Merged
git remote get-url returns whatever is in .git/config, which can include personal access tokens embedded as userinfo. These were being printed verbatim in the JSON, text and markdown reports, and were also being passed to the scorecard API during enrichment. Remote URLs now go through redactURL before they reach the report. Any password component is stripped, and bare usernames that look like tokens (known github_pat_/ghp_/glpat- prefixes, or 24+ char alphanumeric blobs) are replaced with REDACTED. Ordinary ssh git@ remotes and short real usernames are left untouched. Also stop echoing the raw clone URL in remote.cloneURL errors; git's own stderr already prints a credential-safe failure message.
`git remote get-url` returns whatever is stored in `.git/config`, which can include personal access tokens embedded in the userinfo section of HTTPS URLs. brief was printing these verbatim in JSON, text and markdown output, and passing them to the scorecard API during enrichment.

Remote URLs now go through `redactURL` before reaching the report. Any password component is stripped, and bare usernames that look like tokens (known `github_pat_`/`ghp_`/`glpat-` style prefixes, or 24+ character alphanumeric blobs) are replaced with `REDACTED`. Ordinary `git@` SSH remotes and short real usernames are left untouched so the common case isn't mangled.

Also stops echoing the raw clone URL in `remote.cloneURL` errors, since git's own stderr already prints a credential-safe failure message.

Test fixtures are built with `strings.Repeat` so they don't trip GitHub secret scanning on this repo.
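One way to implement the redaction rules described above, as an added example that is not brief's own `redactURL`: the prefix list, the 24-character threshold, the `REDACTED` marker and the untouched-SSH rule come from the description, while the `net/url` based parsing and the constructed sample remote are assumptions about how it could be done.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Token prefixes named in the PR; a bare username starting with one is a credential.
var tokenPrefixes = []string{"github_pat_", "ghp_", "glpat-"}

// A 24+ character alphanumeric username is more likely a token than an account name.
var longBlob = regexp.MustCompile(`^[A-Za-z0-9]{24,}$`)

// looksLikeToken reports whether a bare username should be redacted.
func looksLikeToken(user string) bool {
	for _, p := range tokenPrefixes {
		if strings.HasPrefix(user, p) {
			return true
		}
	}
	return longBlob.MatchString(user)
}

// redactURL drops any password component and replaces token-like usernames with
// REDACTED. Inputs that do not parse as a URL with a userinfo section, such as
// scp-style git@host:path remotes, are returned unchanged.
func redactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.User == nil {
		return raw
	}
	user := u.User.Username()
	if looksLikeToken(user) {
		user = "REDACTED"
	}
	// url.User builds userinfo without a password, so this one assignment both
	// strips "user:pass@" and applies the username replacement.
	u.User = url.User(user)
	return u.String()
}

func main() {
	// Constructed sample remote, not a real credential.
	fmt.Println(redactURL("https://alice:s3cret@github.com/o/r.git"))
}
```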