High-performance secrets detection and redaction for MCP Gateway

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for jonpspri from gravatar.com jonpspri Avatar for lucarlig from gravatar.com lucarlig

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache-2.0
  • Author: ContextForge Contributors
  • Requires: Python >=3.11
Classifiers
Report project as malware

Project description

Secrets Detection (Rust)

High-performance secrets detection and redaction for ContextForge and MCP Gateway.

Features

  • Rust-owned recursive scanning for strings, dicts, lists, and MCP payload containers
  • Built-in detection for high-signal credential formats such as AWS access keys and Slack tokens
  • Optional redaction or hard blocking on detection
  • Hook coverage for prompt input, tool output, and fetched resource content
  • Opt-in broad patterns for lower-confidence generic token assignments
  • Structured findings metadata with redacted match previews

Build

make install

Usage

The plugin scans data at these hook points:

  • prompt_pre_fetch
  • tool_post_invoke
  • resource_post_fetch

Typical uses:

  • redact secrets before they leave the gateway
  • block tool or resource payloads that contain leaked credentials
  • add lightweight findings metadata for downstream auditing

Configuration

Key settings include:

  • redact: replace detected secret values in the payload
  • redaction_text: replacement string for detected values
  • block_on_detection: stop processing instead of modifying payloads
  • min_findings_to_block: threshold before hard blocking
  • enabled: enable optional lower-confidence detectors when needed

Detection Notes

  • High-signal built-in patterns are enabled by default.
  • Broader generic assignment-style patterns are opt-in to avoid noisy false positives.
  • Findings include secret type labels such as aws_access_key_id or slack_token.
  • Redaction preserves surrounding structure when possible, for example replacing only the secret value inside a larger assignment string.

Returned Metadata

When detections occur, the plugin can return metadata such as:

  • count
  • secrets_redacted

Blocking responses use the SECRETS_DETECTED violation code.

Testing

make ci

Security Notes

  • Default detectors are intentionally biased toward high-confidence secret formats.
  • Broad token-like patterns should only be enabled when your environment benefits from higher recall and can tolerate extra review.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for jonpspri from gravatar.com jonpspri Avatar for lucarlig from gravatar.com lucarlig

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache-2.0
  • Author: ContextForge Contributors
  • Requires: Python >=3.11
Classifiers

Release history Release notifications | RSS feed

0.2.0

This version

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cpex_secrets_detection-0.1.0.tar.gz (31.9 kB view details)

Uploaded Source

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

cpex_secrets_detection-0.1.0-cp311-abi3-win_amd64.whl (735.9 kB view details)

Uploaded CPython 3.11+Windows x86-64

cpex_secrets_detection-0.1.0-cp311-abi3-manylinux_2_34_x86_64.whl (815.0 kB view details)

Uploaded CPython 3.11+manylinux: glibc 2.34+ x86-64

cpex_secrets_detection-0.1.0-cp311-abi3-manylinux_2_34_s390x.whl (856.4 kB view details)

Uploaded CPython 3.11+manylinux: glibc 2.34+ s390x

cpex_secrets_detection-0.1.0-cp311-abi3-manylinux_2_34_ppc64le.whl (836.1 kB view details)

Uploaded CPython 3.11+manylinux: glibc 2.34+ ppc64le

cpex_secrets_detection-0.1.0-cp311-abi3-manylinux_2_34_aarch64.whl (759.7 kB view details)

Uploaded CPython 3.11+manylinux: glibc 2.34+ ARM64

cpex_secrets_detection-0.1.0-cp311-abi3-macosx_11_0_arm64.whl (716.2 kB view details)

Uploaded CPython 3.11+macOS 11.0+ ARM64

File details

Details for the file cpex_secrets_detection-0.1.0.tar.gz.

File metadata

  • Download URL: cpex_secrets_detection-0.1.0.tar.gz
  • Upload date:
  • Size: 31.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for cpex_secrets_detection-0.1.0.tar.gz
Algorithm Hash digest
SHA256 d2a12762f80bba8b4d4afbafb0850a9fa337b3a478a98a96d7ba2266913a1025
MD5 73171cd4a8566f45988281ce3d6da3f4
BLAKE2b-256 59e69bbedb5e2ebe74cf78124b6de710600d4b0fb15bd8b23c663833a4d9132f

See more details on using hashes here.

Provenance

The following attestation bundles were made for cpex_secrets_detection-0.1.0.tar.gz:

Publisher: release-rust-python-package.yaml on IBM/cpex-plugins

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cpex_secrets_detection-0.1.0-cp311-abi3-win_amd64.whl.

File metadata

File hashes

Hashes for cpex_secrets_detection-0.1.0-cp311-abi3-win_amd64.whl
Algorithm Hash digest
SHA256 f1046587fffa4af2b1b4b0fba60f95f0a0a1988064c7f838261a28433b71ceb6
MD5 5c8f6a11baf3b62a8aabbbb081fc7427
BLAKE2b-256 f3653e68f346860c14d66b551937955364920b42260597af17275de3d3786220

See more details on using hashes here.

Provenance

The following attestation bundles were made for cpex_secrets_detection-0.1.0-cp311-abi3-win_amd64.whl:

Publisher: release-rust-python-package.yaml on IBM/cpex-plugins

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cpex_secrets_detection-0.1.0-cp311-abi3-manylinux_2_34_x86_64.whl.

File metadata

File hashes

Hashes for cpex_secrets_detection-0.1.0-cp311-abi3-manylinux_2_34_x86_64.whl
Algorithm Hash digest
SHA256 4572a70bd0dd192c4acd7515ae793b0d81a31f58f9510e7218ee75539ee1baac
MD5 b35363188bf2edc7f84ee0bfa33d0197
BLAKE2b-256 b9b00b348d27b4eda710d0e5d9ce41e7d1e47c106d5e54e547df64487410105a

See more details on using hashes here.

Provenance

The following attestation bundles were made for cpex_secrets_detection-0.1.0-cp311-abi3-manylinux_2_34_x86_64.whl:

Publisher: release-rust-python-package.yaml on IBM/cpex-plugins

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cpex_secrets_detection-0.1.0-cp311-abi3-manylinux_2_34_s390x.whl.

File metadata

File hashes

Hashes for cpex_secrets_detection-0.1.0-cp311-abi3-manylinux_2_34_s390x.whl
Algorithm Hash digest
SHA256 edf9ff439b28f43543c5a12b23b34c33cf7c408b1aba9733f146eb6347b201d5
MD5 fc5d8a4abff5fb1e9ea5d492d6c12c87
BLAKE2b-256 3e341c14de69e7dd68c5638fb5ca0734a4ebc7bccc98ec4ff9390b03f8fd4185

See more details on using hashes here.

Provenance

The following attestation bundles were made for cpex_secrets_detection-0.1.0-cp311-abi3-manylinux_2_34_s390x.whl:

Publisher: release-rust-python-package.yaml on IBM/cpex-plugins

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cpex_secrets_detection-0.1.0-cp311-abi3-manylinux_2_34_ppc64le.whl.

File metadata

File hashes

Hashes for cpex_secrets_detection-0.1.0-cp311-abi3-manylinux_2_34_ppc64le.whl
Algorithm Hash digest
SHA256 2527cc33f28eb4449d092e2434855b2a95309f11de48de57b148123af1d4b118
MD5 ed43cce8549c73cf4103c5280f92f456
BLAKE2b-256 49a7ca20b6dfd91c7af810b10e91573e69f31dbe0737c6cbfb259b15a527e487

See more details on using hashes here.

Provenance

The following attestation bundles were made for cpex_secrets_detection-0.1.0-cp311-abi3-manylinux_2_34_ppc64le.whl:

Publisher: release-rust-python-package.yaml on IBM/cpex-plugins

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cpex_secrets_detection-0.1.0-cp311-abi3-manylinux_2_34_aarch64.whl.

File metadata

File hashes

Hashes for cpex_secrets_detection-0.1.0-cp311-abi3-manylinux_2_34_aarch64.whl
Algorithm Hash digest
SHA256 bad46b1602b8c476604edbe4eb42101fd5564de2395d9a6595dbba54eb7ad222
MD5 440e8c6fc65b731feccca0a56e1c0f52
BLAKE2b-256 e3c22e62e95f31d1585a534ffff26227b79137ad0da6bfc02d4a6ee5666206ac

See more details on using hashes here.

Provenance

The following attestation bundles were made for cpex_secrets_detection-0.1.0-cp311-abi3-manylinux_2_34_aarch64.whl:

Publisher: release-rust-python-package.yaml on IBM/cpex-plugins

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cpex_secrets_detection-0.1.0-cp311-abi3-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for cpex_secrets_detection-0.1.0-cp311-abi3-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 55287a02d8ec4a31bdf5aa9d4e46dc93572b42a0090ead42664779fe67bc2940
MD5 cec9a6d84aa2ef0d797980c3ec24ae12
BLAKE2b-256 b24de0a749db3bb40634a509363290167f14931631551f29d25fc93b4a5253f6

See more details on using hashes here.

Provenance

The following attestation bundles were made for cpex_secrets_detection-0.1.0-cp311-abi3-macosx_11_0_arm64.whl:

Publisher: release-rust-python-package.yaml on IBM/cpex-plugins

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page