fix(scan): tune js secret rules for false positives and missed formats#344
Open
TBX3D wants to merge 2 commits into
Open
fix(scan): tune js secret rules for false positives and missed formats#344TBX3D wants to merge 2 commits into
TBX3D wants to merge 2 commits into
Conversation
drop stripe pk_ publishable keys (public by design) and require a digit in the generic secret value so camelCase identifiers stop tripping the entropy gate. add stripe rk_ restricted keys, github fine-grained pat (github_pat_), encrypted pem headers and version-anchored slack xapp tokens; drop the trailing word boundary on the aws-secret and google rules so keys ending in / + or - still match. renames the "stripe live key" rule to "stripe secret key", which changes the rule label in the json findings output.
add unique-prefix credential rules to the js secret bank: gitlab pat (glpat-), anthropic api/admin keys (sk-ant-), npm tokens (npm_), google oauth client secrets (GOCSPX-), stripe webhook secrets (whsec_), shopify app tokens (shp[at|ss|pa|ca]_), sendgrid keys (SG.) and slack incoming webhook urls. all ride the no-entropy slot since the prefix alone is proof, so they carry near-zero false-positive risk.
pr summary2 files changed (+215 -18)
|
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #344 +/- ##
=======================================
Coverage ? 54.77%
=======================================
Files ? 81
Lines ? 6881
Branches ? 0
=======================================
Hits ? 3769
Misses ? 2843
Partials ? 269 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
two fixes to the js secret scanner: several rules had a trailing \b that
silently dropped a match whenever the key's last character (/, +, -) has
no word boundary there (aws secret keys, google api keys); and Stripe's
publishable pk_ keys and test-mode keys were being reported even though
neither is a live secret. the second commit adds detection for several
provider key formats that weren't covered at all (github fine-grained
PATs, gitlab PATs, anthropic keys, npm/google-oauth/stripe-webhook/
shopify/sendgrid tokens, slack incoming-webhook urls) plus a generic
apikey/secret/token="" pattern gated on entropy and requiring a
digit, to avoid flagging camelCase identifiers.