Source code for nvflare.fuel.utils.job_secret_scanner

# Copyright (c) 2026, NVIDIA CORPORATION.  All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

"""Secret validation for generated NVFlare job configuration files."""

import json
import os
from typing import List, Optional

from nvflare.fuel.utils.secret_utils import SecretFinding, warn_on_potential_secrets

_GENERATED_JOB_CONFIG_FILES = frozenset(
    {
        "config_fed_client.json",
        "config_fed_server.json",
        "meta.json",
    }
)


[docs] def warn_on_potential_secrets_in_job_dir( job_dir: str, job_name: Optional[str] = None, context: str = "generated job file", ) -> List[SecretFinding]: """Warn about potential secrets in generated job JSON files. This is a last-line, best-effort scan of the artifact that will be exported, simulated, or submitted. User code under ``custom/`` is intentionally excluded. Args: job_dir: Export root or the generated job directory itself. job_name: Optional job name when ``job_dir`` is an export root. context: Description used to identify a scanned file in warning messages. Returns: All potential-secret findings emitted while scanning the job. """ job_root = os.path.join(job_dir, job_name) if job_name else job_dir if not os.path.isdir(job_root): job_root = job_dir findings = [] for root, dirs, files in os.walk(job_root): dirs[:] = [directory for directory in dirs if directory != "custom"] for file_name in files: if file_name not in _GENERATED_JOB_CONFIG_FILES: continue path = os.path.join(root, file_name) try: with open(path, encoding="utf-8") as file: data = json.load(file) except (OSError, UnicodeError, ValueError): # Job generation owns the validity of these files. Secret scanning is # best-effort and must not mask a more useful error from that layer. continue # Only use the allow-listed basename in warning context. Job and app directory names # are user-controlled and could themselves contain credential material. findings.extend(warn_on_potential_secrets(data, context=f"{context} '{file_name}'")) return findings