circle-ir-ai 2.12.1 → 2.12.2
- package/CHANGELOG.md +37 -0
- package/dist/secret-scan/history-patterns.d.ts.map +1 -1
- package/dist/secret-scan/history-patterns.js +2 -12
- package/dist/secret-scan/history-patterns.js.map +1 -1
- package/dist/secret-scan/patterns.d.ts.map +1 -1
- package/dist/secret-scan/patterns.js +2 -14
- package/dist/secret-scan/patterns.js.map +1 -1
- package/dist/secret-scan/validators.d.ts +28 -0
- package/dist/secret-scan/validators.d.ts.map +1 -0
- package/dist/secret-scan/validators.js +39 -0
- package/dist/secret-scan/validators.js.map +1 -0
- package/package.json +1 -1
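--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -5,6 +5,43 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.12.2] - 2026-06-19
+
+### Refactored — extract `validateJwtStructure` to shared utility (REFACTOR-015)
+
+The JWT structural validator was duplicated verbatim across two
+pattern modules:
+- `src/secret-scan/history-patterns.ts:134-143` (active path, git
+history scanning)
+- `src/secret-scan/patterns.ts:211-222` (deprecated path, retained
+for backwards compat)
+
+Both copies parsed the header via `JSON.parse(atob(parts[0].replace(...)))`
+with identical logic. Two copies meant any future improvement (e.g.
+adding `nbf`/`exp` validation, signature verification, kid header
+checks) had to be applied twice or risked silent drift.
+
+Extracted to `src/secret-scan/validators.ts` as a single
+`validateJwtStructure(match: string): boolean` export. Both pattern
+modules now import and reference it directly:
+
+```ts
+import { validateJwtStructure } from './validators.js';
+// ...
+validator: validateJwtStructure,
+```
+
+Behavior preserved exactly — same input → same boolean output. Pure
+internal refactor; no public API change. The new `validators.ts`
+module is the designated landing zone for REFACTOR-014's three
+follow-up entropy/shape validators.
+
+Tests: 52 files / 788 pass + 3 skipped. typecheck clean.
+
+Pre-existing files in `.specifica/hardcoded-secrets/`: this closes
+REFACTOR-015 (priority: low) — see `tasks.md` for the audit-trail
+entry.
+
 ## [2.12.1] - 2026-06-19
 
 ### Added — REFACTOR-018: tag verifier JSONL entries with priority tier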
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"history-patterns.d.ts","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"history-patterns.d.ts","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAGnD,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,SAAS,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;CACxC;AAED;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,cAAc,EA8HjD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAgBpD"}
|
|
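--- a/package/dist/secret-scan/history-patterns.js
+++ b/package/dist/secret-scan/history-patterns.js
@@ -8,6 +8,7 @@
 * This file intentionally duplicates a minimal subset of patterns to support
 * git history scanning. The authoritative patterns live in circle-ir.
 */
+import { validateJwtStructure } from './validators.js';
 /**
 * Minimal high-confidence patterns for git history scanning.
 * These mirror circle-ir's ScanSecretsPass provider patterns.
@@ -111,18 +112,7 @@ export const HISTORY_SCAN_PATTERNS = [
 pattern: /\beyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g,
 severity: 'critical',
 category: 'jwt',
-validator:
-const parts = match.split('.');
-if (parts.length !== 3)
-return false;
-try {
-const header = JSON.parse(atob(parts[0].replace(/-/g, '+').replace(/_/g, '/')));
-return header && typeof header === 'object';
-}
-catch {
-return false;
-}
-},
+validator: validateJwtStructure,
 },
 // Private Keys
 {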
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"history-patterns.js","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;
|
|
1
|
+
{"version":3,"file":"history-patterns.js","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAYvD;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAqB;IACrD,MAAM;IACN;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,uBAAuB;QAChC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;KAChB;IAED,gBAAgB;IAChB;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,8BAA8B;QACpC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IAED,SAAS;IACT;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;KACnB;IAED,SAAS;IACT;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,yBAAyB;QAClC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IAED,YAAY;IACZ;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,gCAAgC;QACzC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,WAAW;KACtB;IAED,QAAQ;IACR;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;KAClB;IAED,SAAS;IACT;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,4BAA4B;QACrC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;KAChB;IAED,MAAM;IACN;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,oBAAoB;KAChC;IAED,eAAe;IACf;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,8DAA8D;QACvE,
QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;KACxB;IAED,MAAM;IACN;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;KAChB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACvB,IAAI,GAAG,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAExB,MAAM,IAAI,GAAwB,IAAI,GAAG,EAAE,CAAC;IAC5C,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../src/secret-scan/patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;
|
|
1
|
+
{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../src/secret-scan/patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAIH,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEpE,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,SAAS,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;IACvC,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;CAClC;AAqaD;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAgBpD;AAED;;GAEG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EAY1C,CAAC;AAEF;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa,EAAE,CAEvE;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,cAAc,GAAG,aAAa,EAAE,CAE/E;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,EAAE,CAE/C"}
|
|
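--- a/package/dist/secret-scan/patterns.js
+++ b/package/dist/secret-scan/patterns.js
@@ -16,6 +16,7 @@
 * - Git history scanning: Use HISTORY_SCAN_PATTERNS from './history-patterns.js'
 * - LLM verification: Use SecretScanner with llmVerify: true
 */
+import { validateJwtStructure } from './validators.js';
 /**
 * AWS Credential Patterns
 */
@@ -189,20 +190,7 @@ const jwtPatterns = [
 severity: 'high',
 category: 'jwt',
 keywords: ['eyJ'],
-validator:
-// Validate JWT structure
-const parts = match.split('.');
-if (parts.length !== 3)
-return false;
-try {
-// Check if header is valid base64
-const header = JSON.parse(atob(parts[0].replace(/-/g, '+').replace(/_/g, '/')));
-return header && typeof header === 'object';
-}
-catch {
-return false;
-}
-},
+validator: validateJwtStructure,
 },
 ];
 /**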
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../src/secret-scan/patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;
|
|
1
|
+
{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../src/secret-scan/patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAgBvD;;GAEG;AACH,MAAM,WAAW,GAAoB;IACnC;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,wEAAwE;QACjF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC;KAClF;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EAAE,uBAAuB;QACpC,OAAO,EAAE,sFAAsF;QAC/F,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,QAAQ,EAAE,KAAK,CAAC;KAC5B;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,6BAA6B;QAC1C,OAAO,EAAE,2EAA2E;QACpF,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,SAAS,EAAE,OAAO,EAAE,KAAK,CAAC;KACtC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,cAAc,GAAoB;IACtC;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,8BAA8B;QACpC,WAAW,EAAE,wCAAwC;QACrD,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,+BAA+B;QAC5C,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EAAE,4BAA4B;QACzC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,2CAA2C;QACxD,OAAO,EAAE,iDAAiD;QAC1D,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,aAAa,CAAC;KAC1B;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,cAAc,GAAoB;IACtC;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,uBAAuB;QACpC,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,UAAU,CAAC;KACvB;IACD;QACE
,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,qBAAqB;QAClC,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,UAAU,CAAC;KACvB;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,wBAAwB;QAC9B,WAAW,EAAE,wDAAwD;QACrE,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,UAAU,CAAC;KACvB;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,UAAU,CAAC;KACvB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,cAAc,GAAoB;IACtC;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,gDAAgD;QAC7D,OAAO,EAAE,kEAAkE;QAC3E,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC;QACxB,qBAAqB,EAAE;YACrB,UAAU;YACV,cAAc;YACd,uBAAuB;YACvB,OAAO;YACP,MAAM;YACN,KAAK;SACN;KACF;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,cAAc;QACpB,WAAW,EAAE,6BAA6B;QAC1C,OAAO,EAAE,uCAAuC;QAChD,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,CAAC,QAAQ,CAAC;QACpB,qBAAqB,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,CAAC;QAClD,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,yCAAyC;YACzC,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;YAC9C,iEAAiE;YACjE,OAAO,KAAK,CAAC,MAAM,IAAI,EAAE,CAAC;QAC5B,CAAC;KACF;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,GAAoB;IACnC;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,WAAW;QACjB,WAAW,EAAE,gBAAgB;QAC7B,OAAO,EAAE,oEAAoE;QAC7E,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,KAAK,CAAC;QACjB,SAAS,EAAE,oBAAoB;KAChC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,gBAAgB,GAAoB;IACxC;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,6CAA6C;QAC1D,OAAO,EAAE,wFAAwF;QACjG,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC;QACnE,qBAAqB,EAAE,CAAC,WAAW,EAAE,cAAc,EAAE,cAAc,CAAC;KACrE;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,oCAAoC;QACjD,OAAO,EAAE,sHAAsH;QAC/H,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,CAAC,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,CAAC;QAC
7D,qBAAqB,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,CAAC;KAChE;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,kBAAkB,GAAoB;IAC1C;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,iBAAiB;QAC9B,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,CAAC,uBAAuB,CAAC;KACpC;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EAAE,qBAAqB;QAClC,OAAO,EAAE,+EAA+E;QACxF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,CAAC,2BAA2B,CAAC;KACxC;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,4BAA4B;QACzC,OAAO,EAAE,qEAAqE;QAC9E,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,CAAC,sBAAsB,CAAC;KACnC;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,iBAAiB;QAC9B,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,CAAC,uBAAuB,CAAC;KACpC;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,uBAAuB;QACpC,OAAO,EAAE,mFAAmF;QAC5F,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,CAAC,uBAAuB,CAAC;KACpC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,aAAa,GAAoB;IACrC;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EAAE,+BAA+B;QAC5C,OAAO,EAAE,4BAA4B;QACrC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,OAAO,CAAC;KACpB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,oFAAoF;QAC7F,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;QACjB,QAAQ,EAAE,CAAC,YAAY,EAAE,OAAO,EAAE,SAAS,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,iCAAiC;QAC9C,OAAO,EAAE,oFAAoF;QAC7F,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;QACjB,QAAQ,EAAE,CAAC,0BAA0B,EAAE,YAAY,CAAC;KACrD;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,qBAAqB,GAAoB;IAC7C;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,aAAa;QACnB,WAAW,EAAE,yBAAyB;QACtC,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,OAAO;QACjB,QAAQ,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAA
O,EAAE,OAAO,CAAC;KACxD;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,4BAA4B;QACzC,OAAO,EAAE,oFAAoF;QAC7F,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,OAAO;QACjB,QAAQ,EAAE,CAAC,iBAAiB,CAAC;KAC9B;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,eAAe;QACrB,WAAW,EAAE,8BAA8B;QAC3C,OAAO,EAAE,gEAAgE;QACzE,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,SAAS;KACpB;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EAAE,qBAAqB;QAClC,OAAO,EAAE,qEAAqE;QAC9E,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;KACjC;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,gBAAgB;QAC7B,OAAO,EAAE,wBAAwB;QACjC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,IAAI,CAAC;KACjB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,kBAAkB;QAC/B,OAAO,EAAE,+CAA+C;QACxD,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,CAAC,KAAK,CAAC;KAClB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,eAAe,GAAoB;IACvC;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,2CAA2C;QACpD,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,QAAQ,CAAC;KACrB;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EAAE,yBAAyB;QACtC,OAAO,EAAE,qCAAqC;QAC9C,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,KAAK,CAAC;KAClB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,mBAAmB,GAAoB;IAC3C;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,4BAA4B;QAClC,WAAW,EAAE,+DAA+D;QAC5E,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,gBAAgB;YAChB,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC/B,4BAA4B;YAC5B,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;YACtC,sDAAsD;YACtD,OAAO,OAAO,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;QAC3C,CAAC;KACF;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,4DAA4D;QACzE,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC/B,MAAM,OAAO,GAAG,gBAAgB,CAAC,GA
AG,CAAC,CAAC;YACtC,4CAA4C;YAC5C,OAAO,OAAO,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;QAC3C,CAAC;KACF;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACvB,IAAI,GAAG,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAExB,MAAM,IAAI,GAAwB,IAAI,GAAG,EAAE,CAAC;IAC5C,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAoB;IAC9C,GAAG,WAAW;IACd,GAAG,cAAc;IACjB,GAAG,cAAc;IACjB,GAAG,cAAc;IACjB,GAAG,WAAW;IACd,GAAG,gBAAgB;IACnB,GAAG,kBAAkB;IACrB,GAAG,aAAa;IAChB,GAAG,qBAAqB;IACxB,GAAG,eAAe;IAClB,GAAG,mBAAmB;CACvB,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAgB;IACpD,OAAO,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAwB;IAC5D,OAAO,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AAC9D,CAAC"}
|
|
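--- /dev/null
+++ b/package/dist/secret-scan/validators.d.ts
@@ -0,0 +1,28 @@
+/**
+* Shared validators for secret-pattern matches.
+*
+* REFACTOR-015 (2026-06-19): JWT validation was duplicated verbatim
+* across `history-patterns.ts` and `patterns.ts`. Future structural
+* validators (REFACTOR-014: high-entropy entropy gates, provider-
+* prefix shape checks, etc.) should land here so both pattern modules
+* stay in sync.
+*
+* Validators take the matched string and return `true` when the match
+* is structurally plausible. They are NOT exploit checks — they only
+* filter out obvious false positives by parsing the embedded payload.
+*/
+/**
+* Validate that a string looks like a JWT (header.payload.signature
+* with a base64-decodable JSON object header).
+*
+* Used by:
+* - `history-patterns.ts` (`jwt-token` pattern)
+* - `patterns.ts` (`jwt-token` pattern, deprecated in favor of
+* circle-ir's ScanSecretsPass)
+*
+* No signature verification — that requires the public key, which the
+* scanner doesn't have. Header decode is sufficient to discard random
+* base64 strings.
+*/
+export declare function validateJwtStructure(match: string): boolean;
+//# sourceMappingURL=validators.d.ts.map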
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../src/secret-scan/validators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAW3D"}
|
|
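--- /dev/null
+++ b/package/dist/secret-scan/validators.js
@@ -0,0 +1,39 @@
+/**
+* Shared validators for secret-pattern matches.
+*
+* REFACTOR-015 (2026-06-19): JWT validation was duplicated verbatim
+* across `history-patterns.ts` and `patterns.ts`. Future structural
+* validators (REFACTOR-014: high-entropy entropy gates, provider-
+* prefix shape checks, etc.) should land here so both pattern modules
+* stay in sync.
+*
+* Validators take the matched string and return `true` when the match
+* is structurally plausible. They are NOT exploit checks — they only
+* filter out obvious false positives by parsing the embedded payload.
+*/
+/**
+* Validate that a string looks like a JWT (header.payload.signature
+* with a base64-decodable JSON object header).
+*
+* Used by:
+* - `history-patterns.ts` (`jwt-token` pattern)
+* - `patterns.ts` (`jwt-token` pattern, deprecated in favor of
+* circle-ir's ScanSecretsPass)
+*
+* No signature verification — that requires the public key, which the
+* scanner doesn't have. Header decode is sufficient to discard random
+* base64 strings.
+*/
+export function validateJwtStructure(match) {
+const parts = match.split('.');
+if (parts.length !== 3)
+return false;
+try {
+const header = JSON.parse(atob(parts[0].replace(/-/g, '+').replace(/_/g, '/')));
+return header && typeof header === 'object';
+}
+catch {
+return false;
+}
+}
+//# sourceMappingURL=validators.js.map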
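Review bot: `return header && typeof header === 'object';` on line 33 of the new validators.js does not always return a boolean, although the companion validators.d.ts hunk declares `validateJwtStructure(match: string): boolean` — a header segment that decodes to JSON `null` yields `null` (since `typeof null === 'object'`, only the `&&` short-circuit saves it), and `0`, `""` or `false` are returned as themselves. A JSON array header such as `[]` also passes the `typeof` test, so it is accepted as a "JSON object header". Replacing the line with `return header !== null && typeof header === 'object' && !Array.isArray(header);` makes the contract match the declaration for every decoded value. Separately, the bare `catch` treats every throw as "not a JWT", including a `ReferenceError` if `atob` is not defined in the host runtime, which would silently drop every JWT candidate instead of failing loudly; if the package is Node-only, `Buffer.from(parts[0], 'base64url').toString()` avoids both the global and the manual `-`/`_` substitution, otherwise consider rethrowing anything that is not a decode or parse error.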
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"validators.js","sourceRoot":"","sources":["../../src/secret-scan/validators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAChD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CACvB,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CACrD,CAAC;QACF,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}
|