3 changes: 3 additions & 0 deletions extensions/rules-guard/index.test.ts
Expand Up @@ -479,6 +479,7 @@ describe("redactText — provider token shapes (positive)", () => {
test("redacts newly-added provider token shapes", () => {
for (const s of [
`gho_${"a".repeat(36)}`, // GitHub CLI OAuth token
`gho_${"a".repeat(40)}`, // longer body — must match {36,}, not exactly 36
`glpat-${"a".repeat(20)}`,
`xapp-${"1234567890abc"}`,
`AIza${"a".repeat(35)}`,
Expand All @@ -493,6 +494,8 @@ describe("redactText — provider token shapes (positive)", () => {
`M${"a".repeat(23)}.${"a".repeat(6)}.${"a".repeat(27)}`,
`123456789-${"a".repeat(32)}.apps.googleusercontent.com`,
`eyJ${"a".repeat(10)}.eyJ${"a".repeat(10)}.${"a".repeat(20)}`,
`ghs_${"a".repeat(36)}`, // classic server-to-server token
`ghs_123456_${"A".repeat(40)}.${"B".repeat(60)}.${"C".repeat(40)}`, // stateless ghs_APPID_JWT
])
expect(redactText(s)).toBe("[REDACTED]");
// AWS secret access key only redacts in context (label + value).
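Review bot: The new stateless-form case on the `ghs_123456_…` line uses only `A`/`B`/`C` bodies, so the `_` and `-` characters a base64url JWT segment may contain — the very characters the `[A-Za-z0-9._-]` class in index.ts was widened to accept — are never exercised; a middle segment such as `${"a".repeat(20)}-${"b".repeat(20)}_${"c".repeat(20)}` would pin that. There is also no lower-boundary case for the loosened `{36,}` patterns, e.g. asserting that `ghs_${"a".repeat(35)}` is left unredacted, which would catch a later edit that lowers or drops the minimum; if the sibling negative describe already has one, ignore this. The describe block and the `for` loop both start above and continue below the hunk.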
8 changes: 6 additions & 2 deletions extensions/rules-guard/index.ts
Expand Up @@ -530,8 +530,12 @@ const SECRET_OUTPUT: RegExp[] = [
// AWS secret access key: bare 40-char base64 is indistinguishable from a git SHA,
// so match only in context (an aws-secret-ish label followed by `=`/`:`).
/\baws_?secret_?access_?key[ \t]*[:=][ \t]*["']?[A-Za-z0-9/+]{40}/gi,
// GitHub token — PAT ghp_, OAuth/CLI gho_, user-to-server ghu_, server ghs_, refresh ghr_.
/\bgh[oprsu]_[A-Za-z0-9]{36}\b/g,
// GitHub token — PAT ghp_, OAuth/CLI gho_, user-to-server ghu_, refresh ghr_.
/\bgh[opru]_[A-Za-z0-9]{36,}/g,
// GitHub server-to-server / installation token ghs_ — covers both the classic
// 36-char form and the stateless ghs_APPID_JWT form (~520 chars, dot- and
// underscore-separated), per GitHub's recommended `ghs_[A-Za-z0-9._-]{36,}`.
/\bghs_[A-Za-z0-9._-]{36,}/g,
/\bgithub_pat_[A-Za-z0-9_]{20,}/g, // GitHub PAT (fine-grained)
/\bglpat-[A-Za-z0-9_-]{20,}/g, // GitLab PAT
/\b(?:xox[baprs]|xapp)-[A-Za-z0-9-]{10,}/g, // Slack tokens (bot/user/app/...)
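Review bot: The new `ghs_` pattern at the end of the hunk puts `.` inside an unbounded greedy class with no trailing boundary, so a token that ends a sentence or sits directly before a dotted name (`ghs_…expired.` or `ghs_….github.com`) is swallowed together with the punctuation or the following name, and two tokens separated only by `.` collapse into a single `[REDACTED]`. That overreach is harmless for redaction and appears deliberate since the comment mirrors GitHub's suggested expression, but the comment should say so, e.g. `// Greedy on purpose: trailing '.' and adjacent dotted names are swallowed rather than risk truncating a JWT segment.` If the overreach is not wanted, dots can be required to be interior with `/\bghs_[A-Za-z0-9_-]{36,}(?:\.[A-Za-z0-9_-]+)*/g`, which still matches both the classic 36-char and the `ghs_APPID_JWT` shapes in the tests. The SECRET_OUTPUT array starts before and continues after the hunk.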