Skip to content

fix(brain-repo): harden secrets_scanner — provider coverage + false-positive filters#120

Open
mt-alarcon wants to merge 1 commit into
evolution-foundation:developfrom
mt-alarcon:feat/secrets-scanner-providers-fp
Open

fix(brain-repo): harden secrets_scanner — provider coverage + false-positive filters#120
mt-alarcon wants to merge 1 commit into
evolution-foundation:developfrom
mt-alarcon:feat/secrets-scanner-providers-fp

Conversation

@mt-alarcon

Copy link
Copy Markdown

Problem

The Brain Repo secrets scanner silently deleted legitimate backup files on false positives. Aggressive patterns matched variable names (password), base64 image data, ${VAR} references, ALL_CAPS binding names (META_CAPI_TOKEN_X), and placeholders (SUA_SENHA). In our instance this deleted dozens of real files from the backup before we caught it.

Fix

Hardens the scanner in both directions (fewer false positives, no lost true-positives):

  • +13 provider patterns: GitLab, Supabase, HuggingFace, Replicate, Groq, npm, PyPI, Linear, Figma, Telegram bot, Notion ntn_, Meta EAA (with access_token/bearer context guard + length floor), Google OAuth GOCSPX-.
  • Case-sensitive lookbehind/lookahead on AWS / JWT / Fernet / GENERIC_SECRET patterns to kill false positives without dropping real detections.
  • Central _is_false_positive filter rejecting ${VAR} refs and common placeholders.

Testing

  • Regression-tested both ways: false-positive corpus → 0 findings; real true-positives still detected.
  • All test fixtures are synthetic (no real secrets).
  • 111 tests, all green.

🤖 Generated with Claude Code

…ositive filters

The Brain Repo secrets scanner silently deleted legitimate backup files on
false positives (aggressive patterns matched var names, base64 image data,
${VAR} refs, ALL_CAPS binding names, placeholders like SUA_SENHA).

This hardens the scanner in both directions:
- Adds 13+ provider patterns (GitLab, Supabase, HuggingFace, Replicate, Groq,
  npm, PyPI, Linear, Figma, Telegram bot, Notion ntn_, Meta EAA with
  access_token/bearer context guard, Google OAuth GOCSPX-)
- Case-sensitive lookbehind/lookahead on AWS/JWT/Fernet/GENERIC_SECRET to kill
  false positives without losing real true-positives
- Central _is_false_positive filter rejecting ${VAR} refs and placeholders

Regression-tested both ways (FP corpus -> 0, real TP intact). Test fixtures are
synthetic. 111 tests.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @mt-alarcon, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant