Getting Started

Get up and running with SCAN in minutes. This guide will help you install, configure, and run your first security scan.

Introduction

SCAN (Sensitive Code Analyzer for Nerds) is a powerful Gradle plugin designed to automatically detect secrets, API keys, and other sensitive information in your codebase. It integrates seamlessly into your build process and helps prevent accidental exposure of sensitive data.

Key Features

🔍 Comprehensive pattern detection for various secret types
⚡ Fast scanning with minimal performance impact
🛠️ Highly configurable with custom patterns
📊 Multiple output formats (console, JSON, HTML)
🔧 CI/CD integration ready

Requirements

Before installing SCAN, ensure your environment meets these requirements:

System Requirements

Java: JDK 17 or higher
Gradle: 7.0 or higher
Operating System: Windows, macOS, or Linux
Memory: Minimum 1GB RAM (2GB+ recommended for large projects)

You can check your current versions:

# Check Java version
java -version

# Check Gradle version
gradle --version

# Or using Gradle wrapper
./gradlew --version

Installation

Add the SCAN plugin to your build.gradle.kts or build.gradle file:

Kotlin DSL (build.gradle.kts)

plugins {
    id("io.github.theaniketraj.scan") version "2.0.0"
}

Groovy DSL (build.gradle)

plugins {
    id 'io.github.theaniketraj.scan' version '2.0.0'
}

Legacy Plugin Application

If you're using an older Gradle version, you can use the legacy plugin syntax:

buildscript {
    repositories {
        gradlePluginPortal()
    }
    dependencies {
        classpath "io.github.theaniketraj:scan-gradle-plugin:2.0.0"
    }
}

apply plugin: "io.github.theaniketraj.scan"

💡 Pro Tip

Always use the latest version for the best security patterns and performance improvements. Check the releases page for updates.

First Scan

Once the plugin is installed, you can run your first security scan:

# Run a basic scan
./gradlew scanForSecrets

# Run with verbose output
./gradlew scanForSecrets --info

# Run with debug information
./gradlew scanForSecrets --debug

The scan will:

🔍 Analyze all source files in your project
🎯 Apply built-in patterns to detect common secrets
📝 Generate a detailed report
⚠️ Display findings in the console

Understanding the Output

A typical scan output looks like this:

> Task :scanForSecrets
Starting security scan...
Scanning 127 files...

🔍 SCAN Results:
┌─────────────────────────────────────────────────┐
│ Found 2 potential secrets in 1 file(s)          │
├─────────────────────────────────────────────────┤
│ File: src/main/java/Config.java                 │
│ Line: 15                                        │
│ Type: API Key                                   │
│ Match: sk_test_51H...                           │
├─────────────────────────────────────────────────┤
│ File: src/main/java/Config.java                 │
│ Line: 23                                        │
│ Type: Database Password                         │
│ Match: password=secret123                       │
└─────────────────────────────────────────────────┘

BUILD FAILED

Basic Configuration

Customize SCAN's behavior by adding a configuration block to your build file:

Essential Configuration

scan {
    // Fail the build when secrets are detected
    failOnDetection = true
    
    // Choose output format: "console", "json", "html"
    reportFormat = "console"
    
    // Specify output directory
    outputDir = "scan-results"
    
    // Set scan sensitivity: "low", "medium", "high"
    sensitivity = "medium"
}

Advanced Configuration

scan {
    failOnDetection = true
    reportFormat = "json"
    outputDir = "security-reports"
    
    // Exclude specific files or directories
    excludePaths = [
        "**/test/**",
        "**/build/**",
        "**/*.min.js"
    ]
    
    // Include only specific file types
    includePaths = [
        "**/*.java",
        "**/*.kt",
        "**/*.properties"
    ]
    
    // Custom patterns file
    customPatternsFile = "config/custom-patterns.yml"
    
    // Enable parallel processing
    parallel = true
    
    // Set maximum file size (in MB)
    maxFileSize = 10
}

⚠️ Important

Setting failOnDetection = true will cause your build to fail when secrets are detected. This is recommended for CI/CD pipelines to prevent deployment of code with secrets.

Understanding Results

SCAN provides detailed information about detected secrets to help you understand and address security issues.

Result Components

📁 File Path

Exact location of the file containing the potential secret

📍 Line Number

Specific line where the secret was detected

🏷️ Secret Type

Classification of the detected secret (API Key, Password, etc.)

🎯 Match Pattern

Partial match showing the detected pattern (sensitive parts redacted)

Report Formats

Choose the format that best suits your workflow:

Console: Human-readable output for development
JSON: Machine-readable for CI/CD integration
HTML: Detailed web-based report with navigation

Next Steps

Now that you have SCAN running, explore these topics to get the most out of the plugin:

📖 Comprehensive Guide

Learn advanced features, best practices, and troubleshooting tips.

Read User Guide →

⚙️ Advanced Configuration

Customize patterns, exclusions, and output formats for your needs.

View Configuration →

🔍 Pattern Reference

Understand built-in patterns and create custom detection rules.

Explore Patterns →

🔧 CI/CD Integration

Integrate SCAN into your automated build and deployment pipelines.

Setup CI/CD →

🚀 Quick Start Checklist

Plugin installed and configured First scan completed successfully Build failure configured for CI/CD Exclusions configured for test files Team notified of new security checks