fix(EXPOSED_SECRETS): redact matched secrets in finding evidence#28
Open
dmchaledev wants to merge 1 commit into
Open
fix(EXPOSED_SECRETS): redact matched secrets in finding evidence#28dmchaledev wants to merge 1 commit into
dmchaledev wants to merge 1 commit into
Conversation
The EXPOSED_SECRETS rule echoed the full matched secret verbatim into a finding's `evidence` field (e.g. "Matched value(s): sk-...full key..."), which is serialized into the JSON report. Scan reports are routinely written to CI logs, SARIF artifacts, and GitHub Code Scanning — surfaces that are typically more visible and longer-lived than the config file itself — so the scanner was re-exposing the very credential it asks the user to rotate. Evidence now surfaces the detected secret type, a short structural prefix (e.g. `sk-`, `ghp_`, `AKIA`, `password`), and the value's length — enough to locate the offending value without reproducing it. Adds regression tests asserting the raw secret never appears in evidence. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01FkLc6snp9a3yaJEYF5D6ni
This was referenced Jun 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The flagship
EXPOSED_SECRETSrule re-exposes the very secret it detects by echoing the full matched value into the finding'sevidencefield. That field is serialized into the JSON report (--format=json), which is exactly the output users pipe into CI logs, store as build artifacts, and feed to other tooling. For a scanner whose remediation is "rotate this credential," reproducing the raw secret in its own report — a surface that is typically more visible and longer-lived than the source config — is a self-inflicted leak.Repro (built CLI at current
main)The current code (
src/rules/runtime-rules.ts) only truncates at 60 chars (s.slice(0, 57) + '...'), which still reproduces the entire key for every realistic secret shape, and short passwords in full.Fix
Evidence now surfaces the detected secret type, a short structural prefix (
sk-,ghp_,AKIA, orpassword— a known indicator, not entropy), and the value's length — enough to locate the offending value without reproducing it:SECRET_PATTERNSgains a human-readablelabelper pattern.maskSecret()helper reveals only the leading ≤4 chars + length.The change is localized to the
EXPOSED_SECRETSrule; detection logic (which strings match) is unchanged.Verification
npm run typecheck✓ ·npm run lint(0 warnings) ✓ ·npm test— 102 passed, 4 suites ✓ ·npm run build✓grepfor the raw key in--format=jsonoutput: 0 matches (was the full key).Why this isn't a duplicate
None of the open issues (#27 URL scanning, #26 weak token, #19 YAML, #11
--rule) or open PRs touch secret redaction — they all concern detection/coverage. This is about not leaking what's already detected.Acceptance criteria
evidence(or any report field).🤖 Generated with Claude Code
https://claude.ai/code/session_01FkLc6snp9a3yaJEYF5D6ni
Generated by Claude Code