feat(EXPOSED_SECRETS): broaden secret detection and stop leaking matched values#35
Open
dmchaledev wants to merge 1 commit into
Open
feat(EXPOSED_SECRETS): broaden secret detection and stop leaking matched values#35dmchaledev wants to merge 1 commit into
dmchaledev wants to merge 1 commit into
Conversation
…hed values Expand the EXPOSED_SECRETS rule from 4 to 9 high-confidence credential patterns and stop echoing the matched secret into the finding. New patterns: PEM private keys (RSA/EC/OPENSSH/DSA), Slack tokens, Google API keys, Stripe live secret keys, scoped GitHub tokens (gho_/ghu_/ghs_/ ghr_) and fine-grained PATs (github_pat_), and AWS temporary access keys (ASIA) alongside the existing AKIA. Patterns remain prefix-anchored to keep the false-positive rate low — a JWT-shaped auth.token is not flagged. The finding evidence previously truncated and printed the matched secret, re-exposing it in CI logs and uploaded SARIF. It now names the secret *types* detected instead (e.g. "Detected 2 likely secret type(s): OpenAI API key, PEM private key"). Adds the first test coverage for EXPOSED_SECRETS: per-pattern positive cases, the no-leak evidence guarantee, type de-duplication, and false-positive guards (JWT token, ordinary config strings, absent input). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01NYU6nnRkj9cM4yobBvUKwG
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Hardens the
EXPOSED_SECRETSrule — the scanner's CRITICAL "hardcoded secret" check — on two fronts: it caught too little, and it re-exposed what it did catch.1. Broader detection (false-negative fix)
EXPOSED_SECRETSmatched only 4 credential formats (OpenAIsk-, classic GitHubghp_, AWSAKIA,password:). It silently missed several of the most common things people hardcode into MCP configs. Detection is now 9 high-confidence patterns, adding:-----BEGIN … PRIVATE KEY-----(RSA/EC/OPENSSH/DSA/PGP)xox[baprs]-…AIza…[sr]k_live_…gho_/ghu_/ghs_/ghr_) and fine-grained PATs (github_pat_…)ASIA…(alongside existing long-termAKIA…)All patterns stay prefix-/structure-anchored to keep the false-positive rate low — a JWT-shaped
transport.auth.token(which the auth rules treat as valid auth) is not flagged, and the bundledexamples/secure-config.jsonstays clean.2. No longer leaks the matched secret (security fix)
The finding's
evidencepreviously printed a truncated copy of the matched credential — which then flows into CI logs and uploaded SARIF, re-exposing the very secret the rule exists to catch. It now reports the secret types detected instead:Tests
Adds the first test coverage for
EXPOSED_SECRETS(it had none): a per-pattern positive case for each format, the no-leak evidence guarantee, type de-duplication, and false-positive guards (JWT token, ordinary config strings, absent input). Full suite: 135 passing (was 118).buildandlintclean.Scope
Localized to
src/rules/runtime-rules.tsplus tests and a CHANGELOG entry. No public API or output-schema changes; the only behavioral change to existing findings is thatevidencenow names the secret type rather than echoing the value.🤖 Generated with Claude Code
Generated by Claude Code