Report Structure

A KafkaCode report consists of three main sections:

- Scan Summary: high-level overview of the scan results
- Issue Listings: detailed findings grouped by severity
- Recommendations: actionable advice for each issue
Understanding the Scan Summary
```text
🎯 PRIVACY SCAN REPORT
═══════════════════════════════════════════════════════════
📊 SCAN SUMMARY
📁 Directory: ./src
⏰ Timestamp: 2025-01-15 10:30:45
📄 Files Scanned: 25
🔍 Total Issues: 3
🏆 Privacy Grade: 🟡 B-
═══════════════════════════════════════════════════════════
```
Key Metrics Explained
| Metric | Meaning | What to Look For |
|---|---|---|
| Directory | Path that was scanned | Verify correct location |
| Timestamp | When the scan was performed | Track scan history |
| Files Scanned | Number of source files analyzed | Ensure expected coverage |
| Total Issues | Count of all findings | Lower is better |
| Privacy Grade | Overall grade (A+ to F) | Target A- or better for production |
Privacy Grade Interpretation
| Grade | Rating | Guidance |
|---|---|---|
| 🟢 A+ / A / A- | Excellent ✅ | Production-ready. Minimal to no issues. Safe to deploy. Maintain current practices. |
| 🔵 B+ / B / B- | Good ⚠️ | Minor improvements needed. Generally safe. Address issues when convenient. Review before major releases. |
| 🟡 C+ / C / C- | Moderate ⚠️ | Action required. Notable privacy concerns. Fix before production. Not recommended for deployment. |
| 🔴 D / F | Critical ❌ | Must fix immediately. Security vulnerabilities. Block all deployments. Emergency response needed. |
Reading Issue Listings
Issues are organized by severity level:
Critical Issues 🔴

```text
🔴 CRITICAL (1)
════════════════════════════════════════════════════════════
📍 src/config.js:12
   AWS Access Key detected
   aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
   💡 Recommendation: Move to environment variables
```

What it means:

- Severity: Critical (100 points)
- File: src/config.js
- Line: 12
- Issue: Hardcoded AWS access key
- Code: the actual problematic line is shown
- Action: Move to environment variables immediately

Why it's critical:

- Exposed credentials can be exploited
- Direct access to cloud resources
- Potential for data breaches
- Compliance violations

How to fix:

```javascript
// ❌ Before (Critical)
const aws_access_key_id = "AKIAIOSFODNN7EXAMPLE";

// ✅ After (Fixed)
const aws_access_key_id = process.env.AWS_ACCESS_KEY_ID;
```
High Severity Issues 🟠

```text
🟠 HIGH (1)
════════════════════════════════════════════════════════════
📍 src/auth.js:23
   API key found in code
   const apiKey = "sk_live_abc123..."
   💡 Recommendation: Use configuration management
```

What it means:

- Severity: High (50 points)
- Issue: Hardcoded API key (Stripe, GitHub, etc.)
- Risk: Potential unauthorized access
- Priority: Fix before next release

How to fix:

```javascript
// ❌ Before (High)
const apiKey = "sk_live_abc123...";

// ✅ After (Fixed)
const apiKey = process.env.STRIPE_API_KEY;
```
Medium Severity Issues 🟡

```text
🟡 MEDIUM (2)
════════════════════════════════════════════════════════════
📍 src/utils/validator.js:45
   Email address found in code
   const adminEmail = "admin@company.com"
   💡 Recommendation: Use configuration file

📍 src/database/connection.js:8
   Potential database connection string
   const dbUrl = "mongodb://localhost:27017/mydb"
   💡 Recommendation: Use environment variables
```

What it means:

- Severity: Medium (10 points each)
- Issue: PII or configuration data in code
- Risk: Privacy compliance concerns
- Priority: Address when convenient

How to fix:

```javascript
// ❌ Before (Medium)
const adminEmail = "admin@company.com";
const dbUrl = "mongodb://localhost:27017/mydb";

// ✅ After (Fixed)
const adminEmail = config.get('ADMIN_EMAIL');
const dbUrl = process.env.DATABASE_URL;
```
Low Severity Issues 🔵

```text
🔵 LOW (3)
════════════════════════════════════════════════════════════
📍 src/config.js:5
   IP address detected
   const serverIP = "192.168.1.100"
   💡 Recommendation: Use DNS names when possible
```

What it means:

- Severity: Low (1 point)
- Issue: Minor configuration concerns
- Risk: Minimal
- Priority: Optional cleanup

How to fix:

```javascript
// ⚠️ Before (Low)
const serverIP = "192.168.1.100";

// ✅ After (Better)
const serverHost = "api.company.com";
```
Common Issue Types
1. Hardcoded Secrets

Problem:

```python
# ❌ Critical: Exposed AWS credentials
AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# ❌ High: Hardcoded API key
STRIPE_KEY = "sk_live_51H..."

# ❌ Critical: Database password
DB_PASSWORD = "mypassword123"
```

Solution:

```python
# ✅ Use environment variables
import os

AWS_ACCESS_KEY = os.getenv('AWS_ACCESS_KEY')
AWS_SECRET_KEY = os.getenv('AWS_SECRET_KEY')
STRIPE_KEY = os.getenv('STRIPE_KEY')
DB_PASSWORD = os.getenv('DB_PASSWORD')

# ✅ Or use a secrets manager (illustrative wrapper around your secrets store)
from aws_secrets import get_secret

credentials = get_secret('app-credentials')
```

Prevention (best practices):

- Never commit secrets to git
- Use .env files (and add them to .gitignore)
- Use secret management tools (AWS Secrets Manager, HashiCorp Vault)
- Rotate secrets regularly
- Use different secrets per environment
2. PII in Code

Problem:

```javascript
// ❌ Medium: Email addresses
const supportEmail = "support@company.com";
const adminEmail = "admin@company.com";

// ❌ Medium: Phone numbers
const helpline = "+1-555-123-4567";

// ❌ Critical: SSN in test data
const testSSN = "123-45-6789";
```

Solution:

```javascript
// ✅ Use configuration
const supportEmail = config.get('SUPPORT_EMAIL');
const adminEmail = config.get('ADMIN_EMAIL');
const helpline = config.get('HELPLINE_NUMBER');

// ✅ Use mock data generators for tests
const testSSN = faker.ssn();
```

Compliance (GDPR/CCPA considerations):

- Email addresses are PII
- Phone numbers are personal information
- SSNs are sensitive personal data
- You must have a legal basis for processing
- Users have the right to access and deletion
3. Connection Strings

Problem:

```python
# ❌ Critical: Full connection string with password
DATABASE_URL = "postgresql://user:password@localhost:5432/db"

# ❌ High: MongoDB with credentials
MONGO_URI = "mongodb://admin:pass123@localhost:27017/mydb"

# ❌ Medium: Redis URL
REDIS_URL = "redis://localhost:6379"
```

Solution:

```python
# ✅ Use environment variables
import os

DATABASE_URL = os.getenv('DATABASE_URL')
MONGO_URI = os.getenv('MONGO_URI')
REDIS_URL = os.getenv('REDIS_URL')

# ✅ Or build from separate env vars
DB_HOST = os.getenv('DB_HOST')
DB_USER = os.getenv('DB_USER')
DB_PASS = os.getenv('DB_PASSWORD')
DB_NAME = os.getenv('DB_NAME')
DATABASE_URL = f"postgresql://{DB_USER}:{DB_PASS}@{DB_HOST}/{DB_NAME}"
```

Security (connection string risks):

- Exposes database credentials
- Shows infrastructure details
- Can be extracted from version control
- May grant unauthorized access

Mitigation:

- Use environment-specific configs
- Implement connection pooling with auth
- Use IAM database authentication when possible
- Encrypt connection strings at rest
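The "build from separate env vars" pattern above interpolates the password raw, so a password containing `@`, `/` or `:` changes the structure of the URL. The following is an added example (not KafkaCode's or the page's own code) that assembles the URL from the same separate variables with percent-encoding, fails closed when a variable is missing, and produces a redacted form for logs; `DB_PORT` and the sample values are assumptions.

```python
import os
from urllib.parse import quote, unquote, urlsplit

# Variable names follow the page's pattern; DB_PORT (PostgreSQL default) is an added assumption.
REQUIRED = ("DB_HOST", "DB_USER", "DB_PASSWORD", "DB_NAME")


def build_database_url(env=None) -> str:
    """Assemble postgresql://user:pass@host:port/db, refusing to run with gaps in config.

    Credential parts are percent-encoded so URL-significant characters in a password
    cannot alter the host or path the client connects to.
    """
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise RuntimeError("missing database configuration: " + ", ".join(missing))
    user = quote(env["DB_USER"], safe="")
    password = quote(env["DB_PASSWORD"], safe="")
    name = quote(env["DB_NAME"], safe="")
    port = int(env.get("DB_PORT", "5432"))
    return f"postgresql://{user}:{password}@{env['DB_HOST']}:{port}/{name}"


def parse_database_url(url: str) -> dict:
    """Split a URL back into decoded parts (used to verify the round trip)."""
    p = urlsplit(url)
    return {
        "user": unquote(p.username or ""),
        "password": unquote(p.password or ""),
        "host": p.hostname,
        "port": p.port,
        "name": unquote(p.path.lstrip("/")),
    }


def redact(url: str) -> str:
    """Form that is safe to log: the password is replaced, everything else is kept."""
    p = urlsplit(url)
    if p.password is None:
        return url
    netloc = f"{p.username}:***@{p.hostname}" + (f":{p.port}" if p.port else "")
    return p._replace(netloc=netloc).geturl()


# Constructed configuration, not a real deployment; the password deliberately
# contains characters that would break or redirect a naive f-string URL.
SAMPLE_ENV = {"DB_HOST": "db.internal", "DB_USER": "app",
              "DB_PASSWORD": "p@ss/w:rd", "DB_NAME": "mydb"}

if __name__ == "__main__":
    print(redact(build_database_url(SAMPLE_ENV)))
```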
4. High Entropy Strings

```text
🟡 MEDIUM
📍 src/utils/crypto.js:15
   High entropy string detected (potential secret)
   const key = "x7K9mP2nQ8vL4wR6tY3zA1bC5dE0fG"
   💡 Recommendation: If this is a secret, move to secure storage
```

What it means:

- The string has high randomness (entropy > 4.5)
- Likely a generated secret or token
- May be a legitimate random value

How to evaluate:

- Is it a secret? → Move it to an env var or vault
- Is it a hash? → OK to keep if public
- Is it a test fixture? → Add a comment explaining it
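To see how the entropy heuristic separates the strings in this report, here is an added example (not KafkaCode's detection code) that computes Shannon entropy per character, applies the 4.5 threshold, and scans quoted literals in a constructed source snippet; the minimum literal length is an assumption.

```python
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 4.5  # the page's cutoff for "high entropy"
MIN_LENGTH = 16          # assumption: shorter literals are skipped to reduce noise


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; equals log2(len(s)) when every character is unique."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


# A quoted literal of at least MIN_LENGTH characters with no quotes or whitespace inside.
STRING_LITERAL = re.compile(r'["\']([^"\'\s]{%d,})["\']' % MIN_LENGTH)


def find_high_entropy_strings(source: str, threshold: float = ENTROPY_THRESHOLD):
    """Return (line_number, literal, entropy) for each literal above the threshold."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in STRING_LITERAL.finditer(line):
            literal = match.group(1)
            entropy = shannon_entropy(literal)
            if entropy > threshold:
                findings.append((lineno, literal, round(entropy, 3)))
    return findings


# Constructed sample, not a real file: line 2 mirrors the src/utils/crypto.js finding
# above; the email on line 1 and the padding on line 3 are long but low-entropy.
SAMPLE_SOURCE = """\
const adminEmail = "admin@company.com";
const key = "x7K9mP2nQ8vL4wR6tY3zA1bC5dE0fG";
const padding = "aaaaaaaaaaaaaaaaaaaaaaaa";
"""

if __name__ == "__main__":
    for lineno, literal, entropy in find_high_entropy_strings(SAMPLE_SOURCE):
        print(f"line {lineno}: entropy {entropy} > {ENTROPY_THRESHOLD}: {literal}")
```

Only the 30-character key is reported: all of its characters are distinct, so its entropy is log2(30) ≈ 4.91, while the email address lands near 3.3 and the padding at 0.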
Action Priority Matrix

| Grade | Critical | High | Medium | Low | Action |
|---|---|---|---|---|---|
| F | 2+ | Any | Any | Any | 🚨 Emergency fix |
| D | 1-2 | 2+ | Any | Any | ⚠️ Immediate action |
| C- | 1 | 1+ | Any | Any | ⚠️ Fix before deploy |
| C/C+ | 0 | 1-2 | 5+ | Any | ⚠️ Address soon |
| B-/B/B+ | 0 | 0-1 | 1-5 | Any | ℹ️ Plan fixes |
| A-/A/A+ | 0 | 0 | 0-1 | 1-10 | ✅ Optional cleanup |
False Positives

Sometimes KafkaCode may flag non-issues:

Example 1: Test Data

```javascript
// ⚠️ Flagged as Medium (email)
const testEmail = "test@example.com";

// ✅ Add context to reduce the false positive
const TEST_EMAIL = "test@example.com"; // Test data only, not real PII
```

Example 2: Public URLs

```python
# ⚠️ Flagged as Low (URL)
PUBLIC_API = "https://api.example.com/public"

# ✅ This is acceptable - public endpoint
# No action needed
```

Example 3: Placeholder Values

```java
// ⚠️ Flagged as High (API key pattern)
String apiKey = "your-api-key-here"; // Placeholder

// ✅ Better: Use a clearly fake value
String apiKey = "REPLACE_WITH_YOUR_API_KEY";
```

How to handle:

- Review the context
- Determine whether it's a real issue
- If it is a false positive, add a comment
- Consider refactoring for clarity
Report Examples

Clean Project (A+)

```text
📊 SCAN SUMMARY
📄 Files Scanned: 50
🔍 Total Issues: 0
🏆 Privacy Grade: 🟢 A+

✅ No privacy issues detected!
```

Interpretation: Perfect! Safe for production.

Minor Issues (A-)

```text
📊 SCAN SUMMARY
📄 Files Scanned: 50
🔍 Total Issues: 2
🏆 Privacy Grade: 🟢 A-

🔵 LOW (2)
📍 src/config.js:8
   IP address: "192.168.1.1"
```

Interpretation: Very good. Optional cleanup of IP addresses.

Moderate Concerns (C)

```text
📊 SCAN SUMMARY
📄 Files Scanned: 50
🔍 Total Issues: 15
🏆 Privacy Grade: 🟡 C

🔴 CRITICAL (1)
📍 src/db.js:5
   Database password

🟠 HIGH (2)
📍 API keys detected

🟡 MEDIUM (8)
📍 Multiple PII leaks

🔵 LOW (4)
📍 Various configuration issues
```

Interpretation: Not production-ready. Fix critical/high issues immediately.

Critical Problems (F)

```text
📊 SCAN SUMMARY
📄 Files Scanned: 50
🔍 Total Issues: 25
🏆 Privacy Grade: 🔴 F

🔴 CRITICAL (5)
📍 Multiple exposed secrets

🟠 HIGH (8)
📍 Extensive API key exposure

🟡 MEDIUM (10)
📍 Widespread PII issues

🔵 LOW (2)
```

Interpretation: Emergency. Complete security audit needed. Block all deployments.
Next Steps

- CI/CD Integration: automate scanning in your pipeline
- Privacy Grading: deep dive into the grading system
- Detection Methods: understand what's being detected
- Examples: see real-world examples