fix: redact code evidence in scanner findings

[mldangelo-oai]

Summary

• redact JIT embedded Python code_snippet evidence before serialization
• redact JAX/Orbax restore_fn details while preserving detection on raw input
• add PyTorch ZIP/JIT and signed URL redaction regressions for raw-secret absence plus benign context guards

Validation

• New focused regressions: 6 passed
• Affected detector/scanner files: 550 passed, 5 warnings
• ruff format/check for touched files
• mypy for touched files
• git diff --check

[mldangelo-oai]

@codex review

[github-actions]

Workflow run and artifacts

Performance Benchmarks

Compared 12 shared benchmarks with a regression threshold of 15%.
Status: 1 regressions, 2 improved, 9 stable, 0 new, 0 missing.
Aggregate shared-benchmark median: 1.488s -> 1.314s (-11.7%).

Top regressions:

• tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_base64] +48.7% (483.0us -> 718.3us, nested-payload-review, nested_base64, size=98 B, files=1)

Top improvements:

• tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_clean_training_checkpoint -27.8% (147.56ms -> 106.52ms, clean-training-checkpoint, safe_large, size=278.2 KiB, files=1)
• tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_chunked_upload_stream -26.9% (150.07ms -> 109.77ms, chunked-upload-stream, chunked_stream, size=278.2 KiB, files=1)

Workload	Benchmark	Target	Size	Files	Baseline	Current	Change	Status
nested-payload-review	tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_base64]	nested_base64	98 B	1	483.0us	718.3us	+48.7%	regression
clean-training-checkpoint	tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_clean_training_checkpoint	safe_large	278.2 KiB	1	147.56ms	106.52ms	-27.8%	improved
chunked-upload-stream	tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_chunked_upload_stream	chunked_stream	278.2 KiB	1	150.07ms	109.77ms	-26.9%	improved
duplicate-heavy-registry	tests/benchmarks/test_scan_benchmarks.py::test_scan_duplicate_registry_snapshot	registry-snapshot	915.2 KiB	13	417.43ms	364.90ms	-12.6%	stable
single-checkpoint-preflight	tests/benchmarks/test_scan_benchmarks.py::test_scan_single_checkpoint_before_load	single_checkpoint.pkl	183.0 KiB	1	77.18ms	67.85ms	-12.1%	stable
suspicious-pickle-intake	tests/benchmarks/test_scan_benchmarks.py::test_scan_suspicious_pickle_intake	suspicious-intake	183.8 KiB	4	146.05ms	136.01ms	-6.9%	stable
nested-payload-review	tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_hex]	nested_hex	130 B	1	469.7us	496.9us	+5.8%	stable
nested-payload-review	tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_raw]	nested_raw	78 B	1	479.7us	453.7us	-5.4%	stable
mixed-model-repository	tests/benchmarks/test_scan_benchmarks.py::test_scan_release_candidate_repository	release-candidate	547.3 KiB	32	473.66ms	452.11ms	-4.5%	stable
padded-multi-stream-upload	tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_padded_multi_stream_upload	multi_stream_padded	4.1 KiB	1	2.18ms	2.19ms	+0.5%	stable
warm-cache-rescan	tests/benchmarks/test_scan_benchmarks.py::test_scan_warm_cached_repository_rescan	release-candidate	547.3 KiB	32	70.69ms	70.52ms	-0.2%	stable
direct-malicious-upload	tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_direct_malicious_upload	malicious_reduce	52 B	1	2.10ms	2.10ms	+0.2%	stable

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Can't wait for the next one!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1d441b08a2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[ianw-oai]

This looks materially heavier than the leak it is fixing; the benchmark comment shows a sizable warm-cache-rescan regression, so I am holding approval for now.

[ianw-oai]

Holding this for now: the shared redaction helper still has open review gaps, and the benchmark bot reports a +47.2% warm-cache regression on .

[ianw-oai]

Holding this for now: the shared redaction helper still has open review gaps, and the benchmark bot reports a +47.2% warm-cache regression on test_scan_warm_cached_repository_rescan.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8d45fb8ce5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 174dc0f46e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ae11704d6b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3851c7c1ef

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cd587b4e46

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a21815c65e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b573438660

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

modelaudit/modelaudit/scanners/_evidence_redaction.py

Lines 262 to 263 in 24182a7

	normalized_query = SEMICOLON_QUERY_SEPARATOR_RE.sub("&", HTML_QUERY_SEPARATOR_RE.sub("&", parsed.query))
	for key, value in parse_qsl(normalized_query, keep_blank_values=True):

Keep semicolon query tails inside redaction

When a sensitive query value itself contains a raw semicolon followed by =, for example https://example.com/hook?token=FIRSTSECRET;STILL=SECONDSECRET&ok=1, this normalization splits STILL=SECONDSECRET into a separate non-sensitive parameter before the token value is redacted. The serialized URL evidence then still contains SECONDSECRET; please avoid treating semicolons inside already-sensitive values as independent safe parameters, or fail closed on the remainder.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ed82d6be32

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 47adbc4d8b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[mldangelo-oai]

Reviewed, rebased onto current main, and pushed 9dd0028e.

QA fixes added during review:

• preserve R assignment redaction even when R syntax is also tokenizable as Python
• avoid Python false positives for return annotations and comparison/control near-matches
• redact dotted credential keys without broadening cache/count controls
• preserve structured containers while redacting nested secrets
• fail closed for deeply nested bounded evidence instead of returning only an ellipsis
• avoid consuming credentials dictionary openers as scalar values

Validation:

• 1,923 tests passed across the five affected test modules
• focused evidence-redaction suite: 100 passed
• Ruff format/check clean on all modified Python files
• targeted mypy clean on all modified Python files
• no unresolved review threads remain

CI is running on the updated head; moving on to the next review and will circle back.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9dd0028e08

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[mldangelo-oai]

QA update after syncing with current main and pushing 2156afc:\n\n- Fixed the long R rightward raw-assignment preview regression that failed Linux, Windows, and Python 3.13 CI.\n- Addressed all four new review threads: indented Python routing, sensitive identifier subscripts (scoped to key-bearing containers), embedded name/value dicts, and generic name/value calls.\n- Added adversarial coverage for quoted/backticked targets, exact lookahead boundaries, reversed arguments, duplicate/case-variant and byte-string fields, declaration/dynamic-index false positives, and bounded malformed inputs.\n- Removed two quadratic scans; stress QA is ~1.05s for 16,000 ordinary assignments, ~1ms for a long sensitive call, and ~0.22s for a long benign call.\n\nValidation:\n- 224 passed: evidence redaction + R serialized scanner modules\n- 45 passed, 1778 deselected: redaction-specific JIT/network/JAX/PyTorch consumer tests\n- Ruff lint and format clean\n- mypy clean for the changed helper and associated tests\n- git diff --check clean\n\nAll review threads are resolved. Fresh CI is now running; moving on without waiting per the review loop.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2156afca4a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[mldangelo-oai]

QA update for 9fd5e4f:

• Addressed and resolved all five fresh review threads.
• Closed non-operator comparison leaks for compare_digest, startswith/endswith, and match/case with benign near-match controls.
• Preserved Python annotations/block headers and dangerous eval/exec context.
• Covered exact generic credentials/API Key values, including NUL-framed evidence, without broadening credentials_manager/API Key Count.
• Preserved eval/exec/compile inside auth/cookie arguments while redacting literals; malformed call evidence remains fail-closed.
• Bounded Keras HDF5 reference redaction at MAX_HDF5_REFERENCE_TEXT_CHARS.

Focused validation:

• PROMPTFOO_DISABLE_TELEMETRY=1 .venv/bin/pytest -q tests/scanners/test_evidence_redaction.py (120 passed)
• PROMPTFOO_DISABLE_TELEMETRY=1 .venv/bin/pytest -q tests/scanners/test_keras_zip_scanner.py -k hdf5... (4 passed, 327 deselected)
• scoped Ruff format/check clean
• scoped mypy clean

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9fd5e4f1cc

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[mldangelo-oai]

Reviewed and pushed 7fcf2eec after merging current main.

Addressed all four open review findings:

• redact opaque containers assigned to detail-sensitive names while preserving already-redacted structured context
• redact secret-shaped string annotations without mangling normal forward type annotations
• preserve eval/exec/compile call shape on sensitive assignment RHS while redacting literals
• redact simple cookie/cookies/session assignments with benign control-name negatives

Also corrected the failing Keras CI expectation to the actual bounded 12-character value (long_exte...).

Validation:

• shared evidence redactor: 124 passed
• changed JIT/network/JAX/Keras/PyTorch integration probes: 7 passed, 1 h5py-dependent skip
• Ruff, format check, mypy, and git diff --check: clean
• all review threads resolved

CI is running on the pushed head; moving on without waiting.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7fcf2eec10

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 311d47cf60

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 68aea213c1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Redact const values for sensitive CLI options

When a sensitive argparse option uses const= instead of default=, for example parser.add_argument("--api-key", const="SECRETKEY1234567890", nargs="?"); eval("1"), this branch never selects that value because it only looks for the default keyword. The option name still identifies the literal as credential evidence, so the raw const can be serialized in JIT/Orbax code snippets; include argparse const in the value keywords for these sensitive option calls.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Redact numeric literals before right-side sensitive targets

When the sensitive value is written on the right side of a comparison or membership check, this branch only replaces left-hand STRING tokens. A snippet such as 123456789012345 == api_key; eval("1") or [123456789012345] in api_keys therefore keeps the numeric credential in serialized code_snippet/restore_fn evidence, even though the sensitive-left case already redacts numeric operands; include NUMBER tokens in this right-target path as well.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Stop lambda default targets at the parameter name

When a lambda restore hook or code snippet has a detail-only sensitive default like lambda credentials="SECRETKEY1234567890": eval("1"), _is_lambda_default_operator() is true but this backward scan never stops at the lambda keyword, so the target becomes lambda credentials instead of credentials. That misses _is_sensitive_detail_key() and leaves the raw default serialized in restore_fn/code_snippet; stop the target scan at lambda for lambda defaults before classifying the parameter name.

Useful? React with 👍 / 👎.