diff --git a/extensions/rules-guard/index.test.ts b/extensions/rules-guard/index.test.ts
index 425c2d0..302445d 100644
--- a/extensions/rules-guard/index.test.ts
+++ b/extensions/rules-guard/index.test.ts
@@ -479,6 +479,7 @@ describe("redactText — provider token shapes (positive)", () => {
 test("redacts newly-added provider token shapes", () => {
 for (const s of [
 `gho_${"a".repeat(36)}`, // GitHub CLI OAuth token
+ `gho_${"a".repeat(40)}`, // longer body — must match {36,}, not exactly 36
 `glpat-${"a".repeat(20)}`,
 `xapp-${"1234567890abc"}`,
 `AIza${"a".repeat(35)}`,
@@ -493,6 +494,8 @@ describe("redactText — provider token shapes (positive)", () => {
 `M${"a".repeat(23)}.${"a".repeat(6)}.${"a".repeat(27)}`,
 `123456789-${"a".repeat(32)}.apps.googleusercontent.com`,
 `eyJ${"a".repeat(10)}.eyJ${"a".repeat(10)}.${"a".repeat(20)}`,
+ `ghs_${"a".repeat(36)}`, // classic server-to-server token
+ `ghs_123456_${"A".repeat(40)}.${"B".repeat(60)}.${"C".repeat(40)}`, // stateless ghs_APPID_JWT
 ]) expect(redactText(s)).toBe("[REDACTED]");
 // AWS secret access key only redacts in context (label + value).
diff --git a/extensions/rules-guard/index.ts b/extensions/rules-guard/index.ts
index cda0c09..e9f371a 100644
--- a/extensions/rules-guard/index.ts
+++ b/extensions/rules-guard/index.ts
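Review bot: The two `ghs_` cases added in the second hunk only exercise the positive side, and since the new `ghs_` pattern is open-ended with a wider character class (`.`, `-`, `_`), the `{36,}` minimum is the only thing keeping ordinary identifiers out of the redaction, yet nothing pins that boundary. A companion case such as `` `ghs_${"a".repeat(35)}` `` asserting `expect(redactText(s)).toBe(s)` would lock it in; the describe title suggests a negative-side suite exists, but it is outside this hunk, so I cannot confirm where it belongs. The enclosing `test(...)` and `for` loop start before the hunk.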
@@ -530,8 +530,12 @@ const SECRET_OUTPUT: RegExp[] = [
 // AWS secret access key: bare 40-char base64 is indistinguishable from a git SHA,
 // so match only in context (an aws-secret-ish label followed by `=`/`:`).
 /\baws_?secret_?access_?key[ \t]*[:=][ \t]*["']?[A-Za-z0-9/+]{40}/gi,
- // GitHub token — PAT ghp_, OAuth/CLI gho_, user-to-server ghu_, server ghs_, refresh ghr_.
- /\bgh[oprsu]_[A-Za-z0-9]{36}\b/g,
+ // GitHub token — PAT ghp_, OAuth/CLI gho_, user-to-server ghu_, refresh ghr_.
+ /\bgh[opru]_[A-Za-z0-9]{36,}/g,
+ // GitHub server-to-server / installation token ghs_ — covers both the classic
+ // 36-char form and the stateless ghs_APPID_JWT form (~520 chars, dot- and
+ // underscore-separated), per GitHub's recommended `ghs_[A-Za-z0-9._-]{36,}`.
+ /\bghs_[A-Za-z0-9._-]{36,}/g,
 /\bgithub_pat_[A-Za-z0-9_]{20,}/g, // GitHub PAT (fine-grained)
 /\bglpat-[A-Za-z0-9_-]{20,}/g, // GitLab PAT
 /\b(?:xox[baprs]|xapp)-[A-Za-z0-9-]{10,}/g, // Slack tokens (bot/user/app/...)
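Review bot: The new `ghs_` pattern's class includes `.` and `-`, so a token immediately followed by sentence punctuation or a hyphenated word has that punctuation folded into the match; that is harmless for redaction (it only over-redacts), but a reader of the comment will not expect it, so add `// '.' and '-' are in the class: adjacent punctuation is swallowed into the redaction.` Separately, the rewritten `gh[opru]_` pattern drops the old trailing `\b`; with a greedy `{36,}` over the same alphanumeric class the only observable difference from `{36}\b` besides longer bodies is a body immediately followed by `_`, which the old pattern skipped and the new one redacts — worth one word in the comment so nobody "restores" the `\b`. The comment's "per GitHub's recommended" claim is the kind of thing that should carry a pointer to where the recommendation is published, so the pattern can be re-checked when the token format changes. The enclosing `SECRET_OUTPUT` array starts and ends outside the hunk.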