feat(EXPOSED_SECRETS): expand secret coverage and stop leaking matched secrets in evidence#38
Open
dmchaledev wants to merge 1 commit into
Open
feat(EXPOSED_SECRETS): expand secret coverage and stop leaking matched secrets in evidence#38dmchaledev wants to merge 1 commit into
dmchaledev wants to merge 1 commit into
Conversation
The secret scanner only recognized 4 credential formats and, notably,
could not detect Anthropic API keys — the legacy `sk-[a-zA-Z0-9]{20,}`
pattern never matches `sk-ant-api03-…` because of the embedded hyphens.
It also echoed up to 57 chars of the raw secret into a finding's
`evidence`, which is written to SARIF and frequently uploaded to GitHub
Code Scanning, re-exposing the very credential the rule exists to catch.
- Add high-confidence, vendor-specific signatures: Anthropic, OpenAI
(incl. `sk-proj-`), GitHub fine-grained PATs and classic `gh*_` tokens,
AWS (AKIA/ASIA), Google API keys, Slack, Stripe live keys, and PEM
private-key blocks. Anthropic is matched before the broader OpenAI
`sk-` pattern so keys are attributed to the right vendor.
- Label each match by credential type and redact the value in evidence
(short prefix + length) so reports no longer leak the secret.
- Add EXPOSED_SECRETS test coverage (previously none), including an
Anthropic-key regression and an evidence-redaction assertion.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01M1zsQVC8kHrLpQw5UtjZoS
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two related correctness/safety fixes to the core
EXPOSED_SECRETSrule (src/rules/runtime-rules.ts).1. Coverage gap — common secrets (including Anthropic keys) go undetected
The rule shipped with only 4 signatures (
sk-…,ghp_…,AKIA…,password=…). Most notably, it cannot detect Anthropic API keys — ironic for a tool in the Anthropic/MCP ecosystem. The legacy OpenAI patternsk-[a-zA-Z0-9]{20,}never matchessk-ant-api03-…because of the embedded hyphens:Newly recognized, high-confidence vendor signatures:
sk-ant-api…/sk-ant-admin…) — matched before the broader OpenAIsk-pattern so keys are attributed to the right vendorsk-proj-…)github_pat_…) and classicgh[oprsu]_…tokensAKIA/ASIA)AIza…)xox[baprs]-…)sk_live_…/rk_live_…)-----BEGIN … PRIVATE KEY-----)2. The scanner leaked the secret it flagged
evidenceechoed up to 57 characters of the raw secret. That evidence is written into SARIF output, which is routinely uploaded to GitHub Code Scanning — re-exposing the exact credential the rule exists to catch. Matched values are now labelled by type and redacted to a short non-sensitive prefix plus length:Tests
EXPOSED_SECRETSpreviously had no test coverage. Added a parametrized detection test for every signature, an Anthropic-key regression (the case the legacy pattern missed), an evidence-redaction assertion, and a no-false-positive check on ordinary config strings.npm run typecheck✅npm run lint✅npm test✅ (133 passed, up from 118)npm run build✅Notes
ghp_entry was dropped as redundant — thegh[oprsu]_pattern already coversghp_/gho_/ghr_/ghs_/ghu_.🤖 Generated with Claude Code
https://claude.ai/code/session_01M1zsQVC8kHrLpQw5UtjZoS
Generated by Claude Code