Fix Anthropic API key detector shape#7
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✅ Files skipped from review due to trivial changes (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughThis PR updates the Anthropic API key detector to match variable-length tokens instead of a fixed-length pattern. The regex pattern in ChangesAnthropic API Key Detector Pattern Expansion
🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@detectors/anthropic-api-key.toml`:
- Line 14: The current regex in detectors/anthropic-api-key.toml (the regex
entry matching "sk-ant-api03-[A-Za-z0-9_-]{80,120}") can match inside longer
tokens; update that regex to add non-token boundary anchors using negative
lookbehind and lookahead so the pattern only matches when not immediately
preceded or followed by URL-safe token characters (e.g., use (?<![A-Za-z0-9_-])
before the prefix and (?![A-Za-z0-9_-]) after the quantified class) to prevent
substring overmatching.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: f08aed82-55e8-4995-be5e-b243127cc7f2
📒 Files selected for processing (2)
crates/scanner/tests/contracts/anthropic-api-key.tomldetectors/anthropic-api-key.toml
|
|
||
| [[detector.patterns]] | ||
| regex = 'sk-ant-api03-[A-Za-z0-9_-]{93}-[A-Za-z0-9_-]{6}AA' | ||
| regex = 'sk-ant-api03-[A-Za-z0-9_-]{80,120}' |
There was a problem hiding this comment.
Add token boundaries to avoid substring overmatching.
Line 14 can match inside longer URL-safe blobs, which increases false positives. Add non-token boundaries around the key pattern.
Proposed fix
-regex = 'sk-ant-api03-[A-Za-z0-9_-]{80,120}'
+regex = '(?<![A-Za-z0-9_-])sk-ant-api03-[A-Za-z0-9_-]{80,120}(?![A-Za-z0-9_-])'📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| regex = 'sk-ant-api03-[A-Za-z0-9_-]{80,120}' | |
| regex = '(?<![A-Za-z0-9_-])sk-ant-api03-[A-Za-z0-9_-]{80,120}(?![A-Za-z0-9_-])' |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@detectors/anthropic-api-key.toml` at line 14, The current regex in
detectors/anthropic-api-key.toml (the regex entry matching
"sk-ant-api03-[A-Za-z0-9_-]{80,120}") can match inside longer tokens; update
that regex to add non-token boundary anchors using negative lookbehind and
lookahead so the pattern only matches when not immediately preceded or followed
by URL-safe token characters (e.g., use (?<![A-Za-z0-9_-]) before the prefix and
(?![A-Za-z0-9_-]) after the quantified class) to prevent substring overmatching.
93ebdf4 to
7b598b0
Compare
Bump workspace version 0.5.35 -> 0.5.36 and the four pinned internal crate deps. Update README demo banner and the KEYHOG_VERSION / GitHub Action / pre-commit example pins to v0.5.36 so they match the tag. Ships: incremental never-cache-finding-bearing-files fix, hook fail-open, PR #7 anthropic-key shape + boundary tests, and the e2e lockdowns for hook/keyhogignore/UTF-16/incremental from the deep-coherence pass.
|
Hi eraminel01, Thank you for your contribution and welcome to the Team! Also, congrats on being the first external contributor to KeyHog. I will update with thanks for the contribution.md soon! -santh |
…h fixes
Clean-checkout CI was red for two structural reasons, both fixed here:
- keyhog-sources git source shared a gix 0.77 `Repository` (Send, NOT
Sync) across a Rayon `into_par_iter`, so a fresh
`cargo build -p keyhog-sources --features git` failed with 7
`RefCell<…> cannot be shared between threads` errors. Local builds only
passed on a cached artifact. Made the blob loop serial (correct; KH-58
re-parallelization via per-thread `gix::open` tracked as follow-up).
- Workspace-wide `cargo fmt` (the fmt gate was failing across many files).
Lean CI / embeddable build profile (`--no-default-features --features ci`):
- New cli `ci` feature: full 891-detector corpus + ML + entropy +
decode-through + multiline, but NO Hyperscan (kills the ~1.7s cold-start
-> ~0.85s and dropping), NO GPU/vyre drivers, NO live-verify, NO TUI,
NO Ghidra, NO git/web/cloud backends (filesystem + stdin cover `scan .`).
- keyhog-sources now declares `dashmap` directly (was only transitively
present, breaking reduced-feature builds) and sets `default-features =
false` at the WORKSPACE level so members' `default-features = false`
is actually honored (cargo ignores it otherwise).
- codewalk 0.2.5 `FileEntry { is_binary }` set in the explicit-include path.
Detection truth (all_tests: 32 -> 0 known failures):
- Boundary reassembly dedup is now detector-aware (offset+detector+hash),
so co-located findings from distinct detectors are no longer dropped on
the cross-chunk path (parity with in-chunk scan).
- Corpus de-duplication: shopify-access-token narrowed to shpca_ (admin/
storefront own shpat_/shpss_); cloudflare-workers WORKERS made mandatory
so plain cloudflare_api_token= belongs only to cloudflare-api-token.
- Concat reassembly: template-literal string interpolation (`${"x"}`),
Rust concat!(), and `${a}${b}` cross-line variable resolution.
- twilio-auth-token boundary test uses its required AccountSid companion;
heroku/homoglyph fixtures corrected to real-shape tokens.
Cold-start: HS DB cache moved from /tmp (wiped each reboot) to a persistent
XDG cache dir so the compile is paid once per machine, not once per boot.
Docs: README documents CI never needs a GPU + a concrete CI recipe;
CONTRIBUTING credits PR #7 (Edyard / @Eraminel01).
Applies the round 1 base64-protobuf FP-killer fixes from the investigator findings on the three owned files in this partition. shape_gates.rs::looks_like_standard_base64_blob: drop the strict +/-required clause; admit pure-alphanumeric mult-of-4 base64 in [40, 80] when alphabet diversity is >= 32 distinct alnum chars, and admit padded-no-punct base64 ending in = or ==. Covers cause #1 (25 FPs from pure-alnum) and cause #4 (6 FPs from padded-no-punct shapes). decode_structure.rs::looks_like_uniform_base64_blob: lower window floor from 60 to 44 (cause #7), add high-diversity admit (cause #2). Adds decoded_is_base64_blob helper for k8s data: double-base64 wrapper detection (cause #6) - decodes outer once and checks whether the inner bytes are themselves all-base64-alphabet of length >= 32. confidence/penalties.rs::apply_post_ml_penalties: wire decoded_is_base64_blob into the generic-* (non-named) arm with the same 0.02 slam as the uniform-blob and encoded-binary gates. Named detectors continue to bypass. Expected FP delta on base64-protobuf category: -52 (collapses the v32 surviving cluster). Each fix paired with positive truth + negative twin inline tests in the same file. Builds clean under both default and lean (no-default-features --features ml,entropy,decode,multiline) flags.
Bump workspace version 0.5.35 -> 0.5.36 and the four pinned internal crate deps. Update README demo banner and the KEYHOG_VERSION / GitHub Action / pre-commit example pins to v0.5.36 so they match the tag. Ships: incremental never-cache-finding-bearing-files fix, hook fail-open, PR #7 anthropic-key shape + boundary tests, and the e2e lockdowns for hook/keyhogignore/UTF-16/incremental from the deep-coherence pass.
…h fixes
Clean-checkout CI was red for two structural reasons, both fixed here:
- keyhog-sources git source shared a gix 0.77 `Repository` (Send, NOT
Sync) across a Rayon `into_par_iter`, so a fresh
`cargo build -p keyhog-sources --features git` failed with 7
`RefCell<…> cannot be shared between threads` errors. Local builds only
passed on a cached artifact. Made the blob loop serial (correct; KH-58
re-parallelization via per-thread `gix::open` tracked as follow-up).
- Workspace-wide `cargo fmt` (the fmt gate was failing across many files).
Lean CI / embeddable build profile (`--no-default-features --features ci`):
- New cli `ci` feature: full 891-detector corpus + ML + entropy +
decode-through + multiline, but NO Hyperscan (kills the ~1.7s cold-start
-> ~0.85s and dropping), NO GPU/vyre drivers, NO live-verify, NO TUI,
NO Ghidra, NO git/web/cloud backends (filesystem + stdin cover `scan .`).
- keyhog-sources now declares `dashmap` directly (was only transitively
present, breaking reduced-feature builds) and sets `default-features =
false` at the WORKSPACE level so members' `default-features = false`
is actually honored (cargo ignores it otherwise).
- codewalk 0.2.5 `FileEntry { is_binary }` set in the explicit-include path.
Detection truth (all_tests: 32 -> 0 known failures):
- Boundary reassembly dedup is now detector-aware (offset+detector+hash),
so co-located findings from distinct detectors are no longer dropped on
the cross-chunk path (parity with in-chunk scan).
- Corpus de-duplication: shopify-access-token narrowed to shpca_ (admin/
storefront own shpat_/shpss_); cloudflare-workers WORKERS made mandatory
so plain cloudflare_api_token= belongs only to cloudflare-api-token.
- Concat reassembly: template-literal string interpolation (`${"x"}`),
Rust concat!(), and `${a}${b}` cross-line variable resolution.
- twilio-auth-token boundary test uses its required AccountSid companion;
heroku/homoglyph fixtures corrected to real-shape tokens.
Cold-start: HS DB cache moved from /tmp (wiped each reboot) to a persistent
XDG cache dir so the compile is paid once per machine, not once per boot.
Docs: README documents CI never needs a GPU + a concrete CI recipe;
CONTRIBUTING credits PR #7 (Edyard / @Eraminel01).
Applies the round 1 base64-protobuf FP-killer fixes from the investigator findings on the three owned files in this partition. shape_gates.rs::looks_like_standard_base64_blob: drop the strict +/-required clause; admit pure-alphanumeric mult-of-4 base64 in [40, 80] when alphabet diversity is >= 32 distinct alnum chars, and admit padded-no-punct base64 ending in = or ==. Covers cause #1 (25 FPs from pure-alnum) and cause #4 (6 FPs from padded-no-punct shapes). decode_structure.rs::looks_like_uniform_base64_blob: lower window floor from 60 to 44 (cause #7), add high-diversity admit (cause #2). Adds decoded_is_base64_blob helper for k8s data: double-base64 wrapper detection (cause #6) - decodes outer once and checks whether the inner bytes are themselves all-base64-alphabet of length >= 32. confidence/penalties.rs::apply_post_ml_penalties: wire decoded_is_base64_blob into the generic-* (non-named) arm with the same 0.02 slam as the uniform-blob and encoded-binary gates. Named detectors continue to bypass. Expected FP delta on base64-protobuf category: -52 (collapses the v32 surviving cluster). Each fix paired with positive truth + negative twin inline tests in the same file. Builds clean under both default and lean (no-default-features --features ml,entropy,decode,multiline) flags.
Updates the Anthropic API key detector to match current observed sk-ant-api03- key shapes.
The previous regex required one fixed segment layout:
sk-ant-api03-[A-Za-z0-9_-]{93}-[A-Za-z0-9_-]{6}AA`n
That misses revoked real-world keys whose body length/segment layout differs. This keeps the distinctive sk-ant-api03- prefix and allows a variable URL-safe token body:
sk-ant-api03-[A-Za-z0-9_-]{80,120}`n
Also updates the Anthropic contract fixtures with revoked real key shapes.
Summary by CodeRabbit