fix(review): tighten hyphenated secret placeholder scan#3673
Conversation
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
|
Warning 🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨 ⏸️ Gittensory review result - manual review recommendedReview updated: 2026-07-06 02:03:41 UTC
⏸️ Suggested Action - Manual Review
Review summary Nits — 3 non-blocking
Concerns raised — review before merging
Review context
Contributor next steps
Signal definitions
🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #3673 +/- ##
=======================================
Coverage 93.20% 93.20%
=======================================
Files 313 313
Lines 31910 31910
Branches 11677 11677
=======================================
Hits 29741 29741
Misses 1517 1517
Partials 652 652
🚀 New features to boost your workflow:
|
) PR #5346 (a resubmission of #5341) was auto-closed over two inert test-fixture strings that matched the generic_secret_assignment keyword-plus-quoted-value SHAPE but weren't real credentials -- the same heuristic has now caused at least eight prior false-positive incidents (#2613, #3178, #3673, #3866, #4587, #4733, plus several fixture-rewording commits), each patched by narrowing an allowlist rather than fixing the underlying design. REES's own copy of this rule already rates it "medium confidence" ("catches real keys but also the occasional long opaque non-secret"), and content-lane/security-scan.ts's own header states the design principle this violated: a gate that auto-closes with no human queue may only hard-close on a signal unambiguous enough that a false positive is essentially impossible. Split generic_secret_assignment out of HARD_SECRET_KINDS into a new ADVISORY_ONLY_SECRET_KINDS: it still surfaces (a warning-severity possible_secret_assignment finding / a "manual" content-lane verdict), but never auto-blocks or auto-closes on its own. Concrete credential formats (github_token, aws_access_key, private_key_block, ...) are unaffected and remain unconditional hard blockers. Also add a structural placeholder heuristic (looksLikeDescriptive PlaceholderPhrase, mirrored in REES): a value with 5+ lowercase-only hyphen/underscore segments containing an English function word reads as written prose describing the value, not a credential or a chosen passphrase -- this independently resolves both PR #5346 literals without weakening detection of a genuine human-chosen passphrase like "correct-horse-battery-secret" (no function words, by design).
Motivation
generic_secret_assignmentmatches, which incorrectly allowed plausible passphrase-style credentials (e.g.password = "correct-horse-battery-staple") to bypass the hardsecret_leakgate.installation-token) while preserving hard-blocking behavior for sensitive keys such aspassword,passwd, andclient_secret.Description
mockto the placeholder pattern. (src/review/secrets-scan.ts).installation-token), and makeisPlaceholderSecretValueaccept(key, value)so password-like keys are not exempted. (src/review/secrets-scan.ts).hasGenericSecretAssignmentto use the key-aware placeholder check and preserve existing monotonic-run / placeholder checks so high-entropy tokens still block. (src/review/secrets-scan.ts).password/passwd/client_secret(and multi-segment tokens) are flagged, and add an advisory wiring test verifying a lowercase-hyphenated password assignment becomes asecret_leakwith file:line location. (test/unit/secrets-scan.test.ts,test/unit/safety-wiring.test.ts).Testing
npx vitest run test/unit/secrets-scan.test.ts test/unit/safety-wiring.test.ts, and all selected tests passed.npm run typecheckand it completed successfully.npm run test:coveragebut the repository-wide suite failed to complete due to unrelated long-running/timeouts in existing backfill tests and global coverage thresholds (existing unrelated tests caused the run to exceed time/thresholds).npm audit --audit-level=moderatebut the environment returned403 Forbiddenfor the npm audit endpoint so the dependency-audit step could not be completed here.Codex Task