fix(enrichment): detect GitHub fine-grained PATs in secret-scan #3117
Superagent didn't find any vulnerabilities or security issues in this PR.

Gittensory review result: manual review recommended (review updated 2026-07-04 15:08:36 UTC). Suggested action: manual review. Review summary: nits, 4 non-blocking.
Summary
The secret scanner's `RULES` in `review-enrichment/src/analyzers/secret-scan.ts` detects the classic GitHub token family but not GitHub fine-grained personal access tokens, which are now GitHub's recommended default token type. The existing GitHub rule only matches the `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_` prefixes. A fine-grained PAT has the shape `github_pat_` + 82 base62/underscore characters; the letters g-i-t-h-u-b never contain a `gh[pousr]_` pair, so that rule never matches it, and no other rule has a `github_pat_` prefix.

Concrete false negative (a leaked token in a PR diff, as `scanPatch` receives it): only fires on a `keyword = "quoted value"` shape and would at best report a low-value generic "verify", never a GitHub credential; a bare `KEY=github_pat_…` env/CI line is missed entirely.

Fix: add one rule for `github_pat_` + 82 `[0-9A-Za-z_]` chars, the standard fine-grained-PAT shape, mirroring the existing fixed-length format rules (`npm_{36}`, `hf_{34}`, `glpat-{20}`). Zero false-positive risk: the 11-char literal prefix followed by exactly 82 token chars is not a shape ordinary prose, base64 blobs, or hex hashes produce, and it cannot collide with the existing `github_token` rule.

No linked issue: small, self-evident detection-coverage fix (one additive rule) closing a false negative for the current GitHub-recommended credential format, alongside the token families already covered; no schema/config/deploy change, which fits the repo's preferred (not required) linked-issue policy.

Scope

- `type(scope): short summary` Conventional Commit format, for example `fix(api): restore profile access checks`.
- `CONTRIBUTING.md` and does not reintroduce GitHub Pages, VitePress, `site/`, or `CNAME`.

Validation

- `git diff --check`
- `npm run typecheck`
- `npm run rees:test` (the review-enrichment build + analyzer suite; see note below)
- `npm run test:coverage` (N/A: this file is in `review-enrichment/`, outside the `src/**` Codecov scope)
- `npm run ui:build`
- `npm audit --audit-level=moderate`

If any required check was skipped, explain why:

`git diff --check` (clean), the review-enrichment TypeScript build (`npm --prefix review-enrichment run build`, clean), and the secret-scan analyzer test via `node --test`: 21/21 tests pass, including the new fine-grained-PAT case (asserts `kind: "github_pat"`, `confidence: "high"`, single finding). The change is confined to `review-enrichment/`, outside the `src/**` Codecov scope, so `test:coverage` does not apply. The fixture is assembled from fragments so it is never a contiguous secret literal in source.

`metadata:check` step of `rees:test`. `metadata:check` compares the committed `analyzer-metadata.json` (generated on CI/Linux) against a local regeneration and reports a spurious byte difference on this Windows dev box (it fails identically on unmodified `main`); this change adds a scan rule, not any analyzer descriptor, so the committed metadata is unchanged and `metadata:check` passes on CI (Linux). `analyzer-metadata.json` was NOT modified.

Safety

`UI Evidence` section below with JPG/JPEG or PNG screenshots arranged as organized, captioned, clickable thumbnails. SVG screenshots are not used as review evidence. Review-only screenshots or recordings are not committed to the repository.

Notes

existing rule, so it cannot alter current findings; no analyzer descriptor changes, so `analyzer-metadata.json` is intentionally untouched. The regression fixture is built from string fragments (never a contiguous secret literal), matching the convention the test file already uses.

`review-enrichment/test/secret-scan.test.ts`: a `github_pat_` + 82-char token is now flagged `kind: "github_pat"` at high confidence. All existing token-format assertions are unchanged.
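The false negative and the fix described above, as an added example that is neither the project's `secret-scan.ts` nor the PR author's code. It assumes a minimal rule table shape (`kind`, `pattern`, `confidence`) and a `scanPatch` that only looks at the added lines of a unified diff; the 36-character body for the classic `gh[pousr]_` token rule is an assumption of this example, while the `github_pat_` + 82 `[0-9A-Za-z_]` shape is the one the PR states. The fixtures are constructed and, like the PR's own test, assembled from fragments so no contiguous secret-shaped literal appears in source.

```typescript
// Added example, not the project's secret-scan.ts: a minimal rule table and
// added-line patch scanner that reproduces the false negative the PR
// describes and shows the fine-grained-PAT rule closing it.

type Confidence = "high" | "low";

interface Rule {
  kind: string;
  pattern: RegExp; // global flag so String#match returns every hit on a line
  confidence: Confidence;
}

interface Finding {
  kind: string;
  confidence: Confidence;
  line: number; // 1-based line number within the patch text
  match: string;
}

// Classic GitHub token rule as the PR describes it: gh + one of p/o/u/s/r + '_'.
// The 36-character body length is an assumption of this example, not a figure from the PR.
const GITHUB_TOKEN_RULE: Rule = {
  kind: "github_token",
  pattern: /\bgh[pousr]_[0-9A-Za-z]{36}\b/g,
  confidence: "high",
};

// The rule the PR adds: the 11-char literal prefix followed by exactly 82 base62/underscore chars.
const GITHUB_PAT_RULE: Rule = {
  kind: "github_pat",
  pattern: /\bgithub_pat_[0-9A-Za-z_]{82}\b/g,
  confidence: "high",
};

const RULES_BEFORE: Rule[] = [GITHUB_TOKEN_RULE];
const RULES_AFTER: Rule[] = [GITHUB_TOKEN_RULE, GITHUB_PAT_RULE];

// Scan only the added lines of a unified diff (a single leading '+', not the
// '+++' file header), which is what a PR-diff secret scanner receives.
function scanPatch(patch: string, rules: Rule[]): Finding[] {
  const findings: Finding[] = [];
  patch.split("\n").forEach((line, idx) => {
    if (line.charAt(0) !== "+" || line.indexOf("+++") === 0) return;
    for (const rule of rules) {
      rule.pattern.lastIndex = 0; // defensive: reset shared global regex state
      for (const match of line.match(rule.pattern) || []) {
        findings.push({ kind: rule.kind, confidence: rule.confidence, line: idx + 1, match });
      }
    }
  });
  return findings;
}

// Small repeat helper (keeps the fixtures free of ES2015-only library calls).
function rep(s: string, n: number): string {
  return new Array(n + 1).join(s);
}

// Constructed fixtures, assembled from fragments so that no contiguous
// secret-shaped literal exists in source (the convention the PR's test follows).
const FAKE_FINE_GRAINED_PAT = ["github", "_pat_", rep("11AAAAAAA0", 8), "zz"].join(""); // 82-char body
const FAKE_CLASSIC_TOKEN = ["gh", "p_", rep("A1", 18)].join("");                         // 36-char body

const SAMPLE_PATCH = [
  "--- a/.env.ci",
  "+++ b/.env.ci",
  "@@ -1,1 +1,4 @@",
  " NODE_ENV=production",
  "+GITHUB_TOKEN=" + FAKE_FINE_GRAINED_PAT, // bare KEY=github_pat_... line, the PR's miss
  "+LEGACY_TOKEN=" + FAKE_CLASSIC_TOKEN,    // classic token, already covered
  "+IMAGE_DIGEST=" + rep("ab", 32),         // 64-hex digest: must fire neither rule
].join("\n");

// Redact the matched value before reporting so the scanner's own output never echoes a secret.
function redact(f: Finding): string {
  return f.kind + " (" + f.confidence + ") at line " + f.line + ": " + f.match.slice(0, 11) + "...";
}

for (const f of scanPatch(SAMPLE_PATCH, RULES_BEFORE)) console.log("before:", redact(f));
for (const f of scanPatch(SAMPLE_PATCH, RULES_AFTER)) console.log("after: ", redact(f));
```

Run as-is it prints one `github_token` finding for the rule table before the change and both findings after it; the hex digest line never fires, and an 81-character body or a token on an unchanged context line is not reported, which is the zero-false-positive argument the PR makes expressed as checks.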