opena2a protect
Single command to fix all auto-fixable findings. Migrate credentials, fix .gitignore, exclude AI configs from git, sign config files, and show before/after security score.
Usage
```shell
opena2a protect [options]
```
Description
After opena2a init diagnoses your project, run opena2a protect to fix everything fixable in one step: migrate hardcoded credentials to vault, fix .gitignore to exclude .env files, add AI config files (CLAUDE.md, .cursorrules) to .git/info/exclude, sign config files for tamper detection, and display a before/after security score.
Options
| Flag | Description |
|---|---|
| --dir <path> | Target directory. |
| --dry-run | Preview changes without modifying files. |
| --report <path> | Write interactive HTML report. |
| --skip-verify | Skip verification re-scan after migration. |
| --skip-liveness | Skip drift liveness verification (offline/CI). |
| --skip-sign | Skip config signing phase. |
| --skip-git | Skip git hygiene fixes (.gitignore, .git/info/exclude). |
| --format <text\|json> | Output format. |
| --ci | CI mode. |
| --verbose | Verbose output. |
Detected Credential Patterns
| ID | Pattern | Severity |
|---|---|---|
| CRED-001 | Anthropic API Key (sk-ant-api*) | Critical |
| CRED-002 | OpenAI API Key (sk-*, sk-proj-*) | Critical |
| CRED-003 | GitHub Token (ghp_*, ghs_*) | High |
| CRED-004 | Generic API Key in assignment | Medium |
| DRIFT-001 | Google API Key with Gemini drift (AIza*) | High |
| DRIFT-002 | AWS Access Key with Bedrock drift (AKIA*) | High |
Language-Aware Replacements
Credentials are replaced with the appropriate environment variable syntax for each language:
| Language | Replacement Format |
|---|---|
| JavaScript / TypeScript | process.env.VAR_NAME |
| Python | os.environ.get('VAR_NAME') |
| Go | os.Getenv("VAR_NAME") |
| Ruby | ENV['VAR_NAME'] |
| Java / Kotlin | System.getenv("VAR_NAME") |
| Rust | std::env::var("VAR_NAME").unwrap_or_default() |
| YAML / TOML / JSON | ${VAR_NAME} |
| Shell | $VAR_NAME |
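To make the two tables above concrete, here is an added illustration (not opena2a's own code) of how a line containing one of the listed credential prefixes is detected and rewritten with the per-language environment variable syntax. The regex suffixes after each prefix, the environment variable names assigned to each finding, and the quote handling are assumptions; CRED-004 (generic assignment) is left out because the page gives no prefix for it.

```python
import re

# Constructed detectors keyed by the finding IDs from the table above. Only the
# prefixes come from the page; the length/charset suffixes and the environment
# variable name chosen for each finding are assumptions, not the tool's own.
# Order matters: the Anthropic prefix also begins with "sk-", so it is tried first.
DETECTORS = [
    ("CRED-001", "ANTHROPIC_API_KEY", r"sk-ant-api[A-Za-z0-9_-]{8,}"),
    ("CRED-002", "OPENAI_API_KEY", r"sk-(?:proj-)?[A-Za-z0-9_-]{8,}"),
    ("CRED-003", "GITHUB_TOKEN", r"gh[ps]_[A-Za-z0-9]{8,}"),
    ("DRIFT-001", "GOOGLE_API_KEY", r"AIza[A-Za-z0-9_-]{8,}"),
    ("DRIFT-002", "AWS_ACCESS_KEY_ID", r"AKIA[A-Z0-9]{8,}"),
]

# Replacement syntax per language, taken from the Language-Aware Replacements table.
ENV_SYNTAX = {
    "javascript": "process.env.{name}",
    "python": "os.environ.get('{name}')",
    "go": 'os.Getenv("{name}")',
    "ruby": "ENV['{name}']",
    "java": 'System.getenv("{name}")',
    "rust": 'std::env::var("{name}").unwrap_or_default()',
    "yaml": "${{{name}}}",  # .format() renders this as ${VAR_NAME}
    "shell": "${name}",     # and this as $VAR_NAME
}


def detect(line):
    """Return (finding_id, env_var_name, match) for the first credential in the
    line, or None. Group 1 captures an optional quote that must be repeated after
    the secret, so a quoted literal is replaced whole rather than just its inside."""
    for finding_id, name, pattern in DETECTORS:
        m = re.search(r"""(["']?)(%s)\1""" % pattern, line)
        if m:
            return finding_id, name, m
    return None


def migrate_line(line, language):
    """Swap a hardcoded credential for the env-var reference of `language`.
    Returns (new_line, finding_id); finding_id is None and the line is returned
    unchanged when nothing is detected."""
    found = detect(line)
    if found is None:
        return line, None
    finding_id, name, m = found
    reference = ENV_SYNTAX[language].format(name=name)
    return line[:m.start()] + reference + line[m.end():], finding_id
```

The sample values used to exercise it (e.g. `AKIAIOSFODNN7EXAMPLE`) are constructed placeholders, not real secrets.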
What Protect Fixes
- Credentials -- Scan, vault, replace with env var references, register broker policies
- Drift liveness -- Verify if scope drift findings are active (DRIFT-001, DRIFT-002)
- .env.example -- Add migrated variable names
- AI tool configs -- Update CLAUDE.md with secretless instructions
- .gitignore -- Create or update to exclude .env files
- AI config exclusion -- Add CLAUDE.md, .cursorrules, etc. to .git/info/exclude
- Config signing -- Sign config files for tamper detection
- Verification -- Re-scan and display before/after security score
Examples
```shell
opena2a protect
opena2a protect --dry-run
opena2a protect --report security-report.html
opena2a protect --dry-run --ci --format json
```
Interactive HTML Report
The --report flag generates a self-contained HTML file with an interactive dashboard, severity filtering, text search, audience toggle (Executive / Engineering views), and SVG donut chart. No external dependencies -- open it directly in any browser.