Commit 54738ca

fix: Add benchmark results files to git
- Added exception in .gitignore for benchmark results directory
- Force-added comparison_report.md and comparison_results.json
- These files contain benchmark metrics, not actual secrets
- Fixes broken link in README to benchmark results
1 parent 2edcc40 commit 54738ca

3 files changed

+423
-0
lines changed

.gitignore

Lines changed: 1 addition & 0 deletions
@@ -238,6 +238,7 @@ yarn-error.log*
238238
!test_projects/secret_detection_benchmark/
239239
!test_projects/secret_detection_benchmark/**
240240
!**/secret_detection_benchmark_GROUND_TRUTH.json
241+
!**/secret_detection/results/
241242

242243
secret*
243244
secrets/
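Review bot: the new negation `!**/secret_detection/results/` is added above `secret*`, and in .gitignore the later pattern wins: `secret*` (no slash, so it matches at any depth) excludes the parent directory `secret_detection`, and git cannot re-include a path whose parent directory is excluded. The results directory therefore stays ignored, which is why the two report files had to be force-added, and every future update to them will need `git add -f` again; the same ordering issue applies to the existing `!test_projects/secret_detection_benchmark/` negations above it. Move the negations below `secrets/`, or narrow `secret*` so it no longer matches directory names like `secret_detection`, and confirm with `git check-ignore -v` on one of the results files that no rule still excludes them.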
Lines changed: 169 additions & 0 deletions
@@ -0,0 +1,169 @@
1+
# Secret Detection Tools Comparison
2+
3+
**Target**: secret_detection_benchmark
4+
**Tools**: Gitleaks, TruffleHog, LLM (gpt-4o-mini), LLM (gpt-5-mini)
5+
6+
7+
## Summary
8+
9+
| Tool | Secrets | Files | Avg/File | Time (s) |
10+
|------|---------|-------|----------|----------|
11+
| Gitleaks | 12 | 10 | 1.2 | 5.18 |
12+
| TruffleHog | 1 | 1 | 1.0 | 5.06 |
13+
| LLM (gpt-4o-mini) | 30 | 15 | 2.0 | 296.85 |
14+
| LLM (gpt-5-mini) | 41 | 16 | 2.6 | 618.55 |
15+
16+
## Agreement Analysis
17+
18+
Secrets found by different numbers of tools:
19+
20+
- **3 tools agree**: 6 secrets
21+
- **2 tools agree**: 22 secrets
22+
- **Only 1 tool found**: 22 secrets
23+
24+
## Tool Agreement Matrix
25+
26+
Number of common secrets found by tool pairs:
27+
28+
| Tool | Gitleaks | TruffleHog | gpt-4o-mini | gpt-5-mini |
29+
|------|------|------|------|------|
30+
| Gitleaks | 12 | 0 | 7 | 11 |
31+
| TruffleHog | 0 | 1 | 0 | 0 |
32+
| gpt-4o-mini | 7 | 0 | 30 | 22 |
33+
| gpt-5-mini | 11 | 0 | 22 | 41 |
34+
35+
## Per-File Detailed Comparison
36+
37+
Secrets found per file by each tool:
38+
39+
| File | Gitleaks | TruffleHog | gpt-4o-mini | gpt-5-mini | Total |
40+
|------|------|------|------|------|------|
41+
| `src/obfuscated.py` | 2 | 0 | 6 | 7 | **15** |
42+
| `src/advanced.js` | 0 | 0 | 5 | 7 | **12** |
43+
| `src/config.py` | 1 | 0 | 0 | 6 | **7** |
44+
| `.env` | 1 | 0 | 2 | 2 | **5** |
45+
| `config/keys.yaml` | 1 | 0 | 2 | 2 | **5** |
46+
| `config/oauth.json` | 1 | 0 | 2 | 2 | **5** |
47+
| `config/settings.py` | 2 | 0 | 0 | 3 | **5** |
48+
| `scripts/deploy.sh` | 1 | 0 | 2 | 2 | **5** |
49+
| `config/legacy.ini` | 0 | 0 | 2 | 2 | **4** |
50+
| `src/Crypto.go` | 0 | 0 | 2 | 2 | **4** |
51+
| `config/app.properties` | 1 | 0 | 1 | 1 | **3** |
52+
| `config/database.yaml` | 0 | 1 | 1 | 1 | **3** |
53+
| `src/Main.java` | 1 | 0 | 1 | 1 | **3** |
54+
| `id_rsa` | 1 | 0 | 1 | 0 | **2** |
55+
| `scripts/webhook.js` | 0 | 0 | 1 | 1 | **2** |
56+
| ... and 2 more files | ... | ... | ... | ... | ... |
57+
58+
## File Type Breakdown
59+
60+
| Type | Gitleaks | TruffleHog | gpt-4o-mini | gpt-5-mini |
61+
|------|------|------|------|------|
62+
| `.env` | 1 files | 0 files | 1 files | 1 files |
63+
| `.go` | 0 files | 0 files | 1 files | 1 files |
64+
| `.ini` | 0 files | 0 files | 1 files | 1 files |
65+
| `.java` | 1 files | 0 files | 1 files | 1 files |
66+
| `.js` | 0 files | 0 files | 2 files | 2 files |
67+
| `.json` | 1 files | 0 files | 1 files | 1 files |
68+
| `.properties` | 1 files | 0 files | 1 files | 1 files |
69+
| `.py` | 3 files | 0 files | 2 files | 4 files |
70+
| `.sh` | 1 files | 0 files | 1 files | 1 files |
71+
| `.sql` | 0 files | 0 files | 1 files | 1 files |
72+
| `.yaml` | 1 files | 1 files | 2 files | 2 files |
73+
| `[no extension]` | 1 files | 0 files | 1 files | 0 files |
74+
75+
## Files Analyzed
76+
77+
**Total unique files with secrets**: 17
78+
79+
80+
### Gitleaks
81+
82+
Found secrets in **10 files**:
83+
84+
- `config/settings.py`: 2 secrets (lines: 6, 9)
85+
- `src/obfuscated.py`: 2 secrets (lines: 7, 17)
86+
- `.env`: 1 secrets (lines: 3)
87+
- `config/app.properties`: 1 secrets (lines: 6)
88+
- `config/keys.yaml`: 1 secrets (lines: 6)
89+
- `id_rsa`: 1 secrets (lines: 1)
90+
- `config/oauth.json`: 1 secrets (lines: 4)
91+
- `scripts/deploy.sh`: 1 secrets (lines: 5)
92+
- `src/Main.java`: 1 secrets (lines: 5)
93+
- `src/config.py`: 1 secrets (lines: 7)
94+
95+
### TruffleHog
96+
97+
Found secrets in **1 files**:
98+
99+
- `config/database.yaml`: 1 secrets (lines: 6)
100+
101+
### LLM (gpt-4o-mini)
102+
103+
Found secrets in **15 files**:
104+
105+
- `src/obfuscated.py`: 6 secrets (lines: 7, 10, 13, 18, 20...)
106+
- `src/advanced.js`: 5 secrets (lines: 4, 7, 10, 12, 17)
107+
- `src/Crypto.go`: 2 secrets (lines: 6, 10)
108+
- `.env`: 2 secrets (lines: 3, 4)
109+
- `config/keys.yaml`: 2 secrets (lines: 6, 12)
110+
- `config/oauth.json`: 2 secrets (lines: 3, 4)
111+
- `config/legacy.ini`: 2 secrets (lines: 4, 7)
112+
- `scripts/deploy.sh`: 2 secrets (lines: 6, 9)
113+
- `src/app.py`: 1 secrets (lines: 7)
114+
- `scripts/webhook.js`: 1 secrets (lines: 4)
115+
- ... and 5 more files
116+
117+
### LLM (gpt-5-mini)
118+
119+
Found secrets in **16 files**:
120+
121+
- `src/obfuscated.py`: 7 secrets (lines: 7, 10, 13, 14, 17...)
122+
- `src/advanced.js`: 7 secrets (lines: 4, 7, 9, 10, 13...)
123+
- `src/config.py`: 6 secrets (lines: 7, 10, 13, 14, 15...)
124+
- `config/settings.py`: 3 secrets (lines: 6, 9, 20)
125+
- `src/Crypto.go`: 2 secrets (lines: 10, 15)
126+
- `.env`: 2 secrets (lines: 3, 4)
127+
- `config/keys.yaml`: 2 secrets (lines: 6, 12)
128+
- `config/oauth.json`: 2 secrets (lines: 3, 4)
129+
- `config/legacy.ini`: 2 secrets (lines: 3, 7)
130+
- `scripts/deploy.sh`: 2 secrets (lines: 5, 10)
131+
- ... and 6 more files
132+
133+
## Overlap Analysis
134+
135+
136+
**No files were found by all tools**
137+
138+
139+
## Ground Truth Analysis
140+
141+
**Expected secrets**: 32 (documented in ground truth)
142+
143+
### Tool Performance vs Ground Truth
144+
145+
| Tool | Found | Expected | Recall | Extra Findings |
146+
|------|-------|----------|--------|----------------|
147+
| Gitleaks | 12 | 32 | 37.5% | 0 |
148+
| TruffleHog | 1 | 32 | 0.0% | 1 |
149+
| LLM (gpt-4o-mini) | 30 | 32 | 56.2% | 12 |
150+
| LLM (gpt-5-mini) | 41 | 32 | 84.4% | 14 |
151+
152+
### LLM Extra Findings Explanation
153+
154+
LLMs may find more than 30 secrets because they detect:
155+
156+
- **Split secret components**: Each part of `DB_PASS_PART1 + PART2 + PART3` counted separately
157+
- **Join operations**: Lines like `''.join(AWS_SECRET_CHARS)` flagged as additional exposure
158+
- **Decoding functions**: Code that reveals secrets (e.g., `base64.b64decode()`, `codecs.decode()`)
159+
- **Comment identifiers**: Lines marking secret locations without plaintext values
160+
161+
These are *technically correct* detections of secret exposure points, not false positives.
162+
The ground truth documents 30 'primary' secrets, but the codebase has additional derivative exposures.
163+
164+
165+
## Performance Summary
166+
167+
- **Most secrets found**: LLM (gpt-5-mini) (41 secrets)
168+
- **Most files covered**: LLM (gpt-5-mini) (16 files)
169+
- **Fastest**: TruffleHog (5.06s)
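Review bot: the committed report contradicts itself on the ground-truth count: the Ground Truth Analysis table states `**Expected secrets**: 32` and computes recall against 32, while the LLM Extra Findings Explanation says "more than 30 secrets" and "30 'primary' secrets". Since the report is generated, the generator should read one number from the ground-truth file and use it in both places. Two further points on the same section: it declares the extra findings "not false positives" yet excludes them from recall and then ranks tools in the Performance Summary by raw count ("Most secrets found"), which rewards over-reporting; either add the derivative exposures to the ground truth or report precision next to recall so the 12 and 14 extras are visible as a cost. And TruffleHog's single finding in `config/database.yaml` shows 0 overlap with the LLMs in the agreement matrix even though both LLMs also report one secret in that file, and it scores 0.0% recall with 1 extra; that pattern suggests findings are matched by exact line number and TruffleHog reports a different line, which is worth checking before publishing the comparison. Minor: the generator prints "1 files" and "1 secrets"; pluralize on count.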
