-detection-operator\nstatus:\n  ConfigMapRef:\n    Name: example-config-map\n  Key: example-key\n  Scanner: Gitleaks\n  DetectedValue: sha256:\u003chash\u003e\n  Phase: Detected\n  Message: Secret detected in ConfigMap 'example-config-map' for key 'example-key'\n  LastUpdateTime: \"2024-01-01T00:00:00Z\"\n  ObservedGeneration: 1\n```\n\nUpon remediation, the secret value is safely stored in a Kubernetes Secret and the ExposedSecret updated accordingly:\n\n```yaml\napiVersion: secretdetection.lvlcn-t.dev/v1alpha1\nkind: ExposedSecret\nmetadata:\n  name: example-config-map-example-key\n  namespace: default\nspec:\n  action: AutoRemediate\n  severity: Critical\n  notes: Automatically reported by secret-detection-operator\nstatus:\n  ConfigMapRef:\n    Name: example-config-map\n  Key: example-key\n  Scanner: Gitleaks\n  DetectedValue: sha256:\u003chash\u003e\n  SecretRef:\n    Name: example-config-map-example-key\n  Phase: Remediated\n  Message: Secret auto-remediated from ConfigMap 'example-config-map' for key 'example-key'\n  LastUpdateTime: \"2024-01-01T00:00:00Z\"\n  ObservedGeneration: 2\n```\n\n## 📊 Metrics\n\nThe Secret Detection Operator exports the following custom Prometheus metrics to help you monitor its performance and behavior:\n\n| Metric Name                  | Type      | Labels                  | Description                                                                                                                      |\n| ---------------------------- | --------- | ----------------------- | -------------------------------------------------------------------------------------------------------------------------------- |\n| `configmap_reconciles_total` | Counter   | `namespace`             | Total number of ConfigMap reconcile loops executed.                                                                              |\n| `reconcile_duration_seconds` | Histogram | `namespace`             | Duration (seconds) of each reconcile loop.                                                                                       |\n| `keys_scanned`               | Histogram | `namespace`             | Number of data keys examined in each ConfigMap.                                                                                  |\n| `secrets_detected_total`     | Counter   | `namespace`, `severity` | Total secrets detected, broken down by severity (`Unknown`, `Low`, `Medium`, `High`, `Critical`).                                |\n| `secrets_remediated_total`   | Counter   | `namespace`             | Total secrets automatically remediated (migrated into Secrets).                                                                  |\n| `configmaps_mutated_total`   | Counter   | `namespace`             | Total ConfigMaps that were mutated to remove secret keys.                                                                        |\n| `reconcile_errors_total`     | Counter   | `namespace`, `stage`    | Total errors during reconciliation, labeled by stage:\u003cbr\u003e`load_policy`, `get_configmap`, `process_key`, `remediate_secret`, etc. |\n\n## 📃 Code of Conduct\n\nThis project has adopted the [Contributor Covenant](https://www.contributor-covenant.org/) in version 2.1 as our code of\nconduct. Please see the details in our [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md). All contributors must abide by the code\nof conduct.\n\n## 📞 Support and Feedback\n\nThe following channels are available for discussions, feedback, and support requests:\n\n| Type       | Channel                                                                                                                                     |\n| ---------- | ------------------------------------------------------------------------------------------------------------------------------------------- |\n| **Issues** | [![General Discussion](https://img.shields.io/github/issues/lvlcn-t/secret-detection-operator?style=flat-square)](/../../issues/new/choose) |\n\n## 🧑‍💻 How to Contribute\n\nContribution and feedback is encouraged and always welcome. For more information about how to contribute, the project\nstructure, as well as additional contribution information, see our [Contribution Guidelines](./CONTRIBUTING.md). By\nparticipating in this project, you agree to abide by its [Code of Conduct](./CODE_OF_CONDUCT.md) at all times.\n\n## 🪪 Licensing\n\nCopyright (c) 2025 lvlcn-t.\n\nLicensed under the **MIT** (the \"License\"); you may not use this file except in compliance with\nthe License.\n\nYou may obtain a copy of the License at \u003chttps://www.mit.edu/~amini/LICENSE.md\u003e.\n\nUnless required by applicable law or agreed to in writing, software distributed under the License is distributed on an \"\nAS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the [LICENSE](./LICENSE) for\nthe specific language governing permissions and limitations under the License.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flvlcn-t%2Fsecret-detection-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flvlcn-t%2Fsecret-detection-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flvlcn-t%2Fsecret-detection-operator/lists"}