fix(core): secure secret exclusions, language states, and memory bounded caches#47
Merged
Merged
Conversation
1. Security: Remove test/config files from security detector exclusion list to prevent leaked secrets. 2. State: Make plan file paths language-specific (e.g., plan-python.json) to prevent multi-language run collisions. 3. Cache: Add LRU eviction policy to FileTextCache to prevent OOM errors on large repos.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR introduces 3 critical production-ready fixes identified during deep architecture & security audits across the codebase:
Security Vulnerability Fix (False Negatives) 🛡️
Removed
testandconfigzones from the global_EXCLUDED_SECURITY_ZONES. Developers often accidentally leak API keys, credentials, and secure passwords into test fixtures or configuration files. The scanner will now aggressively look for secrets in these areas while correctly ignoring generated blocks and vendor dependencies.Platform Reliability & Multi-Lang State Handling 🥷
Fixed a highly disruptive condition where parallel language scans (like a Python backend and TypeScript frontend) in the same project repeatedly corrupted and overwrote a shared
plan.jsonqueue. Refactored the path binding to properly branch state plans respectively (e.g.plan-python.json,plan-typescript.json).Architecture Memory Overload Mitigation (OOM Fix) 💻
The
FileTextCacheservice in the core scan engine persisted string representations of read files into an unbounded dictionary. Scanning ultra-large enterprise mono-repos resulted in scaling memory leaks causing eventual system OOM (Out-of-memory) shutdown. This component has been updated with a bounded, LRU-like caching mechanism (max_entries).Validations