SCAN

Contributing to SCAN

Thank you for your interest in contributing to SCAN! This guide will help you get started with contributing to the project, from setting up your development environment to submitting your first pull request.

🎯 Quick Start for Contributors

1. Fork the repository and clone it locally

2. Set up your development environment

3. Create a feature branch for your contribution

4. Make your changes and add tests

5. Submit a pull request with a clear description

Overview

SCAN (Sensitive Code Analyzer for Nerds) is an open-source Gradle plugin that helps developers detect secrets and sensitive information in their codebase. We welcome contributions from the community to make this tool even better.

Code of Conduct

This project adheres to a Code of Conduct ↗. By participating, you are expected to uphold this code.

Getting Started

Prerequisites

  • Java 21 or higher
  • Gradle 8.14+ (wrapper included)
  • Git for version control
  • IDE (IntelliJ IDEA recommended)

Fork and Clone

1. Fork the repository on GitHub

2. Clone your fork locally:

git clone https://github.com/theaniketraj/SCAN.git
cd SCAN

3. Add the upstream remote:

git remote add upstream https://github.com/theaniketraj/SCAN.git

Development Setup

Project Setup

1. Import the project into your IDE

2. Install dependencies:

./gradlew build

3. Run tests to ensure everything works:

./gradlew test

Project Structure

scan-gradle-plugin/
├── src/
│   ├── main/kotlin/com/scan/
│   │   ├── core/           # Core scanning logic
│   │   ├── detectors/      # Pattern and entropy detectors
│   │   ├── filters/        # File filtering logic
│   │   ├── patterns/       # Built-in pattern definitions
│   │   ├── plugin/         # Gradle plugin implementation
│   │   ├── reporting/      # Report generation
│   │   └── utils/          # Utility classes
│   ├── test/kotlin/        # Unit tests
│   └── functionalTest/kotlin/ # Integration tests
├── docs/                   # Documentation
├── config/                 # Configuration files
└── examples/               # Usage examples

Key Development Commands

Build & Test

./gradlew build - Build project

./gradlew test - Run tests

./gradlew functionalTest - Integration tests

Code Quality

./gradlew spotlessCheck - Check code style

./gradlew spotlessApply - Fix code style

./gradlew detekt - Static analysis

Types of Contributions

We welcome various types of contributions:

🐛 Bug Fixes

Fix issues in existing functionality

✨ Features

Add new capabilities and enhancements

🔍 Patterns

Add new secret detection patterns

📚 Documentation

Improve or expand documentation

⚡ Performance

Optimize scanning performance

🧪 Testing

Add or improve test coverage

Before You Start

  1. Check existing issues to see if your contribution is already being worked on
  2. Create an issue to discuss major changes before implementing
  3. Follow the coding standards outlined below

Code Standards

Kotlin Style Guidelines

We follow the Kotlin Coding Conventionswith project-specific guidelines:

Code Formatting

  • Line length: 120 characters maximum
  • Indentation: 4 spaces (no tabs)
  • Import order: Standard Kotlin import ordering
  • Trailing commas: Enabled for multiline constructs

Naming Conventions

// Classes: PascalCase
class SecretDetector

// Functions and properties: camelCase
fun detectSecrets()
val patternMatches: List<Match>

// Constants: SCREAMING_SNAKE_CASE
const val DEFAULT_ENTROPY_THRESHOLD = 4.5

Documentation

Use KDoc for public APIs:

/**
 * Detects potential secrets in the given text using pattern matching.
 *
 * @param text The text to analyze for secrets
 * @param patterns List of regex patterns to apply
 * @return List of detected secrets with metadata
 */
fun detectSecrets(
    text: String,
    patterns: List<Pattern>
): List<SecretMatch>

Testing Guidelines

Test Structure

We maintain high test coverage with different types of tests:

Unit Tests

class SecretDetectorTest {
    private val detector = SecretDetector()
    
    @Test
    fun `should detect AWS access key`() {
        // Given
        val text = "aws_access_key_id=AKIAIOSFODNN7EXAMPLE"
        
        // When
        val matches = detector.detectSecrets(text)
        
        // Then
        assertThat(matches).hasSize(1)
        assertThat(matches[0].type).isEqualTo(SecretType.AWS_ACCESS_KEY)
    }
}

Integration Tests

@Test
fun `should integrate with Gradle build lifecycle`() {
    // Given
    val projectDir = createTestProject()
    addSecretToFile(projectDir, "Config.kt", "API_KEY=secret123")
    
    // When
    val result = runGradleTask(projectDir, "build")
    
    // Then
    assertThat(result.task(":scanForSecrets")?.outcome)
        .isEqualTo(TaskOutcome.FAILED)
}

Test Coverage Goals

  • Target: 80% line coverage minimum
  • Critical paths: 100% coverage for security-critical code
  • Edge cases: Test boundary conditions and error scenarios

Documentation

Types of Documentation

📝 Code Documentation

KDoc comments for public APIs and complex logic

📖 User Documentation

Guides, tutorials, and reference documentation

💡 Examples

Practical usage examples and code samples

📋 Changelog

Record of changes and version history

Documentation Standards

  • Clear examples: Provide working code examples
  • Step-by-step guides: Break down complex procedures
  • Common use cases: Cover typical scenarios
  • Troubleshooting: Address common issues

Pull Request Process

Before Submitting

1. Update your branch with the latest changes:

git checkout develop
git pull upstream develop
git checkout your-feature-branch
git rebase develop

2. Run all checks:

./gradlew build
./gradlew test
./gradlew functionalTest
./gradlew spotlessCheck
./gradlew detekt

PR Guidelines

Title Format

type(scope): Brief description

Examples:
feat(patterns): Add support for Slack API tokens
fix(entropy): Correct entropy calculation for Unicode strings
docs(user-guide): Add CI/CD integration examples

Description Template

Your PR should include:

  • • Clear description of the change and why it's needed
  • • Type of change (bug fix, feature, breaking change, docs)
  • • Testing information
  • • Checklist confirmation

Review Process

  1. Automated checks must pass
  2. Code review by maintainers
  3. Testing on different environments
  4. Documentation review if applicable
  5. Approval by project maintainers

Issue Reporting

Bug Reports

When reporting bugs, please include:

  • • Clear description of the bug
  • • Steps to reproduce the behavior
  • • Expected vs actual behavior
  • • Environment details (OS, Java version, Gradle version)
  • • Additional context or error messages

Feature Requests

For feature requests, please describe:

  • • The problem you're trying to solve
  • • Your proposed solution
  • • Alternative solutions you've considered
  • • Additional context or use cases

Community

Getting Help

💬 GitHub Discussions

For questions and general discussion

🐛 Issues

For bug reports and feature requests

📖 Documentation

Check the docs for answers first

Recognition

Contributors are recognized in:

  • Release notes: Major contributions acknowledged
  • Contributors file: All contributors listed
  • Special thanks: Outstanding contributions highlighted

🎉 Ready to Contribute?

Start by exploring the open issues or proposing a new feature.

Join our community and help make codebases more secure for everyone! 🔒✨