Skip to content

feat: implement no_secret_disclosure assertion (fixes #24)#155

Open
mayank-dev-15 wants to merge 2 commits into
OWASP:mainfrom
mayank-dev-15:feature/no-secret-disclosure-assertion
Open

feat: implement no_secret_disclosure assertion (fixes #24)#155
mayank-dev-15 wants to merge 2 commits into
OWASP:mainfrom
mayank-dev-15:feature/no-secret-disclosure-assertion

Conversation

@mayank-dev-15

Copy link
Copy Markdown

Detects when protected secrets appear in agent traces.

Config styles:

  • secrets: list of {name, value} pairs where value is the literal string to detect
  • orbidden_outputs: list of literal strings that must not appear

How it works:

  • Serializes full trace to JSON and checks for substring matches
  • Evidence uses SHA-256 digests to avoid leaking actual secret values
  • Supports secrets in messages, tool calls, and events

Tests: 7 new tests covering clean traces, secrets in messages/tool calls, forbidden outputs, and evidence digesting.

Fixes #24

Detects when protected secrets appear in agent traces. Supports two config
styles:
- secrets: list of {name, value} pairs
- forbidden_outputs: list of literal strings

Evidence uses SHA-256 digests to avoid leaking actual secret values in
test output.

Added 7 tests covering clean traces, secrets in messages/tool calls,
forbidden outputs, and evidence digesting.
- New --sarif-out flag writes SARIF output for code scanning integration
- sarif.py: builds SARIF v2.1.0 with rule IDs, severity mapping, evidence
- Maps pass/fail/error/not_run to SARIF levels
- 8 tests covering version, tool driver, assertion levels, dedup, empty results

Fixes OWASP#82
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Implement no_secret_disclosure assertion

1 participant