Skip to content

feat(EXPOSED_SECRETS): expand secret detection from 4 to 13 patterns + add tests#49

Open
dmchaledev wants to merge 1 commit into
mainfrom
claude/amazing-franklin-5ikzsi
Open

feat(EXPOSED_SECRETS): expand secret detection from 4 to 13 patterns + add tests#49
dmchaledev wants to merge 1 commit into
mainfrom
claude/amazing-franklin-5ikzsi

Conversation

@dmchaledev

Copy link
Copy Markdown
Contributor

Summary

EXPOSED_SECRETS is a CRITICAL rule, but it only matched 4 secret formats — OpenAI keys, classic GitHub PATs (ghp_), AWS access key IDs, and password assignments. Many common, high-signal credential shapes leaked through undetected, and the rule had no dedicated unit tests.

This PR widens coverage to 13 prefix-anchored patterns and adds a full test suite for the rule.

What's added

New detections in SECRET_PATTERNS (src/rules/runtime-rules.ts):

Secret Pattern
Anthropic API key sk-ant-…
GitHub OAuth/server/user/refresh token gho_ / ghs_ / ghu_ / ghr_
GitHub fine-grained PAT github_pat_…
GitLab PAT glpat-…
Google API key AIza…
Slack token xox[baprs]-…
Stripe live secret / restricted key sk_live_… / rk_live_…
npm token npm_…
PEM private key block -----BEGIN … PRIVATE KEY-----

The original 4 patterns (OpenAI, ghp_, AWS AKIA, password assignment) are retained.

False-positive safety

All patterns are prefix-anchored to distinctive, structured markers, so precision stays high. In particular, a JWT-shaped auth token — as used by the bundled examples/secure-config.json — is not flagged (verified by test and by scanning the example config: 0 EXPOSED_SECRETS findings).

Tests

Adds a dedicated EXPOSED_SECRETS suite (16 cases) covering:

  • each new pattern fires and is CRITICAL,
  • the JWT false-positive guard,
  • benign config strings produce no finding,
  • multiple secrets still report a single finding (dedup).

Synthetic test tokens are assembled from split literals so they can't be mistaken for live credentials by push protection.

Test Suites: 5 passed, 5 total
Tests:       134 passed, 134 total   (was 118)

npm run lint and npm run build are clean.

Verification

$ node dist/cli.js leaky.json --format=table   # config with a ghp_ token + AIza key
CRITICAL | EXPOSED_SECRETS | Potential Secret Exposed in Configuration
FAILED

$ node dist/cli.js examples/secure-config.json --format=json | grep -c EXPOSED_SECRETS
0                                               # JWT token → no false positive

Scoped to src/rules/runtime-rules.ts + tests + CHANGELOG; no behavior change to any other rule.

🤖 Generated with Claude Code

https://claude.ai/code/session_01QJfFuGXGPxiQzpfCP21SCv


Generated by Claude Code

The EXPOSED_SECRETS rule (CRITICAL) only matched 4 secret formats — OpenAI
keys, classic GitHub PATs, AWS access key IDs, and password assignments — so
many common, high-signal credential shapes leaked through undetected, and the
rule had no dedicated unit tests.

Expand SECRET_PATTERNS to 13 prefix-anchored patterns, adding:
- Anthropic API keys (sk-ant-)
- GitHub OAuth/server/user/refresh tokens (gho_/ghs_/ghu_/ghr_) and
  fine-grained PATs (github_pat_)
- GitLab PATs (glpat-)
- Google API keys (AIza...)
- Slack tokens (xox[baprs]-)
- Stripe live secret/restricted keys (sk_live_/rk_live_)
- npm tokens (npm_)
- PEM private-key blocks

Patterns stay prefix-anchored to keep false positives low: a JWT-shaped auth
token (as used by examples/secure-config.json) is not flagged.

Add a dedicated EXPOSED_SECRETS test suite (16 cases) covering each new
pattern, the JWT false-positive guard, benign strings, and single-report
dedup. Update CHANGELOG.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01QJfFuGXGPxiQzpfCP21SCv
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants