Skip to content

feat(js): expand secret rule bank with provider-prefixed and structural rules#361

Open
TBX3D wants to merge 2 commits into
vmfunc:mainfrom
TBX3D:feat/js-secret-provider-coverage
Open

feat(js): expand secret rule bank with provider-prefixed and structural rules#361
TBX3D wants to merge 2 commits into
vmfunc:mainfrom
TBX3D:feat/js-secret-provider-coverage

Conversation

@TBX3D

@TBX3D TBX3D commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

the existing 8-rule bank covered aws/github/slack/stripe/google/pem plus a generic keyword=value fallback, missing entire categories real recon tooling (trufflehog, gitleaks) treats as table stakes: git hosting pats beyond github, ai provider keys, payment/messaging provider tokens, and anything requiring more than shape matching.

adds ~19 near-zero-fp provider-prefixed rules (gitlab, npm, pypi, anthropic, openai, stripe restricted/webhook, square, sendgrid, mailgun, discord bot/webhook, slack webhook, new relic, cloudinary, github fine-grained pat), plus two rules with real validation logic instead of just a regex shape: a jwt rule that decodes the header segment and confirms it's actually jwt json, and a db connection-string rule that filters out placeholder passwords so docs/.env.example files don't flood findings.

overlaps slightly with #344 (also open): both add a github-fine-grained-pat rule, and both touch stripe restricted-key handling but structure it differently (a separate rule here vs folded into the stripe secret key rule there). whichever lands second should drop or reconcile the duplicate rule rather than keep both.

…al rules

the 8-rule bank covered aws/github/slack/stripe/google/pem plus a generic
keyword=value fallback, missing entire categories real recon tooling
(trufflehog, gitleaks) treats as table stakes: git hosting PATs beyond
github, ai provider keys, payment/messaging provider tokens, and anything
requiring more than shape matching.

adds ~19 near-zero-FP provider-prefixed rules (gitlab, npm, pypi,
anthropic, openai, stripe restricted/webhook, square, sendgrid, mailgun,
discord bot/webhook, slack webhook, new relic, cloudinary, github
fine-grained pat), plus two rules that need real validation logic instead
of just a regex shape: a jwt rule that decodes the header segment and
confirms it's actually jwt json (not just three dotted base64 blobs), and
a db connection-string rule that filters out placeholder passwords
(password/changeme/example/...) so docs and .env.example files don't
flood findings.
@TBX3D
TBX3D requested a review from vmfunc as a code owner July 9, 2026 23:31
@github-actions github-actions Bot added size/l <500 lines changed scan changes to scan engine modules changes to scan modules tests test changes labels Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

pr summary

2 files changed (+353 -2)

category files
go source 2
tests 1

@codecov-commenter

codecov-commenter commented Jul 9, 2026

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 64.70588% with 6 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main@7ea1cd2). Learn more about missing BASE report.

Files with missing lines Patch % Lines
internal/scan/js/secrets.go 64.70% 3 Missing and 3 partials ⚠️
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.
Additional details and impacted files
@@           Coverage Diff           @@
##             main     #361   +/-   ##
=======================================
  Coverage        ?   54.75%           
=======================================
  Files           ?       81           
  Lines           ?     6891           
  Branches        ?        0           
=======================================
  Hits            ?     3773           
  Misses          ?     2846           
  Partials        ?      272           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

modules changes to scan modules scan changes to scan engine size/l <500 lines changed tests test changes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants