Skip to content

fix(core): secure secret exclusions, language states, and memory bounded caches#47

Merged
DivyamTalwar merged 2 commits into
mainfrom
fix/vulnerability-state-cache
Mar 26, 2026
Merged

fix(core): secure secret exclusions, language states, and memory bounded caches#47
DivyamTalwar merged 2 commits into
mainfrom
fix/vulnerability-state-cache

Conversation

@DivyamTalwar

Copy link
Copy Markdown
Owner

Description

This PR introduces 3 critical production-ready fixes identified during deep architecture & security audits across the codebase:

  1. Security Vulnerability Fix (False Negatives) 🛡️
    Removed test and config zones from the global _EXCLUDED_SECURITY_ZONES. Developers often accidentally leak API keys, credentials, and secure passwords into test fixtures or configuration files. The scanner will now aggressively look for secrets in these areas while correctly ignoring generated blocks and vendor dependencies.

  2. Platform Reliability & Multi-Lang State Handling 🥷
    Fixed a highly disruptive condition where parallel language scans (like a Python backend and TypeScript frontend) in the same project repeatedly corrupted and overwrote a shared plan.json queue. Refactored the path binding to properly branch state plans respectively (e.g. plan-python.json, plan-typescript.json).

  3. Architecture Memory Overload Mitigation (OOM Fix) 💻
    The FileTextCache service in the core scan engine persisted string representations of read files into an unbounded dictionary. Scanning ultra-large enterprise mono-repos resulted in scaling memory leaks causing eventual system OOM (Out-of-memory) shutdown. This component has been updated with a bounded, LRU-like caching mechanism (max_entries).

Validations

  • Unit tests run & confirmed.
  • Updated rules for security coverage verification.

1. Security: Remove test/config files from security detector exclusion list to prevent leaked secrets.
2. State: Make plan file paths language-specific (e.g., plan-python.json) to prevent multi-language run collisions.
3. Cache: Add LRU eviction policy to FileTextCache to prevent OOM errors on large repos.
@DivyamTalwar DivyamTalwar merged commit 15958a0 into main Mar 26, 2026
13 checks passed
@DivyamTalwar DivyamTalwar deleted the fix/vulnerability-state-cache branch March 26, 2026 09:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant