Skip to content

fix(scan): tune js secret rules for false positives and missed formats#344

Open
TBX3D wants to merge 2 commits into
vmfunc:mainfrom
TBX3D:fix/secrets-rule-hardening
Open

fix(scan): tune js secret rules for false positives and missed formats#344
TBX3D wants to merge 2 commits into
vmfunc:mainfrom
TBX3D:fix/secrets-rule-hardening

Conversation

@TBX3D

@TBX3D TBX3D commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

two fixes to the js secret scanner: several rules had a trailing \b that
silently dropped a match whenever the key's last character (/, +, -) has
no word boundary there (aws secret keys, google api keys); and Stripe's
publishable pk_ keys and test-mode keys were being reported even though
neither is a live secret. the second commit adds detection for several
provider key formats that weren't covered at all (github fine-grained
PATs, gitlab PATs, anthropic keys, npm/google-oauth/stripe-webhook/
shopify/sendgrid tokens, slack incoming-webhook urls) plus a generic
apikey/secret/token="" pattern gated on entropy and requiring a
digit, to avoid flagging camelCase identifiers.

TBX3D added 2 commits July 9, 2026 14:58
drop stripe pk_ publishable keys (public by design) and require a digit in
the generic secret value so camelCase identifiers stop tripping the entropy
gate. add stripe rk_ restricted keys, github fine-grained pat (github_pat_),
encrypted pem headers and version-anchored slack xapp tokens; drop the
trailing word boundary on the aws-secret and google rules so keys ending in
/ + or - still match.

renames the "stripe live key" rule to "stripe secret key", which changes
the rule label in the json findings output.
add unique-prefix credential rules to the js secret bank: gitlab pat
(glpat-), anthropic api/admin keys (sk-ant-), npm tokens (npm_), google
oauth client secrets (GOCSPX-), stripe webhook secrets (whsec_), shopify
app tokens (shp[at|ss|pa|ca]_), sendgrid keys (SG.) and slack incoming
webhook urls. all ride the no-entropy slot since the prefix alone is
proof, so they carry near-zero false-positive risk.
@TBX3D TBX3D requested a review from vmfunc as a code owner July 9, 2026 21:59
@github-actions github-actions Bot added size/l <500 lines changed scan changes to scan engine modules changes to scan modules tests test changes labels Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

pr summary

2 files changed (+215 -18)

category files
go source 2
tests 1

@codecov-commenter

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@7ea1cd2). Learn more about missing BASE report.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #344   +/-   ##
=======================================
  Coverage        ?   54.77%           
=======================================
  Files           ?       81           
  Lines           ?     6881           
  Branches        ?        0           
=======================================
  Hits            ?     3769           
  Misses          ?     2843           
  Partials        ?      269           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

modules changes to scan modules scan changes to scan engine size/l <500 lines changed tests test changes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants