Evidence Model & Audit Traceability

SecretScan is not limited to pattern detection. Each scan generates a structured record stored in a persistent audit-backed database layer.

Execution Flow

POST /api/scanners/trivy/scan
→ authenticate(actor)
→ validate(input)
→ detect(secrets)
→ persist(record)
→ return(scanId)

Every invocation produces a structured record tied to a specific authenticated actor and timestamp.

What Is Stored

scan_id (UUID)
actor_sub (Keycloak subject)
artifact_ref (string)
secrets_found (JSONB)
secrets_count (integer)
severity_summary (JSONB)
created_at (timestamp)

The database layer is PostgreSQL-backed. Records are immutable once written. Updates require explicit new entries rather than silent mutation.

Actor Attribution

All scan activity is bound to a Keycloak-authenticated identity. This creates defensible linkage between artifact submission and detection results.

actor_sub → artifact_ref → detection_result → timestamp
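The schema and query below are an added example, not SecretScan's own code: they carry the stored fields listed above into a PostgreSQL table, enforce the write-once rule at the database layer (a trigger plus a role that can only read and append), record a correction as a new row that points at the record it supersedes instead of overwriting it, and finish with the query that walks the actor_sub → artifact_ref → detection_result → timestamp chain for one artifact. The table, trigger, function and role names, the supersedes_scan_id column, and every sample value are assumptions introduced for the example.

```sql
-- Assumed table; column names follow the page, everything else is an assumption.
CREATE TABLE secret_scan_records (
    scan_id            uuid        PRIMARY KEY DEFAULT gen_random_uuid(),
    actor_sub          text        NOT NULL,              -- Keycloak subject claim
    artifact_ref       text        NOT NULL,
    secrets_found      jsonb       NOT NULL DEFAULT '[]'::jsonb,
    secrets_count      integer     NOT NULL CHECK (secrets_count >= 0),
    severity_summary   jsonb       NOT NULL DEFAULT '{}'::jsonb,
    created_at         timestamptz NOT NULL DEFAULT now(),
    -- Assumed: a correction is a new row that references the record it supersedes.
    supersedes_scan_id uuid        REFERENCES secret_scan_records (scan_id),
    -- The count must agree with the stored evidence, so the two cannot drift apart.
    CONSTRAINT secrets_count_matches_evidence
        CHECK (secrets_count = jsonb_array_length(secrets_found))
);

-- Immutability: any UPDATE or DELETE on a written record is rejected.
CREATE OR REPLACE FUNCTION reject_scan_record_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'scan record % is immutable; insert a superseding record instead',
        OLD.scan_id
        USING ERRCODE = 'insufficient_privilege';
    RETURN NULL;  -- never reached; present so the function body is complete
END;
$$;

CREATE TRIGGER secret_scan_records_immutable
    BEFORE UPDATE OR DELETE ON secret_scan_records
    FOR EACH ROW EXECUTE FUNCTION reject_scan_record_mutation();

-- Second line of defence: the application role (assumed name) is append-only,
-- so the write-once rule holds even if the trigger is ever dropped.
CREATE ROLE secretscan_app NOLOGIN;
GRANT SELECT, INSERT ON secret_scan_records TO secretscan_app;

-- Constructed sample: one detection event tied to an authenticated actor.
-- The JSON records where a match was found and a hash of the matched text,
-- not the secret value itself, so the audit store never becomes a secret store.
INSERT INTO secret_scan_records
    (actor_sub, artifact_ref, secrets_found, secrets_count, severity_summary)
VALUES (
    'f3a1c2d4-0000-4000-8000-000000000001',            -- constructed Keycloak subject
    'registry.example.internal/app/api:1.4.2',         -- constructed artifact reference
    '[{"rule": "aws-access-key-id", "path": "config/.env", "line": 12,
       "severity": "CRITICAL", "match_sha256": "<placeholder-hash>"}]',
    1,
    '{"CRITICAL": 1, "HIGH": 0, "MEDIUM": 0, "LOW": 0}'
);

-- Constructed correction (for instance after the key was rotated and the image
-- rebuilt): a new row that supersedes the earlier one; the earlier row stays intact.
INSERT INTO secret_scan_records
    (actor_sub, artifact_ref, secrets_found, secrets_count, severity_summary,
     supersedes_scan_id)
VALUES (
    'f3a1c2d4-0000-4000-8000-000000000001',
    'registry.example.internal/app/api:1.4.2',
    '[]',
    0,
    '{"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0}',
    (SELECT scan_id FROM secret_scan_records
      WHERE artifact_ref = 'registry.example.internal/app/api:1.4.2'
      ORDER BY created_at ASC LIMIT 1)
);

-- The following statement fails with the trigger's error; shown for illustration only:
-- UPDATE secret_scan_records SET secrets_count = 0
--  WHERE artifact_ref = 'registry.example.internal/app/api:1.4.2';

-- Attribution chain for one artifact, newest first, marking superseded records.
SELECT r.actor_sub,
       r.artifact_ref,
       r.secrets_count,
       r.severity_summary,
       r.created_at,
       r.scan_id,
       r.supersedes_scan_id,
       EXISTS (SELECT 1 FROM secret_scan_records s
                WHERE s.supersedes_scan_id = r.scan_id) AS superseded
  FROM secret_scan_records r
 WHERE r.artifact_ref = 'registry.example.internal/app/api:1.4.2'
 ORDER BY r.created_at DESC;
```

Run against a PostgreSQL 13 or later instance (gen_random_uuid() is built in from that release). The query returns two rows for the constructed artifact: the correction on top with superseded = false, and the original detection beneath it with superseded = true, which is the historical reconstruction the page describes without any record having been altered.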

Traceability & Integrity

  • Persistent storage of every scan event.
  • Request correlation IDs for log traceability.
  • Rate-limited authenticated execution.
  • Structured JSONB storage for evidence preservation.
  • No silent overwrites of detection results.

The objective is not merely to detect exposure, but to produce defensible audit artifacts during compliance or incident review.

Governance Positioning

Most secret scanners operate as transient utilities. SecretScan operates as a governed execution layer — detection coupled with structured evidence retention.

This enables control mapping alignment, operational reporting, and historical reconstruction of exposure events.

Detection without evidence is incomplete.