Pull request overview
This PR switches the redaction engine’s pattern-based secret scanning from gitleaks to betterleaks, and extends redaction coverage (and tests) for credentialed URIs and private key blocks to ensure the new detector catches previously missed cases.
Changes:
- Replace gitleaks detector usage with betterleaks in `redact.String`.
- Add always-on redaction for credentialed URIs (`scheme://user:password@host...`) plus new unit tests covering common DSN/URL variants.
- Add a regression test ensuring betterleaks initialization doesn’t leak git-related environment variables into subsequent subprocesses; update docs and license allowlist accordingly.
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| redact/redact.go | Switches detector import to betterleaks and adds credentialed-URI regex redaction. |
| redact/redact_test.go | Adds coverage for credentialed URIs and OpenSSH private key block redaction (including JSONL). |
| redact/betterleaks_env_test.go | Adds regression test to ensure betterleaks usage doesn’t poison git environment variables. |
| go.mod | Adds github.com/betterleaks/betterleaks and removes direct gitleaks/v8 dependency. |
| go.sum | Updates dependency checksums after the detector/library switch. |
| docs/security-and-privacy.md | Updates documentation to reference Betterleaks and credentialed-URI redaction. |
| .allowed-licenses | Adds 0BSD to accommodate the new dependency’s license. |
pjbgf approved these changes on Apr 27, 2026.
https://entire.io/gh/entireio/cli/trails/234
Note: Medium Risk
Updates the always-on secret redaction engine and dependency graph, which could change what gets redacted (or missed) in stored transcripts. Adds new URL credential redaction and regression tests to reduce the chance of false negatives and tooling side effects.
Overview
- Switches transcript secret scanning from `gitleaks` to `betterleaks` (new dependency + updated `go.mod`/`go.sum`) and updates security docs accordingly.
- Extends always-on redaction by also matching and redacting credentialed URLs (e.g., `scheme://user:password@host`) and adds coverage for private key blocks and these URLs in `redact` tests.
- Adds a regression test (`betterleaks_env_test.go`) to ensure importing/using the redactor does not leak git-isolation environment variables into subsequent git subprocesses, and updates allowed licenses to include `0BSD`.

Reviewed by Cursor Bugbot for commit 1843314.
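Both review summaries above describe the new always-on redaction of credentialed URIs (`scheme://user:password@host`) in `redact/redact.go`, including its application to JSONL transcript lines. The following is an added, stand-alone Go example written for this page; it is not the project's code and does not reproduce the project's regex. The pattern, the `RedactCredentialedURIs` and `ContainsCredentialedURI` names, the `REDACTED` placeholder and every sample line are assumptions or constructed input. It shows how a regex-based redactor can keep scheme, host, port and path while removing the userinfo, why a JSONL record needs no parsing for this to work, and how an unencoded `@` inside a password is handled so that no fragment of it survives.

```go
package main

import (
	"fmt"
	"regexp"
)

// Illustrative pattern (an assumption for this example, not the project's own regex):
//   group 1: scheme followed by "://"
//   group 2: user part, which may be empty (e.g. redis://:pass@host)
//   group 3: password, matched greedily up to the LAST '@' before a '/' or
//            whitespace, so an unencoded '@' inside the password leaves no tail
// The trailing '@' anchors the match, so a plain host:port never matches.
var credentialedURI = regexp.MustCompile(`([a-zA-Z][a-zA-Z0-9+.-]*://)([^/\s:@]*):([^\s/]+)@`)

// placeholder replaces the whole userinfo (user and password) in the output.
const placeholder = "REDACTED"

// RedactCredentialedURIs replaces the userinfo of every credentialed URI in s,
// keeping scheme, host, port, path and query intact so the line stays diagnosable.
// It operates on raw text, so a JSONL record is handled without parsing it.
func RedactCredentialedURIs(s string) string {
	return credentialedURI.ReplaceAllString(s, "${1}"+placeholder+"@")
}

// ContainsCredentialedURI reports whether s still carries a user:password@ URI;
// useful as a post-condition check on redacted output.
func ContainsCredentialedURI(s string) bool {
	return credentialedURI.MatchString(s)
}

func main() {
	// Constructed sample lines; none of these are real credentials.
	samples := []string{
		"postgres://admin:s3cret@db.example.com:5432/app?sslmode=require",
		"mysql://root:pa$$w0rd@localhost/inventory",
		"redis://:hunter2@cache:6379/0",                // empty user
		"ftp://deploy:p@ss@files.example.com/incoming", // unencoded '@' in password
		`{"level":"info","msg":"git fetch https://ci-bot:EXAMPLE_TOKEN@github.com/org/repo.git"}`, // JSONL record
		"https://example.com:8080/path?x=1",       // no userinfo: untouched
		"connect to db.example.com:5432 as admin", // host:port without scheme: untouched
	}
	for _, in := range samples {
		out := RedactCredentialedURIs(in)
		fmt.Printf("%s\n  -> %s (credential left: %v)\n", in, out, ContainsCredentialedURI(out))
	}
}
```

The greedy password group is a deliberate trade-off: it anchors on the last `@` before a path separator or whitespace, so `deploy:p@ss@host` is redacted whole rather than leaving `ss@host` behind, at the cost of occasionally over-redacting a host when an unrelated `@` follows on the same unbroken token (redacting too much is the safer failure). A userinfo with no colon, such as `scheme://token@host`, is outside what this example's pattern covers and would need a separate rule or the pattern/entropy detector.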