Skip to content

feat: AI-powered secret scanning and auto-fix with Dagger LLM agent #195

Description

@patrick-hermann-sva

Summary

Add a Dagger AI agent to the linting module that uses dag.LLM() to intelligently analyze and fix secret findings by adding pragma: allowlist secret comments.

Motivation

Secret scanning tools (detect-secrets via pre-commit) flag lines containing keywords like password, secret, token as potential secrets. The codebase already uses // pragma: allowlist secret comments extensively (20+ files) to suppress false positives. Automating this with an AI agent saves manual effort and ensures consistency.

Proposed Changes

New functions in the linting module

  1. ScanSecrets — Runs detect-secrets scan and returns a structured JSON report
  2. AutoFixSecrets — AI agent using dag.LLM() that reads the findings and adds appropriate pragma comments per file type

Implementation Details

  • Upgrade linting module engine to v0.19.7 (required for dag.LLM())
  • Create secrets.go with both functions
  • Uses dag.Env() with container input/output for the AI agent
  • Comment style adapted per file type: // for Go, # for YAML/Python/Shell/Terraform
  • Skips .json files (no comment syntax) and lines already containing the pragma

CLI Usage

# Scan for secrets
dagger call -m linting scan-secrets --src . export --path=/tmp/findings.json

# AI-powered auto-fix
dagger call -m linting auto-fix-secrets --src . export --path=/tmp/fixed/

Acceptance Criteria

  • ScanSecrets returns valid JSON findings from detect-secrets
  • AutoFixSecrets correctly adds pragma comments to flagged lines
  • README updated with usage examples

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions