fix(review): detect cross-line split credentials in gate secret scan (#2454) #2887
RealDiligent wants to merge 1 commit into
…SONbored#2454)

The unconditional secret_leak hard blocker scanned added lines in isolation, so credentials split across adjacent added string literals evaded every per-line regex while REES enrichment already joined them (JSONbored#2454).

Add scanPrDiffForSecretKinds with bounded cross-line literal join, hunk/context boundaries, consecutive-run generic assignment detection, and in-hunk +++ content handling. Wire secretLeakFinding through the new walker.

Only skip the cross-line join when the current line matched a gate-blocking kind on its own — a soft heuristic alone (e.g. coldkey:) must not suppress joining literals that complete a split concrete credential (JSONbored#2877 review blocker).

Export GATE_BLOCKING_SECRET_KINDS as the single source of truth shared between the diff walker and secretLeakFinding filter.

Supersedes closed JSONbored#2877.

Co-authored-by: Cursor <cursoragent@cursor.com>
Codecov Report
❌ Your patch status has failed because the patch coverage (97.14%) is below the target coverage (99.00%). You can increase the patch coverage or adjust the target coverage.
Additional details and impacted files
@@ Coverage Diff @@
##             main    #2887   +/-   ##
=======================================
  Coverage        ?   96.03%
=======================================
  Files           ?      259
  Lines           ?    28458
  Branches        ?    10342
=======================================
  Hits            ?    27329
  Misses          ?      492
  Partials        ?      637
🛑 Gittensory review result - fixes required
Review updated: 2026-07-04 04:14:37 UTC
🛑 Suggested Action - Fix Blockers
Review summary: Nits — 6 non-blocking
CI checks failing
Signal definitions
🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed
Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

Gittensory is closing this pull request on the maintainer's behalf (CI is failing: codecov/patch). This is an automated maintenance action — to pursue this change, please open a new pull request with the issues resolved. Closed PRs are re-reviewed automatically, so an inaccurate close may be reopened, but that does not guarantee it can merge (e.g. if conflicts or failing CI remain).
Summary
The unconditional `secret_leak` hard blocker scanned added diff lines in isolation. A credential split across two adjacent added string literals (e.g. `const a = "AKIA…";` followed by `+const b = "REST";`) evaded every per-line regex — exactly the #2454 evasion class REES enrichment already closes, but the gate path did not.

This PR adds `scanPrDiffForSecretKinds` and wires `secretLeakFinding` through it:
- `+++` content handling and `/dev/null` header regex escape

#2877 review blocker fix
Closed #2877 skipped the cross-line join whenever any scanner kind matched the line — including soft heuristics (`bittensor_key`, `seed_or_mnemonic`) that `secretLeakFinding` filters out. A split credential whose second line also contained `coldkey = "…"` would pass unblocked.

Fix: only skip the join when the line matched a gate-blocking kind on its own. Export `GATE_BLOCKING_SECRET_KINDS` as the single source of truth shared by the walker and the `secretLeakFinding` filter.

Test plan
- `npm run typecheck`
- `npx vitest run test/unit/secrets-scan.test.ts test/unit/safety-wiring.test.ts` (70/70)
- `coldkey =` on second line blocks via join (fix(review): detect cross-line split credentials in gate secret scan (#2454) #2877)

Related
review-enrichment/src/analyzers/secret-scan.ts
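The walker the commit message and the PR description describe, as an added example that is not the project's `secret-scan.ts` and does not reproduce its real signatures: it collects added lines per run (a run ends at any context or removed line, `@@` header or new file section), treats a `+++` line inside a hunk as added content, joins the string-literal bodies of the preceding adjacent added lines (bounded by `maxJoin`) and re-scans the joined text, and skips that join only when the current line already matched a gate-blocking kind on its own. The names `scanPrDiffForSecretKinds`, `secretLeakFinding` and `GATE_BLOCKING_SECRET_KINDS` echo the PR, but their bodies, the two simplified patterns, the `legacySkipOnAnyMatch` flag (which reproduces the closed #2877 behaviour for comparison) and the sample diff are all constructed here; the commit's consecutive-run generic assignment detection is not shown.

```typescript
// Added example, not the project's secret-scan.ts: a minimal diff walker that joins
// string literals across adjacent added lines. Names, patterns and diff are constructed.
type SecretKind = "aws_access_key_id" | "bittensor_key";

// Single source of truth for the kinds that block the gate; the soft bittensor_key
// heuristic is deliberately absent (reported, never blocking).
const GATE_BLOCKING_SECRET_KINDS: ReadonlyArray<SecretKind> = ["aws_access_key_id"];
const isGateBlocking = (k: SecretKind): boolean => GATE_BLOCKING_SECRET_KINDS.indexOf(k) !== -1;

// Simplified, constructed patterns; a real scanner is far more precise.
const PATTERNS: ReadonlyArray<{ kind: SecretKind; re: RegExp }> = [
  { kind: "aws_access_key_id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { kind: "bittensor_key", re: /\b(?:coldkey|hotkey)\s*[:=]/i },
];
interface Finding { kind: SecretKind; lines: number[]; joined: boolean } // lines: 0-based diff indexes
interface Added { idx: number; text: string; run: number }

// Every added line tagged with a "run" id (a maximal block of adjacent '+' lines);
// context/removed lines, '@@' headers and new file sections start a new run. File
// headers ('+++ b/x') count only outside a hunk; inside one, '+++...' is added content.
function addedRuns(diff: string): Added[] {
  const out: Added[] = [];
  const lines = diff.split("\n");
  let inHunk = false;
  let run = 0;
  for (let idx = 0; idx < lines.length; idx++) {
    const l = lines[idx];
    if (l.indexOf("diff --git ") === 0) { inHunk = false; run++; continue; }
    if (l.indexOf("@@") === 0) { inHunk = true; run++; continue; }
    if (!inHunk) continue;
    if (l.charAt(0) === "+") out.push({ idx, text: l.slice(1), run });
    else run++; // ' ' context, '-' removed or '\ No newline' ends the run
  }
  return out;
}

// Concatenate the bodies of all single- or double-quoted literals on one line.
function literalBodies(text: string): string {
  const re = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  let out = "";
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) out += m[1] !== undefined ? m[1] : m[2];
  return out;
}
const kindsIn = (text: string): SecretKind[] => PATTERNS.filter((p) => p.re.test(text)).map((p) => p.kind);

// legacySkipOnAnyMatch reproduces the closed #2877 behaviour for comparison.
function scanPrDiffForSecretKinds(diff: string, legacySkipOnAnyMatch = false, maxJoin = 3): Finding[] {
  const added = addedRuns(diff);
  const findings: Finding[] = [];
  for (let i = 0; i < added.length; i++) {
    const cur = added[i];
    const own = kindsIn(cur.text);
    for (const kind of own) findings.push({ kind, lines: [cur.idx], joined: false });
    // Skip the join only when THIS line matched a gate-blocking kind on its own; a soft
    // 'coldkey =' match must not suppress it, or a split credential passes unblocked.
    if (legacySkipOnAnyMatch ? own.length > 0 : own.some(isGateBlocking)) continue;
    // Walk backwards through the run, prepending literal bodies (bounded by maxJoin).
    let joined = literalBodies(cur.text);
    if (joined === "") continue;
    const span = [cur.idx];
    for (let j = i - 1; j >= 0 && i - j <= maxJoin; j--) {
      const prev = added[j];
      if (prev.run !== cur.run) break; // hunk/context boundary
      const body = literalBodies(prev.text);
      if (body === "") break; // nothing to continue the literal with
      joined = body + joined;
      span.unshift(prev.idx);
      const hits = kindsIn(joined).filter((k) => isGateBlocking(k) &&
        !findings.some((f) => f.kind === k && f.lines.some((n) => span.indexOf(n) !== -1)));
      if (hits.length > 0) {
        for (const kind of hits) findings.push({ kind, lines: span.slice(), joined: true });
        break;
      }
    }
  }
  return findings;
}

// The gate filter: only gate-blocking kinds survive.
const secretLeakFinding = (fs: Finding[]): Finding[] => fs.filter((f) => isGateBlocking(f.kind));

// Constructed sample diff: AWS's documented example key AKIAIOSFODNN7EXAMPLE is split
// across a/coldkey (second line trips the soft heuristic) and across b/c with a context
// line in between (must not join); "+++retries;" is added content, not a header.
const SAMPLE_DIFF = [
  "diff --git a/src/config.ts b/src/config.ts",
  "--- a/src/config.ts",
  "+++ b/src/config.ts",
  "@@ -1,3 +1,8 @@",
  ' import { env } from "./env";',
  '+const a = "AKIAIOSFODNN";',
  '+const coldkey = "7EXAMPLE";',
  "+++retries;",
  ' export const region = "us-east-1";',
  '+const b = "AKIAIOSFODNN";',
  " export const zone = 1;",
  '+const c = "7EXAMPLE";',
].join("\n");
```

With the default options, `secretLeakFinding(scanPrDiffForSecretKinds(SAMPLE_DIFF))` returns one `aws_access_key_id` finding spanning diff lines 5 and 6 with `joined: true`, even though line 6 on its own only matched the soft `bittensor_key` heuristic; with `legacySkipOnAnyMatch` set, that soft match suppresses the join and the gate lets the split key through. The `b`/`c` halves are never joined because a context line separates their runs, and `+++retries;` survives as content rather than being mistaken for a file header.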