From cea7aa7f242c7240965da1a8cf0bf41dbd49585b Mon Sep 17 00:00:00 2001
From: seonghobae <8172694+seonghobae@users.noreply.github.com>
Date: Sat, 4 Jul 2026 17:31:02 +0000
Subject: [PATCH] =?UTF-8?q?=E2=9A=A1=20Bolt:=20noema=5Freview=5Fgate?= =?UTF-8?q?=EC=9D=98=20=EC=A0=95=EA=B7=9C=EC=8B=9D=20=EC=BB=B4=ED=8C=8C?= =?UTF-8?q?=EC=9D=BC=20=EC=84=B1=EB=8A=A5=20=EC=B5=9C=EC=A0=81=ED=99=94?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

scripts/ci/noema_review_gate.py 파일의 scrub_sensitive_data 함수 내에서 매번 재컴파일되던 정규식들을 모듈 수준 변수 SENSITIVE_DATA_SCRUB_PATTERNS에 선컴파일하여 캐싱. 이를 통해 반복 호출 시 발생하는 불필요한 연산 부하를 줄여 CI 실행 속도를 개선함.
---
 scripts/ci/noema_review_gate.py | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/scripts/ci/noema_review_gate.py b/scripts/ci/noema_review_gate.py
index 1e4661b7..6f195a12 100644
--- a/scripts/ci/noema_review_gate.py
+++ b/scripts/ci/noema_review_gate.py
@@ -34,17 +34,23 @@ MAX_DIFF_CHARS = 60000 +SENSITIVE_DATA_SCRUB_PATTERNS = ( + (re.compile(r'(?i)(bearer\s+)[^\s"\'\\]+'), r'\1***'), + (re.compile(r'(?i)(token\s+)[^\s"\'\\]+'), r'\1***'), + (re.compile(r'(?i)\b(?:github_pat_[A-Za-z0-9_]+|gh[pousr]_[A-Za-z0-9_]+)\b'), '***'), + (re.compile(r'\b(sk-[A-Za-z0-9_-]+)'), '***'), + (re.compile(r'\b(xox[baprs]-[A-Za-z0-9-]+)'), '***'), + (re.compile(r'\b(AKIA[0-9A-Z]{16})'), '***'), + (re.compile(r'(?i)((?:api[_-]?key|access[_-]?token|refresh[_-]?token|id[_-]?token|client[_-]?secret|password|passwd|secret)\s*[:=]\s*)["\']?[^"\'\s]+["\']?'), r'\1***'), +) + + def scrub_sensitive_data(text: str | None) -> str | None: """Mask sensitive tokens in text to prevent secret leakage.""" if not text: return text - text = re.sub(r'(?i)(bearer\s+)[^\s"\'\\]+', r'\1***', text) - text = re.sub(r'(?i)(token\s+)[^\s"\'\\]+', r'\1***', text) - text = re.sub(r'(?i)\b(?:github_pat_[A-Za-z0-9_]+|gh[pousr]_[A-Za-z0-9_]+)\b', '***', text) - text = re.sub(r'\b(sk-[A-Za-z0-9_-]+)', '***', text) - text = re.sub(r'\b(xox[baprs]-[A-Za-z0-9-]+)', '***', text) - text = re.sub(r'\b(AKIA[0-9A-Z]{16})', '***', text) - text = re.sub(r'(?i)((?:api[_-]?key|access[_-]?token|refresh[_-]?token|id[_-]?token|client[_-]?secret|password|passwd|secret)\s*[:=]\s*)["\']?[^"\'\s]+["\']?', r'\1***', text) + for pattern, repl in SENSITIVE_DATA_SCRUB_PATTERNS: + text = pattern.sub(repl, text) return text
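Review bot: The key/value rule (last entry of `SENSITIVE_DATA_SCRUB_PATTERNS`) is carried over unchanged and still misses two common shapes: a JSON-style quoted key such as `"api_key": "..."` never matches because the closing quote sits between the key name and `\s*[:=]`, and a quoted value containing a space is masked only up to the first whitespace, so the rest stays in the output. Since the tuple is now the single place these rules live, I would tighten it here: allow `["\']?` right after the key alternation and replace the value part with `(?:"[^"\n]*"|\'[^\'\n]*\'|["\']?[^"\'\s]+["\']?)`. The `token\s+` rule errs the other way and masks any word that follows "token", so a short comment on the tuple saying which rules are deliberately broad would help the next reader. A regression test pinning the masked output for one constructed sample per rule would make refactors of this scrubber safe; none is visible in this patch.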