Heads-up: rag-template is mentioned in an upcoming blog post about secret scanners (positive) #391

@onfafanutifafa

Description

Hi,

Short note in case you'd like to weigh in before publication.

I'm shipping a blog post in the next day or two about how I scanned 20 public AI-starter repos with a secret-scanning tool I work on (getdebug), expected to find leaked API keys, and instead found that every single one of my scanner's findings was a false positive — including 7 critical "findings" against stackitcloud/rag-template.

The post quotes your repo by name. The framing is that your repo was correct and my scanner was wrong: the 7 hits were all placeholder values in .env.template files (STACKIT_VLLM_API_KEY= your-stackit-vllm-api-key, etc.) and import.meta.env.X env-var name reads — none of them were real credentials. The point of the post is that I had to fix three detector rules in my own tool (broader env-template matching + doc-context suppression + env-var-read skip in entropy) to stop generating that noise.

Draft is here (unlisted Gist, ~5 min read):
https://gist.github.com/onfafanutifafa/a8643f15e6f2fc07102db7a853b5f55e

The section that mentions you is "What we expected vs. what we found".

Two asks:

  1. Want me to anonymize the repo name? I can swap it for "a
    popular RAG template" if you'd rather not be a named example in a
    post about a scanner being wrong. I default to naming because it
    makes the post more credible (readers can verify), but I'd
    rather have your blessing than the credibility.

  2. Anything factually off? I checked the findings against the
    current main branch but a fresh second pair of eyes is welcome.

Either way, thanks for shipping your scaffold publicly — it's the
exact kind of mid-popularity real-world code that exposes detector
noise floors. The fixes that came out of this scan are in the
linked blog post.

— Fafa (nutifafadav@gmail.com)
