qa-secrets

Adversarial unifier of multi-scanner secrets output (gitleaks + TruffleHog + Kingfisher). Reads each scanner's JSON report; deduplicates by `(file, line, secret-class)` recording all scanners that flagged each finding (consensus signal); enforces `.secrets-waivers.yaml` waivers that require `expires:` + `approved_by:` + `reason:` (rejects malformed or expired waivers); classifies findings as Verified / Unverified / Inconclusive; emits a verdict table + BLOCK/PASS. Refuses to mark a PR pass if any unwaived verified finding remains. Use when any subset of the three scanner skills runs in CI and needs a single PR-ready gate. Use proactively after the qa-secrets plugin runs in a pipeline to combine scanner outputs into one actionable decision.

Configures and runs gitleaks - Go-based secret scanner with `gitleaks git` (scan local git via `git log -p`), `gitleaks dir` (filesystem), `gitleaks stdin` (pipe); 100+ built-in rules + custom rules in `.gitleaks.toml` ([[rules]] with regex / entropy / keywords / tags); allowlist via [[rules.allowlists]] (commits / paths / stopwords); pre-commit hook + GitHub Action integration; baseline file for legacy debt. Use when the team needs OSS secret scanning at commit time + CI gate.

Configures and runs Kingfisher - MongoDB-built Rust-based secret scanner combining Intel Hyperscan regex engine with language-aware parsing; ships 950 built-in detection rules with **live secret validation** and offline checksum verification; multi-target (local files / Git history / GitHub / GitLab / AWS S3 / Docker images); browser-based report viewer; suppression via `--skip-regex` / `--skip-word` / `--baseline-file` / inline `kingfisher:ignore`. Use when the team needs the broadest rule coverage + Hyperscan performance, or wants the modern alternative to gitleaks/trufflehog.

Builds and maintains a unified secrets baseline/allowlist across gitleaks (.gitleaksignore + --baseline-path), TruffleHog (--results=verified filter + trufflehog:ignore), and Kingfisher (--baseline-file + --exclude/--skip-* flags); adopts legacy findings without blocking PRs; enforces a waiver lifecycle (expires + approved_by + reason) stored in .secrets-waivers.yaml; prevents baseline rot via quarterly audit + expiry enforcement. Use when onboarding secrets scanning onto a repo that already has historical findings, or when per-scanner ignore configs have drifted out of sync and need consolidating into one governed allowlist.

Build-an-X for the secret-rotation workflow after detection - detect via gitleaks/trufflehog/kingfisher → identify provider via verifier → rotate via provider API (AWS IAM / GitHub PAT / Stripe / GCP / Azure / Twilio / Slack / etc.) → invalidate old secret → audit log via observability stack → post-mortem cross-ref. Use when a secret is detected in code (or proactively for periodic rotation) - assume git-history scrub does NOT prevent compromise.

Configures and runs TruffleHog v3 - secret scanner with **live verification** (validates discovered secrets against provider APIs to confirm actual exposure vs entropy false positive); supports per-source subcommands (`git`, `github`, `gitlab`, `filesystem`, `s3`, `docker`, `gcs`, `postman`); `--results=verified` filter for high-precision output; `--exclude-detectors=TYPE` for noise reduction; exits 183 on findings via `--fail`. Use when the team needs verified secret findings (low false-positive rate) or scans across cloud + repo + container surfaces.