fix(review): detect cross-line split credentials in gate secret scan (#2454) #2877
RealDiligent wants to merge 1 commit into
Conversation
…SONbored#2454) The unconditional secret_leak hard blocker scanned added lines in isolation, so credentials split across adjacent added string literals evaded every per-line regex while REES enrichment already joined them (JSONbored#2454). Add scanPrDiffForSecretKinds with bounded cross-line literal join, hunk/context boundaries, consecutive-run generic assignment detection, and in-hunk +++ content handling. Wire secretLeakFinding through the new walker. Co-authored-by: Cursor <cursoragent@cursor.com>
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2877   +/-   ##
=======================================
  Coverage   96.02%   96.03%
=======================================
  Files         259      259
  Lines       28360    28421   +61
  Branches    10312    10325   +13
=======================================
+ Hits        27233    27294   +61
  Misses        491      491
  Partials      636      636
Caution: 🛑 Gittensory review result - reject/close recommended (review updated: 2026-07-04 03:46:31 UTC)
🛑 Suggested Action - Reject/Close
Review summary: Blockers
Nits — 6 non-blocking
Why this is blocked
Review context
Contributor next steps
Signal definitions: 🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed
Checked by Gittensory.
Gittensory is closing this pull request on the maintainer's behalf (AI reviewers agree on a likely critical defect: src/review/secrets-scan.ts:164-173 sets `matched` for any scanner kind, so a split credential whose second added line also matches only a non-hard heuristic skips the adjacent-literal join and then gets filtered out in src/review/safety.ts:103, allowing that real introduced secret to pass unblocked.). This is an automated maintenance action — to pursue this change, please open a new pull request with the issues resolved. Closed PRs are re-reviewed automatically, so an inaccurate close may be reopened, but that does not guarantee it can merge (e.g. if conflicts or failing CI remain).
…SONbored#2454) The unconditional secret_leak hard blocker scanned added lines in isolation, so credentials split across adjacent added string literals evaded every per-line regex while REES enrichment already joined them (JSONbored#2454). Add scanPrDiffForSecretKinds with bounded cross-line literal join, hunk/context boundaries, consecutive-run generic assignment detection, and in-hunk +++ content handling. Wire secretLeakFinding through the new walker. Only skip the cross-line join when the current line matched a gate-blocking kind on its own — a soft heuristic alone (e.g. coldkey:) must not suppress joining literals that complete a split concrete credential (JSONbored#2877 review blocker). Export GATE_BLOCKING_SECRET_KINDS as the single source of truth shared between the diff walker and secretLeakFinding filter. Supersedes closed JSONbored#2877. Co-authored-by: Cursor <cursoragent@cursor.com>
Summary
The unconditional secret_leak hard blocker scanned added diff lines in isolation. A credential split across two adjacent added string literals (e.g. const a = "AKIA…"; +const b = "REST";) evaded every per-line regex — exactly the #2454 evasion class REES enrichment already closes, but the gate path did not.

This PR adds scanPrDiffForSecretKinds and wires secretLeakFinding through it:
- +++ content handling and /dev/null header regex escape

Mirrors the REES secret-scan.ts join heuristic while keeping secrets-scan.ts self-contained (no cross-package import).

Test plan
npm run typecheck
npx vitest run test/unit/secrets-scan.test.ts test/unit/safety-wiring.test.ts (68/68)

Related
review-enrichment/src/analyzers/secret-scan.ts
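Added example in TypeScript (the project's language). It is not code from this PR or from the JSONbored repository; it illustrates two things the thread describes: the diff walker from the PR summary (bounded cross-line literal join, reset at hunk headers and context or removed lines, consecutive-run assignment detection, in-hunk "+++" lines treated as content) and the defect the Gittensory close notice reports (a soft per-line match suppressing the join so a split key escapes the gate). The names scanPrDiffForSecretKinds, secretLeakFinding and GATE_BLOCKING_SECRET_KINDS are taken from the PR text, but their bodies, the kind set, the regexes, the skipJoinOnAnyKind switch and the sample diff are assumptions made for this example.

```typescript
// Added example, not code from the PR or the project. Scan each added line on its
// own; when it does not match a gate-blocking kind by itself, join its literals
// (and raw text) with the preceding added lines, bounded and reset per hunk.
// All names, patterns and the sample diff are hypothetical.

type SecretKind = "aws_access_key" | "generic_assignment" | "coldkey_hint";

// Hypothetical single source of truth shared by the walker and the gate filter.
// coldkey_hint is a soft heuristic: reported, never blocking, and it must never
// suppress the cross-line join (the defect flagged in the review).
export const GATE_BLOCKING_SECRET_KINDS: ReadonlySet<SecretKind> = new Set<SecretKind>([
  "aws_access_key",
  "generic_assignment",
]);

const KIND_PATTERNS: ReadonlyArray<readonly [SecretKind, RegExp]> = [
  ["aws_access_key", /\bAKIA[0-9A-Z]{16}\b/],
  ["generic_assignment", /\b(?:secret|password|token)\b\s*[:=]\s*["'][^"']{12,}["']/i],
  ["coldkey_hint", /\bcoldkey\s*:/i],
];

const MAX_JOIN_LINES = 3; // bound: adjacent added lines joined into one candidate

export interface SecretFinding {
  kind: SecretKind;
  line: number;    // 1-based line within the diff text
  joined: boolean; // true when only the cross-line join exposed it
}

function kindsIn(text: string): SecretKind[] {
  return KIND_PATTERNS.filter(([, re]) => re.test(text)).map(([kind]) => kind);
}

// Payloads of the "..." / '...' literals on one line (escapes not handled).
function literalPayloads(line: string): string[] {
  const re = /"([^"\\]*)"|'([^'\\]*)'/g;
  const out: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(line)) !== null) out.push(m[1] !== undefined ? m[1] : m[2]);
  return out;
}

// skipJoinOnAnyKind = true reproduces the flagged bug: any per-line match,
// even a soft one, skips the join.
export function scanPrDiffForSecretKinds(
  diff: string,
  opts: { skipJoinOnAnyKind?: boolean } = {},
): SecretFinding[] {
  const findings: SecretFinding[] = [];
  let inHunk = false;
  let run: Array<{ text: string; line: number }> = []; // consecutive added lines

  diff.split("\n").forEach((raw, idx) => {
    const lineNo = idx + 1;
    if (raw.startsWith("diff --git ")) { inHunk = false; run = []; return; }
    if (raw.startsWith("@@")) { inHunk = true; run = []; return; }
    if (!inHunk) return;                           // "--- a/f" and "+++ b/f" headers live here
    if (!raw.startsWith("+")) { run = []; return; } // context, removed, "\ No newline" end the run

    // Inside a hunk every "+"-prefixed line is added content: "+++x;" is the code "++x;".
    const text = raw.slice(1);
    run.push({ text, line: lineNo });

    const own = kindsIn(text);
    for (const kind of own) findings.push({ kind, line: lineNo, joined: false });

    const skip = opts.skipJoinOnAnyKind
      ? own.length > 0
      : own.some((k) => GATE_BLOCKING_SECRET_KINDS.has(k));
    if (skip || run.length < 2) return;

    const joinWindow = run.slice(-MAX_JOIN_LINES);
    const joinedLiterals = joinWindow.map((e) => literalPayloads(e.text).join("")).join("");
    const joinedRun = joinWindow.map((e) => e.text).join(" "); // `const secret =` + `"..."`
    for (const candidate of [joinedLiterals, joinedRun]) {
      for (const kind of kindsIn(candidate)) {
        if (!GATE_BLOCKING_SECRET_KINDS.has(kind)) continue;
        if (!findings.some((f) => f.kind === kind && f.line === lineNo)) {
          findings.push({ kind, line: lineNo, joined: true });
        }
      }
    }
  });
  return findings;
}

// Gate filter: only gate-blocking kinds become the hard blocker.
export function secretLeakFinding(diff: string): { blocker: true; kinds: SecretKind[] } | null {
  const kinds = scanPrDiffForSecretKinds(diff)
    .map((f) => f.kind)
    .filter((k, i, all) => GATE_BLOCKING_SECRET_KINDS.has(k) && all.indexOf(k) === i);
  return kinds.length > 0 ? { blocker: true, kinds } : null;
}

// Constructed sample diff. AKIAIOSFODNN7EXAMPLE is AWS's documented example key id.
export const SAMPLE_DIFF = [
  "diff --git a/src/config.ts b/src/config.ts",
  "--- a/src/config.ts",
  "+++ b/src/config.ts",
  "@@ -1,3 +1,8 @@",
  ' import { load } from "./env";',
  '+const a = "AKIAIOSFODNN";',
  '+const b = "7EXAMPLE"; // coldkey: demo',
  " export const x = 1;",
  "+const secret =",
  '+  "hunter2hunter2hunter2";',
  " let seen = 0;",
  "+++seen;",
].join("\n");
```

On the sample, the second added line matches only the soft coldkey_hint on its own, so the fixed walker still joins it with the previous literal and reports the AWS key at line 7; with skipJoinOnAnyKind set, that join is skipped and the key never reaches the gate, which is the escape the close notice describes. The `const secret =` / `"..."` pair is caught by the raw-run join rather than the literal join, and the in-hunk `+++seen;` line is scanned as the content `++seen;`, not mistaken for a file header.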