CAP-003 — gitleaks-style secret scanner used by the post-generation
validation stage to reject AI-generated Playwright tests that embed
credentials harvested during crawl (Authorization headers, API keys,
JWTs, AWS access keys). Findings are always redacted before surfacing —
the raw match value is never echoed back into the issues list or
persisted on the test record.
Built-in detectors cover AWS access key IDs, JWTs, and Bearer tokens.
Additional rules are loaded best-effort from the repo's existing
.github/.gitleaks.toml so the CI ruleset is reused.
Methods
(static) loadSecretRules() → {Array.<{id: string, description: string, regex: RegExp}>}
Load and cache the active secret-detection ruleset.
Returns the merged list of DEFAULT_RULES plus any custom rules parsed
best-effort from .github/.gitleaks.toml. Result is memoised in
module-level cachedRules for the lifetime of the process — config
changes require a server restart.
Returns:
- Type: Array.<{id: string, description: string, regex: RegExp}>
(static) scanForSecrets(code) → {Array.<{ruleId: string, description: string, match: string, message: string}>}
Scan a string of generated Playwright code for credential-like tokens.
Runs every active rule against the input and returns a redacted
findings array ({ ruleId, description, match, message }). All
occurrences of every rule are emitted so reviewers see the full set
of leaked credentials, not just the first match. Empty / non-string
input returns an empty array.
Parameters:
| Name | Type | Description |
|---|---|---|
| code | string | Generated Playwright source to scan. |
Returns:
- Type: Array.<{ruleId: string, description: string, match: string, message: string}>
(inner) redact(value) → {string}
Redact a matched secret value so it can be safely surfaced in logs,
issue strings, and persisted finding records. Values longer than 8
characters are shortened to <first4>…<last4>; shorter values are
fully replaced with [REDACTED]. The raw value never crosses the
scanner boundary.
Parameters:
| Name | Type | Description |
|---|---|---|
| value | string | Raw matched secret. |
Returns:
- Redacted, display-safe representation.
- Type: string
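The scanForSecrets and redact contracts above, as an added example that is not the project's own source: the three rule regexes, the validateGeneratedTest gate and the sample test text are assumptions, and loading of .github/.gitleaks.toml is omitted.

```javascript
// Added example, not the project's own source: a minimal redact / scanForSecrets
// pair implementing the behaviour documented above. The rule regexes and the
// validateGeneratedTest helper are assumptions; .gitleaks.toml loading is omitted.
const DEFAULT_RULES = [
  { id: 'aws-access-key-id', description: 'AWS access key ID',
    regex: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { id: 'jwt', description: 'JSON Web Token',
    regex: /\beyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\b/g },
  { id: 'bearer-token', description: 'Bearer token',
    regex: /\bBearer\s+([A-Za-z0-9._~+\/-]{16,}=*)/g },
];

// Display-safe form: <first4>…<last4> when longer than 8 chars, else [REDACTED].
function redact(value) {
  if (typeof value !== 'string' || value.length <= 8) return '[REDACTED]';
  return `${value.slice(0, 4)}…${value.slice(-4)}`;
}

// Every occurrence of every rule is reported; the raw match never leaves here.
function scanForSecrets(code, rules = DEFAULT_RULES) {
  if (typeof code !== 'string' || code.length === 0) return [];
  const findings = [];
  for (const rule of rules) {
    // Fresh RegExp per scan so no lastIndex state carries over between calls.
    const flags = rule.regex.flags.includes('g') ? rule.regex.flags : `${rule.regex.flags}g`;
    const re = new RegExp(rule.regex.source, flags);
    for (const m of code.matchAll(re)) {
      const match = redact(m[1] ?? m[0]); // prefer the capture group (token only)
      findings.push({ ruleId: rule.id, description: rule.description, match,
        message: `${rule.description} found in generated test: ${match}` });
    }
  }
  return findings;
}

// Validation-stage gate (assumed shape): reject the test if anything was found.
function validateGeneratedTest(code) {
  const findings = scanForSecrets(code);
  return { ok: findings.length === 0, issues: findings.map((f) => f.message) };
}

// Constructed sample of an AI-generated test that echoed crawl credentials.
const SAMPLE_TEST = [
  "await page.setExtraHTTPHeaders({ Authorization: 'Bearer abcdefghijklmnopqrstuvwxyz012345' });",
  "const s3 = new S3({ accessKeyId: 'AKIAEXAMPLEKEY000001' });",
  "await context.addCookies([{ name: 'session', value: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJlc2lnbmF0dXJl' }]);",
].join('\n');
```

Running validateGeneratedTest(SAMPLE_TEST) yields ok: false with three issue strings, none of which contains a raw token.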