11 changes: 11 additions & 0 deletions scripts/ci/noema_review_gate.py
@@ -49,6 +49,17 @@
(re.compile(r'(?i)((?:authorization|proxy-authorization)\s*:\s*(?:bearer|basic)\s+)[A-Za-z0-9._~+\/=-]+'), r'\1***'),
)

SENSITIVE_DATA_SCRUB_PATTERNS = (
(re.compile(r'(?i)(bearer\s+)[^\s"\'\\]+'), r'\1***'),
(re.compile(r'(?i)(token\s+)[^\s"\'\\]+'), r'\1***'),
(re.compile(r'(?i)\b(?:github_pat_[A-Za-z0-9_]+|gh[pousr]_[A-Za-z0-9_]+)\b'), '***'),
(re.compile(r'\b(sk-[A-Za-z0-9_-]+)'), '***'),
(re.compile(r'\b(xox[baprs]-[A-Za-z0-9-]+)'), '***'),
(re.compile(r'\b(AKIA[0-9A-Z]{16})'), '***'),
(re.compile(r'(?i)((?:api[_-]?key|access[_-]?token|refresh[_-]?token|id[_-]?token|client[_-]?secret|password|passwd|secret)\s*[:=]\s*)["\']?[^"\'\s]+["\']?'), r'\1***'),
)


def scrub_sensitive_data(text: str | None) -> str | None:
"""Mask sensitive tokens in text to prevent secret leakage."""
if not text:
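Review bot: The keyword rule that ends SENSITIVE_DATA_SCRUB_PATTERNS requires the separator directly after the key name, so JSON-style text such as `"access_token": "value"` (constructed example) is not masked, because the key's closing quote sits between the name and the `:`. Its value part `["\']?[^"\'\s]+["\']?` also stops at the first whitespace, so a quoted value containing a space is only partly masked and the rest stays in the output. I would allow an optional quote before the separator, `["\']?\s*[:=]\s*`, and match quoted values whole, `(?:"[^"]*"|\'[^\']*\'|[^"\'\s]+)`. The same adjacency requirement means names like `secret_key` or `aws_secret_access_key` are not covered, while the `AKIA` rule masks only the access key ID and not the secret that accompanies it; a test per form would pin this down. Where the new tuple is applied is not visible in this hunk, and the body of scrub_sensitive_data continues past it.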