KyZN: fix HIGH+MEDIUM+LOW findings (20260330-234929-20461c76)#3

Merged
bokiko merged 3 commits into main from kyzn/20260330-analyze-fix-20461c76 on Mar 30, 2026

Conversation

@bokiko (Owner) commented Mar 30, 2026

Analysis Fixes

Applied fixes for findings at severity LOW and above.

Run ID: 20260330-234929-20461c76
Cost: $2.76
Batches: 3 applied (HIGH → MEDIUM → LOW), 0 failed, 0 skipped
Diff: 349 lines

Changes

 gitshield/cli.py              |  15 ++++-
 gitshield/config.py           |  37 +++++++++++-
 gitshield/db.py               |  19 ++++++
 gitshield/engine.py           |  43 +++++++++-----
 gitshield/hook.py             |  37 ++++++++----
 gitshield/monitor.py          |   3 +-
 gitshield/notifier.py         |  18 +++---
 gitshield/patterns.py         |   4 +-
 gitshield/scanner.py          |   8 +--
 tests/fixtures/secret_file.py |   4 +-
 tests/test_claude.py          |  16 ++++-
 tests/test_config.py          |   4 +-
 tests/test_engine.py          |   4 +-
 tests/test_monitor.py         | 134 ++++++++++++++++++++++++++++++++++++++++++
 tests/test_scanner_unit.py    |   3 +-
 15 files changed, 291 insertions(+), 58 deletions(-)

What Was Fixed

HIGH: 129/129 tests pass. Here's a summary of all changes made:


SEC-001 gitshield/hook.py:35–41

  • Moved from pathlib import Path to module-level imports
  • Replaced lower.endswith(pattern) with Path(filepath).name.lower() in ALLOWED_PATHS — only files literally named .env.example etc. match, preventing bypass via paths like /secrets/malicious.env.example
  • Added regression test test_handle_hook_blocks_allowlist_bypass_via_suffix in tests/test_claude.py

BUG-001 gitshield/engine.py:300, 375–416

  • Added config_threshold, extra_patterns, scan_tests params to _scan_staged
  • Updated scan_directory to forward all three params to _scan_staged
  • In _scan_staged, now passes config_threshold/extra_patterns to scan_file and skips test files when scan_tests=False

PERF-001 gitshield/patterns.py:590–598

  • Updated cohere-api-key regex from bare [A-Za-z0-9]{40} to require a contextual keyword prefix (cohere_api_key, COHERE_API_KEY, etc.) — eliminates false positives on git SHAs, UUIDs, and base64 chunks

TEST-001 tests/test_monitor.py (new file, 10 tests)

  • RepoInfo validation: valid case, invalid owner, invalid name with spaces, owner with slash
  • clone_and_scan: skips recently-scanned repos, doesn't check skip when skip_recent=False, rejects non-GitHub URLs (evil.com, http://), returns empty on clone failure
  • fetch_public_events: raises GitHubError when requests is None

MEDIUM: The background test run confirmed all 129 tests pass (exit code 0). Nothing more to do unless you have additional changes.

Approach

Findings were batched by severity tier (CRITICAL → HIGH → MEDIUM → LOW).
Each batch was verified and committed independently — if a batch broke tests,
self-repair was attempted. Failed batches were reverted to protect passing code.
Diff budget was tracked incrementally to prevent waste.


Generated by KyZN — autonomous code improvement
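The two checks the PR description above changes, SEC-001 (allowlist matching by suffix versus by basename) and PERF-001 (a bare 40-character token versus one that requires a contextual keyword), reproduced below as a stand-alone illustration. This is added example code, not gitshield's own source: the `ALLOWED_PATHS` contents, the sample lines, and the exact regexes are constructed here from the description, so the keyword-prefixed pattern is an approximation of the one in patterns.py rather than a copy of it.

```python
import re
from pathlib import Path

# Constructed allowlist; the real ALLOWED_PATHS in gitshield/hook.py is not shown on the page.
ALLOWED_PATHS = {".env.example", ".env.sample", ".env.template"}


def allowed_by_suffix(filepath: str) -> bool:
    """Vulnerable form (pre-fix): suffix matching accepts any path that merely
    ends in an allowlisted name, e.g. /secrets/malicious.env.example."""
    lower = filepath.lower()
    return any(lower.endswith(pattern) for pattern in ALLOWED_PATHS)


def allowed_by_basename(filepath: str) -> bool:
    """Hardened form (post-fix): only a file literally named .env.example etc.
    is allowlisted, regardless of the directory it sits in."""
    return Path(filepath).name.lower() in ALLOWED_PATHS


# Pre-fix shape: a bare 40-char alphanumeric run also matches git SHAs and base64 chunks.
COHERE_BARE = re.compile(r"\b[A-Za-z0-9]{40}\b")

# Post-fix shape (constructed approximation): the token must follow a cohere_api_key-style
# keyword and an assignment separator; the key itself is captured in group 1.
COHERE_CONTEXT = re.compile(
    r"(?i)\bcohere[_-]?api[_-]?key\b\s*[:=]\s*['\"]?([A-Za-z0-9]{40})\b"
)


def cohere_hits(text: str, contextual: bool) -> list:
    """Return the candidate secrets a pattern finds in text."""
    pattern = COHERE_CONTEXT if contextual else COHERE_BARE
    return [m.group(m.lastindex or 0) for m in pattern.finditer(text)]


# Constructed sample: one git SHA (false positive) and two real-looking key assignments.
SAMPLE_TEXT = """commit 0123456789abcdef0123456789abcdef01234567
COHERE_API_KEY = "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9t0"
cohere_api_key: A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9t0
"""

if __name__ == "__main__":
    bypass = "/secrets/malicious.env.example"
    print("suffix check allows bypass path:  ", allowed_by_suffix(bypass))
    print("basename check allows bypass path:", allowed_by_basename(bypass))
    print("basename check allows real sample:", allowed_by_basename("config/.env.example"))
    print("bare pattern hits:      ", len(cohere_hits(SAMPLE_TEXT, contextual=False)))
    print("contextual pattern hits:", len(cohere_hits(SAMPLE_TEXT, contextual=True)))
```

The basename comparison fails closed on anything unusual: a path whose final component is not exactly an allowlisted name is scanned, so an attacker cannot hide a real secrets file behind an allowlisted-looking suffix. The contextual regex trades a little recall for precision; a key that appears without any `cohere_api_key`-style label nearby is no longer reported, which is the intended effect the description attributes to PERF-001.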

@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@bokiko bokiko merged commit 31d2c21 into main Mar 30, 2026
6 of 7 checks passed
@bokiko bokiko deleted the kyzn/20260330-analyze-fix-20461c76 branch March 30, 2026 22:38