Merge pull request #4 from epilande/secrets

feat: Add Automatic Secret Detection and Redaction

Author: epilande

README.md

@@ -29,6 +29,7 @@ to your clipboard, ready for LLM processing.
 - 📋 **Clipboard Integration**: Copy content or output file directly to your clipboard
 - 🌲 **Directory Tree View**: Display a tree-style view of your project structure
 - 🧮 **Token Estimation**: Get estimated token count for LLM context windows
+- 🛡️ **Secret Detection & Redaction**: Uses [gitleaks](https://github.com/gitleaks/gitleaks) to identify potential secrets and prevent sharing sensitive information
 
 ## 📦 Installation
 
@@ -98,6 +99,8 @@ grab [options] [directory]
 | `-t, --temp`            | Use system temporary directory for output file                                          |
 | `-g, --glob pattern`    | Include/exclude files and directories (e.g., `--glob="*.{ts,tsx}" --glob="!*.spec.ts"`) |
 | `-f, --format format`   | Output format (available: markdown, text, xml)                                          |
+| `-S, --skip-redaction`  | Skip automatic secret redaction (WARNING: This may expose sensitive information)        |
+|                         |
 | `--theme`               | Set the UI theme                                                                        |
 
 ### 📖 Examples
@@ -169,12 +172,13 @@ grab [options] [directory]
 
 ### Selection & Output
 
-| Action               | Key                                | Description                                                  |
-| :------------------- | :--------------------------------- | :----------------------------------------------------------- |
-| Select/deselect item | <kbd>tab</kbd> or <kbd>space</kbd> | Toggle selection of the current file or directory            |
-| Copy to clipboard    | <kbd>y</kbd>                       | Copy the generated output to clipboard                       |
-| Generate output file | <kbd>g</kbd>                       | Generate the output file with selected content               |
-| Cycle output formats | <kbd>F</kbd>                       | Cycle through available output formats (markdown, text, xml) |
+| Action                  | Key                                | Description                                                  |
+| :---------------------- | :--------------------------------- | :----------------------------------------------------------- |
+| Select/deselect item    | <kbd>tab</kbd> or <kbd>space</kbd> | Toggle selection of the current file or directory            |
+| Copy to clipboard       | <kbd>y</kbd>                       | Copy the generated output to clipboard                       |
+| Generate output file    | <kbd>g</kbd>                       | Generate the output file with selected content               |
+| Cycle output formats    | <kbd>F</kbd>                       | Cycle through available output formats (markdown, text, xml) |
+| Toggle Secret Redaction | <kbd>S</kbd>                       | Enable/disable automatic secret redaction (Default: On)      |
 
 ### View Options
 
@@ -185,6 +189,14 @@ grab [options] [directory]
 | Toggle help screen         | <kbd>?</kbd> | Show or hide the help screen                      |
 | Quit                       | <kbd>q</kbd> | Exit the application                              |
 
+## 🛡️ Secret Detection & Redaction
+
+CodeGrab automatically scans the content of selected files for potential secrets using [gitleaks](https://github.com/gitleaks/gitleaks) with its default rules. This helps prevent accidental exposure of sensitive credentials like API keys, private tokens, and passwords.
+
+- **Enabled by Default**: Secret scanning and redaction are active unless explicitly disabled.
+- **Redaction Format**: Detected secrets are replaced with `[REDACTED_RuleID]`, where `RuleID` indicates the type of secret found (e.g., `[REDACTED_generic-api-key]`).
+- **Skipping Redaction**: You can disable this feature using the `-S` / `--skip-redaction` flag when running the command, or by pressing `S` in the interactive TUI. Use this option with caution, as it may expose sensitive information in the output.
+
 ## 🎨 Themes
 
 CodeGrab comes with several built-in themes:

cmd/grab/main.go

@@ -39,6 +39,7 @@ func main() {
 	var useTempFile bool
 	var themeName string
 	var formatName string
+	var skipRedaction bool
 
 	flag.BoolVar(&showHelp, "help", false, "Display help information")
 	flag.BoolVar(&showHelp, "h", false, "Display help information (shorthand)")
@@ -67,6 +68,9 @@ func main() {
 	flag.StringVar(&formatName, "format", "markdown", formatUsage)
 	flag.StringVar(&formatName, "f", "markdown", formatUsage+" (shorthand)")
 
+	flag.BoolVar(&skipRedaction, "skip-redaction", false, "Skip automatic secret redaction (WARNING: this may expose secrets)")
+	flag.BoolVar(&skipRedaction, "S", false, "Skip automatic secret redaction (shorthand)")
+
 	flag.Parse()
 
 	if showHelp {
@@ -111,14 +115,15 @@ func main() {
 	}
 
 	if nonInteractive {
-		runNonInteractive(root, filterMgr, outputPath, useTempFile, formatName)
+		runNonInteractive(root, filterMgr, outputPath, useTempFile, formatName, skipRedaction)
 	} else {
 		config := model.Config{
-			RootPath:    root,
-			FilterMgr:   filterMgr,
-			OutputPath:  outputPath,
-			UseTempFile: useTempFile,
-			Format:      formatName,
+			RootPath:      root,
+			FilterMgr:     filterMgr,
+			OutputPath:    outputPath,
+			UseTempFile:   useTempFile,
+			Format:        formatName,
+			SkipRedaction: skipRedaction,
 		}
 
 		m := model.NewModel(config)
@@ -131,7 +136,7 @@ func main() {
 }
 
 // runNonInteractive processes files and generates output without user interaction
-func runNonInteractive(rootPath string, filterMgr *filesystem.FilterManager, outputPath string, useTempFile bool, formatName string) {
+func runNonInteractive(rootPath string, filterMgr *filesystem.FilterManager, outputPath string, useTempFile bool, formatName string, skipRedaction bool) {
 	gitIgnoreMgr, err := filesystem.NewGitIgnoreManager(rootPath)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Error reading .gitignore: %v\n", err)
@@ -146,6 +151,7 @@ func runNonInteractive(rootPath string, filterMgr *filesystem.FilterManager, out
 	gen := generator.NewGenerator(rootPath, gitIgnoreMgr, filterMgr, outputPath, useTempFile)
 	format := formats.GetFormat(formatName)
 	gen.SetFormat(format)
+	gen.SetRedactionMode(!skipRedaction)
 
 	// Automatically select all non-directory files
 	selectedFiles := make(map[string]bool)
@@ -157,10 +163,16 @@ func runNonInteractive(rootPath string, filterMgr *filesystem.FilterManager, out
 
 	gen.SelectedFiles = selectedFiles
 
-	outputFilePath, tokenCount, err := gen.Generate()
+	outputFilePath, tokenCount, secretCount, err := gen.Generate()
 	if err != nil {
 		log.Fatalf("Error generating output: %v\n", err)
 	}
 
-	fmt.Printf("✅ %s generated: %s (%d tokens)\n", formatName, outputFilePath, tokenCount)
+	fmt.Printf("✅ Generated %s (%d tokens)\n", outputFilePath, tokenCount)
+
+	if secretCount > 0 && skipRedaction {
+		fmt.Fprintf(os.Stderr, "⚠️ WARNING: %d secrets detected in the output and redaction was skipped!\n", secretCount)
+	} else if secretCount > 0 && !skipRedaction {
+		fmt.Fprintf(os.Stderr, "ℹ️ INFO: %d secrets detected and redacted in the output.\n", secretCount)
+	}
 }

go.mod

@@ -8,22 +8,61 @@ require (
 	github.com/charmbracelet/bubbletea v1.2.4
 	github.com/charmbracelet/lipgloss v1.0.0
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06
+	github.com/zricethezav/gitleaks/v8 v8.24.2
 )
 
 require (
+	dario.cat/mergo v1.0.1 // indirect
+	github.com/BobuSumisu/aho-corasick v1.0.3 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.3.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/charmbracelet/x/ansi v0.4.5 // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
+	github.com/fatih/semgroup v1.2.0 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/gitleaks/go-gitdiff v0.9.1 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/h2non/filetype v1.1.3 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/magiconair/properties v1.8.9 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.15.2 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
-	golang.org/x/sync v0.9.0 // indirect
-	golang.org/x/sys v0.27.0 // indirect
-	golang.org/x/text v0.3.8 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
+	github.com/rs/zerolog v1.33.0 // indirect
+	github.com/sagikazarmark/locafero v0.7.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.12.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/viper v1.19.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	github.com/tetratelabs/wazero v1.9.0 // indirect
+	github.com/wasilibs/go-re2 v1.9.0 // indirect
+	github.com/wasilibs/wazero-helpers v0.0.0-20240620070341-3dff1577cd52 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/crypto v0.35.0 // indirect
+	golang.org/x/exp v0.0.0-20250218142911-aa4b98e5adaa // indirect
+	golang.org/x/sync v0.11.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
+	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )