
fix(ci): bump secret-scanner SHA pin + scanner-allow pragma on test fixture #377

Merged
hyperpolymath merged 1 commit into main from fix/shell-secrets-false-positives on May 28, 2026

Conversation

@hyperpolymath
Owner

Summary

  • Bumps secret-scanner-reusable.yml pin from 3e4bd4c to 28fdf19 (standards#236).
  • Adds # scanner-allow: shell-secrets pragma above export ARANGODB_PASSWORD="testpassword" in integration/run-tests.sh.
  • hooks/lib/cache.sh line 22 (CICD_CACHE_PASSWORD="${CICD_CACHE_PASSWORD:-}") now passes automatically via the new param-expansion exemption — no code change needed there.

What changed in standards#236

The shell-secrets scanner job in the reusable gained four exemption layers:

  1. Inline pragma (# scanner-allow: shell-secrets or # hypatia: allow security_errors/secret_detected) on same or preceding line.
  2. .shell-secrets-ignore file support (gitignore-style path globs).
  3. Automatic param-expansion skip (${VAR:-}, ${VAR:?}, $VAR — not literals).
  4. Comment-line skip (lines starting with # cannot hold real secrets).

Test plan

  • Local smoke: all three false-positive lines skip cleanly with the new scanner logic.
  • CI green on this PR (shell-secrets job should now pass on main).

🤖 Generated with Claude Code

…st fixture

Bumps the secret-scanner-reusable.yml pin from 3e4bd4c to 28fdf19
(standards#236: adds pragma + param-expansion + comment-line exemptions).

Adds `# scanner-allow: shell-secrets` pragma above the
`export ARANGODB_PASSWORD="testpassword"` line in integration/run-tests.sh.
The pragma makes the intent machine-readable; the param-expansion in
hooks/lib/cache.sh (CICD_CACHE_PASSWORD="${CICD_CACHE_PASSWORD:-}") now
passes automatically via the scanner's new RHS-detection logic.

Fixes: scan / shell-secrets persistent red on main.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
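The four exemption layers named in the PR description and restated in the commit message (inline pragma, `.shell-secrets-ignore` globs, parameter-expansion skip, comment-line skip) are easy to get subtly wrong, so here is a small scanner that applies all four to constructed sample files. This is an added example, not code from this PR or from the standards repository's reusable workflow: the secret-looking variable-name heuristic, the regular expressions, the fnmatch-based ignore matching and the sample file contents are all assumptions made for the illustration; the reusable workflow's real matching rules are not shown on this page.

```python
"""Toy shell-secrets scanner with the four exemption layers described in the PR.

Constructed example; the name heuristic and regexes are assumptions, not the
reusable workflow's actual rules.
"""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass

# A shell assignment, optionally exported, captured as name and right-hand side.
ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?(?P<name>[A-Za-z_][A-Za-z0-9_]*)=(?P<rhs>.*)$")
# Assumed heuristic for "secret-looking" variable names.
SECRET_NAME_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY", re.IGNORECASE)
# Layer 1: the two inline pragma spellings the PR description lists.
PRAGMA_RE = re.compile(
    r"#\s*(?:scanner-allow:\s*shell-secrets|hypatia:\s*allow\s+security_errors/secret_detected)"
)
# Layer 3: an RHS that is purely a parameter expansion (${VAR:-}, ${VAR:?}, $VAR), not a literal.
PARAM_EXPANSION_RE = re.compile(
    r'^"?\$(?:\{[A-Za-z_][A-Za-z0-9_]*(?::?[-?=+][^}]*)?\}|[A-Za-z_][A-Za-z0-9_]*)"?$'
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int  # 1-based
    line: str


def load_ignore_globs(text: str) -> list[str]:
    """Parse a .shell-secrets-ignore file: one glob per line, blanks and '#' comments skipped."""
    return [e.strip() for e in text.splitlines() if e.strip() and not e.strip().startswith("#")]


def scan_file(path: str, lines: list[str], ignore_globs=()) -> list[Finding]:
    # Layer 2: the whole file is exempt when an ignore glob matches its path
    # (fnmatch stands in for gitignore-style matching in this toy).
    if any(fnmatch.fnmatch(path, g) for g in ignore_globs):
        return []
    findings: list[Finding] = []
    for idx, line in enumerate(lines):
        # Layer 4: a comment line cannot hold a live secret.
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if not m or not SECRET_NAME_RE.search(m.group("name")):
            continue
        # Drop a trailing "  # ..." comment before classifying the RHS (simplification).
        rhs = re.sub(r"\s+#.*$", "", m.group("rhs")).strip()
        # Layer 3: an expansion of an existing variable is not a literal secret.
        if PARAM_EXPANSION_RE.match(rhs):
            continue
        # Layer 1: pragma on the same line or on the immediately preceding line.
        if PRAGMA_RE.search(line) or (idx > 0 and PRAGMA_RE.search(lines[idx - 1])):
            continue
        findings.append(Finding(path, idx + 1, line.rstrip()))
    return findings


def scan_tree(files: dict[str, list[str]], ignore_globs=()) -> list[Finding]:
    """Scan an in-memory {path: lines} tree; paths are visited in sorted order."""
    out: list[Finding] = []
    for path in sorted(files):
        out.extend(scan_file(path, files[path], ignore_globs))
    return out


# Constructed sample tree mirroring the three false positives the PR discusses,
# plus one genuine literal that must still be reported.
SAMPLE_FILES = {
    "integration/run-tests.sh": [
        "#!/usr/bin/env bash",
        "# scanner-allow: shell-secrets",
        'export ARANGODB_PASSWORD="testpassword"',  # exempt: pragma on preceding line
        'export ARANGODB_USER="root"',  # not a secret-looking name
        'DB_TOKEN="hunter2"',  # literal with no pragma: flagged
    ],
    "hooks/lib/cache.sh": [
        'CICD_CACHE_PASSWORD="${CICD_CACHE_PASSWORD:-}"',  # exempt: parameter expansion
        "CICD_CACHE_TOKEN=$CICD_CACHE_TOKEN",  # exempt: bare $VAR expansion
        '# OLD_SECRET="retired"',  # exempt: comment line
    ],
    "tests/fixtures/creds.sh": ['SERVICE_SECRET="fixture-only"'],  # exempt: ignore-file glob
}
SAMPLE_IGNORE_FILE = "# constructed .shell-secrets-ignore\ntests/fixtures/*\n"

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES, load_ignore_globs(SAMPLE_IGNORE_FILE)):
        print(f"{f.path}:{f.line_no}: possible hardcoded secret: {f.line}")
```

Run as a script, only `integration/run-tests.sh:5` (the `DB_TOKEN` literal) is reported; the pragma-covered `ARANGODB_PASSWORD` line, both parameter expansions in `cache.sh`, the commented-out assignment and the ignored fixture directory are all skipped. Two design points worth noting: the pragma is checked only on the same or the immediately preceding line, so it cannot silently blanket a whole file, whereas an ignore-file glob does exempt every line of every matching path and is therefore best kept scoped to fixture directories; and layer 3 deliberately treats only pure expansions as exempt, so a literal with an embedded expansion is still examined.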
@hyperpolymath hyperpolymath enabled auto-merge (squash) May 28, 2026 13:32
@hyperpolymath hyperpolymath merged commit c9fd28f into main May 28, 2026
32 checks passed
@hyperpolymath hyperpolymath deleted the fix/shell-secrets-false-positives branch May 28, 2026 13:32
@github-actions

🔍 Hypatia Security Scan

Findings: 102 issues detected

Severity Count
🔴 Critical 0
🟠 High 0
🟡 Medium 102
View findings
[
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in clusterfuzzlite.yml",
    "type": "unknown",
    "file": "clusterfuzzlite.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in clusterfuzzlite.yml",
    "type": "unknown",
    "file": "clusterfuzzlite.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence
