feat(js): expand secret rule bank with provider-prefixed and structural rules#361
Open
TBX3D wants to merge 2 commits into
Open
feat(js): expand secret rule bank with provider-prefixed and structural rules#361TBX3D wants to merge 2 commits into
TBX3D wants to merge 2 commits into
Conversation
…al rules the 8-rule bank covered aws/github/slack/stripe/google/pem plus a generic keyword=value fallback, missing entire categories real recon tooling (trufflehog, gitleaks) treats as table stakes: git hosting PATs beyond github, ai provider keys, payment/messaging provider tokens, and anything requiring more than shape matching. adds ~19 near-zero-FP provider-prefixed rules (gitlab, npm, pypi, anthropic, openai, stripe restricted/webhook, square, sendgrid, mailgun, discord bot/webhook, slack webhook, new relic, cloudinary, github fine-grained pat), plus two rules that need real validation logic instead of just a regex shape: a jwt rule that decodes the header segment and confirms it's actually jwt json (not just three dotted base64 blobs), and a db connection-string rule that filters out placeholder passwords (password/changeme/example/...) so docs and .env.example files don't flood findings.
pr summary2 files changed (+353 -2)
|
|
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #361 +/- ##
=======================================
Coverage ? 54.75%
=======================================
Files ? 81
Lines ? 6891
Branches ? 0
=======================================
Hits ? 3773
Misses ? 2846
Partials ? 272 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
the existing 8-rule bank covered aws/github/slack/stripe/google/pem plus a generic keyword=value fallback, missing entire categories real recon tooling (trufflehog, gitleaks) treats as table stakes: git hosting pats beyond github, ai provider keys, payment/messaging provider tokens, and anything requiring more than shape matching.
adds ~19 near-zero-fp provider-prefixed rules (gitlab, npm, pypi, anthropic, openai, stripe restricted/webhook, square, sendgrid, mailgun, discord bot/webhook, slack webhook, new relic, cloudinary, github fine-grained pat), plus two rules with real validation logic instead of just a regex shape: a jwt rule that decodes the header segment and confirms it's actually jwt json, and a db connection-string rule that filters out placeholder passwords so docs/.env.example files don't flood findings.
overlaps slightly with #344 (also open): both add a github-fine-grained-pat rule, and both touch stripe restricted-key handling but structure it differently (a separate rule here vs folded into the stripe secret key rule there). whichever lands second should drop or reconcile the duplicate rule rather than keep both.