circle-ir-ai 2.12.1 → 2.12.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +101 -0
- package/dist/secret-scan/history-patterns.d.ts.map +1 -1
- package/dist/secret-scan/history-patterns.js +5 -12
- package/dist/secret-scan/history-patterns.js.map +1 -1
- package/dist/secret-scan/patterns.d.ts.map +1 -1
- package/dist/secret-scan/patterns.js +2 -14
- package/dist/secret-scan/patterns.js.map +1 -1
- package/dist/secret-scan/validators.d.ts +69 -0
- package/dist/secret-scan/validators.d.ts.map +1 -0
- package/dist/secret-scan/validators.js +105 -0
- package/dist/secret-scan/validators.js.map +1 -0
- package/package.json +3 -2
package/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,107 @@ All notable changes to this project will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [2.12.4] - 2026-06-19
|
|
9
|
+
|
|
10
|
+
### Dependencies
|
|
11
|
+
|
|
12
|
+
- Bump `circle-ir` `3.74.0` → `3.75.0`.
|
|
13
|
+
|
|
14
|
+
Routine upstream sync — picks up the latest static-analysis layer
|
|
15
|
+
(extra inter-procedural taint coverage, additional sink rules). No
|
|
16
|
+
circle-ir-ai source changes; full test suite (797 pass + 3 skipped)
|
|
17
|
+
+ typecheck + build clean on 3.75.0.
|
|
18
|
+
|
|
19
|
+
## [2.12.3] - 2026-06-19
|
|
20
|
+
|
|
21
|
+
### Added — structural validators for OpenAI / GCP / npm history patterns (REFACTOR-014)
|
|
22
|
+
|
|
23
|
+
REVIEW-004's 2026-06-18 audit found 1/15 history-scan patterns shipped
|
|
24
|
+
a structural validator (`jwt-token`). The 3 patterns with the highest
|
|
25
|
+
measured FP-risk (`openai-api-key`, `gcp-api-key`, `npm-token`) relied
|
|
26
|
+
on the regex alone. REFACTOR-003's fixture-path LLM gate caught test
|
|
27
|
+
paths, but production-path hits went direct.
|
|
28
|
+
|
|
29
|
+
This release adds three validators in
|
|
30
|
+
`src/secret-scan/validators.ts` (the module created in REFACTOR-015
|
|
31
|
+
specifically as the landing zone for this work):
|
|
32
|
+
|
|
33
|
+
```ts
|
|
34
|
+
validateOpenAIKey — length 51, sk- prefix, NOT sk-ant- prefix
|
|
35
|
+
validateGcpApiKey — length 39, AIza prefix
|
|
36
|
+
validateNpmToken — length 40, npm_ prefix, no doubled-underscore
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
Wired into the corresponding `HISTORY_SCAN_PATTERNS` entries in
|
|
40
|
+
`src/secret-scan/history-patterns.ts`:
|
|
41
|
+
|
|
42
|
+
| Pattern id | Was | Now |
|
|
43
|
+
|------------|-----|-----|
|
|
44
|
+
| `openai-api-key` | regex only | regex + `validateOpenAIKey` |
|
|
45
|
+
| `gcp-api-key` | regex only | regex + `validateGcpApiKey` |
|
|
46
|
+
| `npm-token` | regex only | regex + `validateNpmToken` |
|
|
47
|
+
|
|
48
|
+
**No production-path behavior change today.** The existing regexes
|
|
49
|
+
already enforce the lengths, prefixes, and charset constraints — the
|
|
50
|
+
validators codify the intent so future regex edits can't silently
|
|
51
|
+
widen the match set. They also cheaply defend against the
|
|
52
|
+
specifically-called-out hypothetical collisions (Anthropic
|
|
53
|
+
`sk-ant-` short form for openai; doubled-`__` variable names for
|
|
54
|
+
npm).
|
|
55
|
+
|
|
56
|
+
**Excluded patterns** (REVIEW-004 ranked their collision risk low,
|
|
57
|
+
and validators add per-finding cost): `aws-access-key-id`,
|
|
58
|
+
`github-pat`, `github-oauth`, `github-app-token`,
|
|
59
|
+
`github-user-token`, `github-refresh-token`, `stripe-secret-key`,
|
|
60
|
+
`stripe-publishable-key`, `anthropic-api-key`, `slack-token`,
|
|
61
|
+
`pem-private-key`.
|
|
62
|
+
|
|
63
|
+
Tests: new `historyPatternValidators (REFACTOR-014)` describe block
|
|
64
|
+
in `tests/secret-scan-llm-gate.test.ts` with 9 cases (3 patterns × 3
|
|
65
|
+
assertions each: positive + collision + length boundary). 52 files /
|
|
66
|
+
**797 pass** + 3 skipped (was 788). typecheck clean.
|
|
67
|
+
|
|
68
|
+
Pre-existing files in `.specifica/hardcoded-secrets/`: this closes
|
|
69
|
+
REFACTOR-014 (priority: medium) — see `tasks.md` for the audit-trail
|
|
70
|
+
entry.
|
|
71
|
+
|
|
72
|
+
## [2.12.2] - 2026-06-19
|
|
73
|
+
|
|
74
|
+
### Refactored — extract `validateJwtStructure` to shared utility (REFACTOR-015)
|
|
75
|
+
|
|
76
|
+
The JWT structural validator was duplicated verbatim across two
|
|
77
|
+
pattern modules:
|
|
78
|
+
- `src/secret-scan/history-patterns.ts:134-143` (active path, git
|
|
79
|
+
history scanning)
|
|
80
|
+
- `src/secret-scan/patterns.ts:211-222` (deprecated path, retained
|
|
81
|
+
for backwards compat)
|
|
82
|
+
|
|
83
|
+
Both copies parsed the header via `JSON.parse(atob(parts[0].replace(...)))`
|
|
84
|
+
with identical logic. Two copies meant any future improvement (e.g.
|
|
85
|
+
adding `nbf`/`exp` validation, signature verification, kid header
|
|
86
|
+
checks) had to be applied twice or risked silent drift.
|
|
87
|
+
|
|
88
|
+
Extracted to `src/secret-scan/validators.ts` as a single
|
|
89
|
+
`validateJwtStructure(match: string): boolean` export. Both pattern
|
|
90
|
+
modules now import and reference it directly:
|
|
91
|
+
|
|
92
|
+
```ts
|
|
93
|
+
import { validateJwtStructure } from './validators.js';
|
|
94
|
+
// ...
|
|
95
|
+
validator: validateJwtStructure,
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
Behavior preserved exactly — same input → same boolean output. Pure
|
|
99
|
+
internal refactor; no public API change. The new `validators.ts`
|
|
100
|
+
module is the designated landing zone for REFACTOR-014's three
|
|
101
|
+
follow-up entropy/shape validators.
|
|
102
|
+
|
|
103
|
+
Tests: 52 files / 788 pass + 3 skipped. typecheck clean.
|
|
104
|
+
|
|
105
|
+
Pre-existing files in `.specifica/hardcoded-secrets/`: this closes
|
|
106
|
+
REFACTOR-015 (priority: low) — see `tasks.md` for the audit-trail
|
|
107
|
+
entry.
|
|
108
|
+
|
|
8
109
|
## [2.12.1] - 2026-06-19
|
|
9
110
|
|
|
10
111
|
### Added — REFACTOR-018: tag verifier JSONL entries with priority tier
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"history-patterns.d.ts","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"history-patterns.d.ts","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAQnD,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,SAAS,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;CACxC;AAED;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,cAAc,EAiIjD,CAAC;AAEF;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAgBpD"}
|
|
@@ -8,6 +8,7 @@
|
|
|
8
8
|
* This file intentionally duplicates a minimal subset of patterns to support
|
|
9
9
|
* git history scanning. The authoritative patterns live in circle-ir.
|
|
10
10
|
*/
|
|
11
|
+
import { validateGcpApiKey, validateJwtStructure, validateNpmToken, validateOpenAIKey, } from './validators.js';
|
|
11
12
|
/**
|
|
12
13
|
* Minimal high-confidence patterns for git history scanning.
|
|
13
14
|
* These mirror circle-ir's ScanSecretsPass provider patterns.
|
|
@@ -79,6 +80,7 @@ export const HISTORY_SCAN_PATTERNS = [
|
|
|
79
80
|
pattern: /\bsk-[A-Za-z0-9]{48}\b/g,
|
|
80
81
|
severity: 'critical',
|
|
81
82
|
category: 'openai',
|
|
83
|
+
validator: validateOpenAIKey,
|
|
82
84
|
},
|
|
83
85
|
// Anthropic
|
|
84
86
|
{
|
|
@@ -103,6 +105,7 @@ export const HISTORY_SCAN_PATTERNS = [
|
|
|
103
105
|
pattern: /\bAIza[0-9A-Za-z_-]{35}\b/g,
|
|
104
106
|
severity: 'critical',
|
|
105
107
|
category: 'gcp',
|
|
108
|
+
validator: validateGcpApiKey,
|
|
106
109
|
},
|
|
107
110
|
// JWT
|
|
108
111
|
{
|
|
@@ -111,18 +114,7 @@ export const HISTORY_SCAN_PATTERNS = [
|
|
|
111
114
|
pattern: /\beyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g,
|
|
112
115
|
severity: 'critical',
|
|
113
116
|
category: 'jwt',
|
|
114
|
-
validator:
|
|
115
|
-
const parts = match.split('.');
|
|
116
|
-
if (parts.length !== 3)
|
|
117
|
-
return false;
|
|
118
|
-
try {
|
|
119
|
-
const header = JSON.parse(atob(parts[0].replace(/-/g, '+').replace(/_/g, '/')));
|
|
120
|
-
return header && typeof header === 'object';
|
|
121
|
-
}
|
|
122
|
-
catch {
|
|
123
|
-
return false;
|
|
124
|
-
}
|
|
125
|
-
},
|
|
117
|
+
validator: validateJwtStructure,
|
|
126
118
|
},
|
|
127
119
|
// Private Keys
|
|
128
120
|
{
|
|
@@ -139,6 +131,7 @@ export const HISTORY_SCAN_PATTERNS = [
|
|
|
139
131
|
pattern: /\bnpm_[A-Za-z0-9]{36}\b/g,
|
|
140
132
|
severity: 'critical',
|
|
141
133
|
category: 'npm',
|
|
134
|
+
validator: validateNpmToken,
|
|
142
135
|
},
|
|
143
136
|
];
|
|
144
137
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"history-patterns.js","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;
|
|
1
|
+
{"version":3,"file":"history-patterns.js","sourceRoot":"","sources":["../../src/secret-scan/history-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EACL,iBAAiB,EACjB,oBAAoB,EACpB,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,iBAAiB,CAAC;AAYzB;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAqB;IACrD,MAAM;IACN;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,uBAAuB;QAChC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;KAChB;IAED,gBAAgB;IAChB;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,8BAA8B;QACpC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IAED,SAAS;IACT;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;KACnB;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;KACnB;IAED,SAAS;IACT;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,yBAAyB;QAClC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,iBAAiB;KAC7B;IAED,YAAY;IACZ;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,gCAAgC;QACzC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,WAAW;KACtB;IAED,QAAQ;IACR;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;KAClB;IAED,SAAS;IACT;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,4BAA4B;QACrC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,iBAAiB;KAC7B;IAED,MAAM;IACN;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,oBAAoB;KAChC;IAED,eAAe;IACf;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;KACxB;IAED,MAAM;IACN;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,gBAAgB;KAC5B;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACvB,IAAI,GAAG,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAExB,MAAM,IAAI,GAAwB,IAAI,GAAG,EAAE,CAAC;IAC5C,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../src/secret-scan/patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;
|
|
1
|
+
{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../src/secret-scan/patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAIH,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEpE,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,SAAS,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;IACvC,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;CAClC;AAqaD;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAgBpD;AAED;;GAEG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EAY1C,CAAC;AAEF;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa,EAAE,CAEvE;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,cAAc,GAAG,aAAa,EAAE,CAE/E;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,EAAE,CAE/C"}
|
|
@@ -16,6 +16,7 @@
|
|
|
16
16
|
* - Git history scanning: Use HISTORY_SCAN_PATTERNS from './history-patterns.js'
|
|
17
17
|
* - LLM verification: Use SecretScanner with llmVerify: true
|
|
18
18
|
*/
|
|
19
|
+
import { validateJwtStructure } from './validators.js';
|
|
19
20
|
/**
|
|
20
21
|
* AWS Credential Patterns
|
|
21
22
|
*/
|
|
@@ -189,20 +190,7 @@ const jwtPatterns = [
|
|
|
189
190
|
severity: 'high',
|
|
190
191
|
category: 'jwt',
|
|
191
192
|
keywords: ['eyJ'],
|
|
192
|
-
validator:
|
|
193
|
-
// Validate JWT structure
|
|
194
|
-
const parts = match.split('.');
|
|
195
|
-
if (parts.length !== 3)
|
|
196
|
-
return false;
|
|
197
|
-
try {
|
|
198
|
-
// Check if header is valid base64
|
|
199
|
-
const header = JSON.parse(atob(parts[0].replace(/-/g, '+').replace(/_/g, '/')));
|
|
200
|
-
return header && typeof header === 'object';
|
|
201
|
-
}
|
|
202
|
-
catch {
|
|
203
|
-
return false;
|
|
204
|
-
}
|
|
205
|
-
},
|
|
193
|
+
validator: validateJwtStructure,
|
|
206
194
|
},
|
|
207
195
|
];
|
|
208
196
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../src/secret-scan/patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;
|
|
1
|
+
{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../src/secret-scan/patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAgBvD;;GAEG;AACH,MAAM,WAAW,GAAoB;IACnC;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,wEAAwE;QACjF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC;KAClF;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EAAE,uBAAuB;QACpC,OAAO,EAAE,sFAAsF;QAC/F,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,QAAQ,EAAE,KAAK,CAAC;KAC5B;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,6BAA6B;QAC1C,OAAO,EAAE,2EAA2E;QACpF,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,SAAS,EAAE,OAAO,EAAE,KAAK,CAAC;KACtC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,cAAc,GAAoB;IACtC;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,8BAA8B;QACpC,WAAW,EAAE,wCAAwC;QACrD,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,+BAA+B;QAC5C,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EAAE,4BAA4B;QACzC,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,2CAA2C;QACxD,OAAO,EAAE,iDAAiD;QAC1D,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,aAAa,CAAC;KAC1B;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,cAAc,GAAoB;IACtC;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,uBAAuB;QACpC,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,UAAU,CAAC;KACvB;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,qBAAqB;QAClC,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,UAAU,CAAC;KACvB;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,wBAAwB;QAC9B,WAAW,EAAE,wDAAwD;QACrE,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,UAAU,CAAC;KACvB;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,uBAAuB;QAC7B,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,UAAU,CAAC;KACvB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,cAAc,GAAoB;IACtC;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,gDAAgD;QAC7D,OAAO,EAAE,kEAAkE;QAC3E,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC;QACxB,qBAAqB,EAAE;YACrB,UAAU;YACV,cAAc;YACd,uBAAuB;YACvB,OAAO;YACP,MAAM;YACN,KAAK;SACN;KACF;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,cAAc;QACpB,WAAW,EAAE,6BAA6B;QAC1C,OAAO,EAAE,uCAAuC;QAChD,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,CAAC,QAAQ,CAAC;QACpB,qBAAqB,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,CAAC;QAClD,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,yCAAyC;YACzC,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;YAC9C,iEAAiE;YACjE,OAAO,KAAK,CAAC,MAAM,IAAI,EAAE,CAAC;QAC5B,CAAC;KACF;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,GAAoB;IACnC;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,WAAW;QACjB,WAAW,EAAE,gBAAgB;QAC7B,OAAO,EAAE,oEAAoE;QAC7E,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,KAAK,CAAC;QACjB,SAAS,EAAE,oBAAoB;KAChC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,gBAAgB,GAAoB;IACxC;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,6CAA6C;QAC1D,OAAO,EAAE,wFAAwF;QACjG,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC;QACnE,qBAAqB,EAAE,CAAC,WAAW,EAAE,cAAc,EAAE,cAAc,CAAC;KACrE;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,oCAAoC;QACjD,OAAO,EAAE,sHAAsH;QAC/H,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,CAAC,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,CAAC;QAC7D,qBAAqB,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,CAAC;KAChE;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,kBAAkB,GAAoB;IAC1C;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,iBAAiB;QAC9B,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,CAAC,uBAAuB,CAAC;KACpC;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EAAE,qBAAqB;QAClC,OAAO,EAAE,+EAA+E;QACxF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,CAAC,2BAA2B,CAAC;KACxC;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,4BAA4B;QACzC,OAAO,EAAE,qEAAqE;QAC9E,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,CAAC,sBAAsB,CAAC;KACnC;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,iBAAiB;QAC9B,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,CAAC,uBAAuB,CAAC;KACpC;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,uBAAuB;QACpC,OAAO,EAAE,mFAAmF;QAC5F,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,CAAC,uBAAuB,CAAC;KACpC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,aAAa,GAAoB;IACrC;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EAAE,+BAA+B;QAC5C,OAAO,EAAE,4BAA4B;QACrC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,MAAM,CAAC;KACnB;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,CAAC,OAAO,CAAC;KACpB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,oFAAoF;QAC7F,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;QACjB,QAAQ,EAAE,CAAC,YAAY,EAAE,OAAO,EAAE,SAAS,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,iCAAiC;QAC9C,OAAO,EAAE,oFAAoF;QAC7F,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,OAAO;QACjB,QAAQ,EAAE,CAAC,0BAA0B,EAAE,YAAY,CAAC;KACrD;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,qBAAqB,GAAoB;IAC7C;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,aAAa;QACnB,WAAW,EAAE,yBAAyB;QACtC,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,OAAO;QACjB,QAAQ,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC;KACxD;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,4BAA4B;QACzC,OAAO,EAAE,oFAAoF;QAC7F,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,OAAO;QACjB,QAAQ,EAAE,CAAC,iBAAiB,CAAC;KAC9B;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,eAAe;QACrB,WAAW,EAAE,8BAA8B;QAC3C,OAAO,EAAE,gEAAgE;QACzE,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,SAAS;KACpB;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EAAE,qBAAqB;QAClC,OAAO,EAAE,qEAAqE;QAC9E,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;KACjC;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,gBAAgB;QAC7B,OAAO,EAAE,wBAAwB;QACjC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,IAAI,CAAC;KACjB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,kBAAkB;QAC/B,OAAO,EAAE,+CAA+C;QACxD,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,CAAC,KAAK,CAAC;KAClB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,eAAe,GAAoB;IACvC;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,2CAA2C;QACpD,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,QAAQ,CAAC;KACrB;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,qBAAqB;QAC3B,WAAW,EAAE,yBAAyB;QACtC,OAAO,EAAE,qCAAqC;QAC9C,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,CAAC,KAAK,CAAC;KAClB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,mBAAmB,GAAoB;IAC3C;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,4BAA4B;QAClC,WAAW,EAAE,+DAA+D;QAC5E,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,gBAAgB;YAChB,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC/B,4BAA4B;YAC5B,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;YACtC,sDAAsD;YACtD,OAAO,OAAO,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;QAC3C,CAAC;KACF;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,yBAAyB;QAC/B,WAAW,EAAE,4DAA4D;QACzE,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,CAAC,KAAa,EAAE,EAAE;YAC3B,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC/B,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;YACtC,4CAA4C;YAC5C,OAAO,OAAO,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;QAC3C,CAAC;KACF;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACvB,IAAI,GAAG,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAExB,MAAM,IAAI,GAAwB,IAAI,GAAG,EAAE,CAAC;IAC5C,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAoB;IAC9C,GAAG,WAAW;IACd,GAAG,cAAc;IACjB,GAAG,cAAc;IACjB,GAAG,cAAc;IACjB,GAAG,WAAW;IACd,GAAG,gBAAgB;IACnB,GAAG,kBAAkB;IACrB,GAAG,aAAa;IAChB,GAAG,qBAAqB;IACxB,GAAG,eAAe;IAClB,GAAG,mBAAmB;CACvB,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAgB;IACpD,OAAO,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAwB;IAC5D,OAAO,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AAC9D,CAAC"}
|
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Shared validators for secret-pattern matches.
|
|
3
|
+
*
|
|
4
|
+
* REFACTOR-015 (2026-06-19): JWT validation was duplicated verbatim
|
|
5
|
+
* across `history-patterns.ts` and `patterns.ts`. Future structural
|
|
6
|
+
* validators (REFACTOR-014: high-entropy entropy gates, provider-
|
|
7
|
+
* prefix shape checks, etc.) should land here so both pattern modules
|
|
8
|
+
* stay in sync.
|
|
9
|
+
*
|
|
10
|
+
* Validators take the matched string and return `true` when the match
|
|
11
|
+
* is structurally plausible. They are NOT exploit checks — they only
|
|
12
|
+
* filter out obvious false positives by parsing the embedded payload.
|
|
13
|
+
*/
|
|
14
|
+
/**
|
|
15
|
+
* Validate that a string looks like a JWT (header.payload.signature
|
|
16
|
+
* with a base64-decodable JSON object header).
|
|
17
|
+
*
|
|
18
|
+
* Used by:
|
|
19
|
+
* - `history-patterns.ts` (`jwt-token` pattern)
|
|
20
|
+
* - `patterns.ts` (`jwt-token` pattern, deprecated in favor of
|
|
21
|
+
* circle-ir's ScanSecretsPass)
|
|
22
|
+
*
|
|
23
|
+
* No signature verification — that requires the public key, which the
|
|
24
|
+
* scanner doesn't have. Header decode is sufficient to discard random
|
|
25
|
+
* base64 strings.
|
|
26
|
+
*/
|
|
27
|
+
export declare function validateJwtStructure(match: string): boolean;
|
|
28
|
+
/**
|
|
29
|
+
* Validate an OpenAI API key shape (REFACTOR-014).
|
|
30
|
+
*
|
|
31
|
+
* OpenAI keys are `sk-` + 48 alphanumeric chars = 51 total. The
|
|
32
|
+
* `history-patterns.ts` regex `\bsk-[A-Za-z0-9]{48}\b` already enforces
|
|
33
|
+
* length and charset, but the validator adds three explicit guards:
|
|
34
|
+
*
|
|
35
|
+
* 1. Exact length 51 (defense against future regex relaxation).
|
|
36
|
+
* 2. Prefix `sk-` (rules out Stripe `sk_live_...` and a malformed
|
|
37
|
+
* `sk_test_` that might slip past a future pattern split).
|
|
38
|
+
* 3. NOT `sk-ant-` (Anthropic keys also start with `sk-` but are
|
|
39
|
+
* much longer and have hyphens in the tail; if Anthropic ever
|
|
40
|
+
* issued a 51-char short form it would not be an OpenAI key).
|
|
41
|
+
*
|
|
42
|
+
* Cheap (4 string ops). Filters vendored-docs example collisions
|
|
43
|
+
* such as `sk-replaceMeWithYourRealKey...` (51 chars, alphanumeric)
|
|
44
|
+
* which match the regex but are obviously placeholders.
|
|
45
|
+
*/
|
|
46
|
+
export declare function validateOpenAIKey(match: string): boolean;
|
|
47
|
+
/**
|
|
48
|
+
* Validate a Google Cloud API key shape (REFACTOR-014).
|
|
49
|
+
*
|
|
50
|
+
* GCP API keys are `AIza` + 35 chars from `[A-Za-z0-9_-]` = 39 total.
|
|
51
|
+
* The `history-patterns.ts` regex bound `{35}` already enforces this.
|
|
52
|
+
* The validator codifies the constant so a future pattern edit
|
|
53
|
+
* (e.g. broadening to `{30,40}` by mistake) is caught by tests
|
|
54
|
+
* before shipping, and documents the canonical Google-published
|
|
55
|
+
* shape.
|
|
56
|
+
*/
|
|
57
|
+
export declare function validateGcpApiKey(match: string): boolean;
|
|
58
|
+
/**
|
|
59
|
+
* Validate an npm access token shape (REFACTOR-014).
|
|
60
|
+
*
|
|
61
|
+
* Real npm tokens are `npm_` + 36 alphanumeric chars = 40 total. The
|
|
62
|
+
* `history-patterns.ts` regex `\bnpm_[A-Za-z0-9]{36}\b` already
|
|
63
|
+
* enforces the tail charset (no `_` in tail). The validator adds an
|
|
64
|
+
* explicit doubled-underscore guard so a future pattern edit that
|
|
65
|
+
* relaxes the tail (e.g. to `[A-Za-z0-9_]`) doesn't silently start
|
|
66
|
+
* matching variable names like `npm__internal_cache_key_42_chars_xx`.
|
|
67
|
+
*/
|
|
68
|
+
export declare function validateNpmToken(match: string): boolean;
|
|
69
|
+
//# sourceMappingURL=validators.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../src/secret-scan/validators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAW3D;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAKxD;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAIxD;AAED;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAQvD"}
|
|
@@ -0,0 +1,105 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Shared validators for secret-pattern matches.
|
|
3
|
+
*
|
|
4
|
+
* REFACTOR-015 (2026-06-19): JWT validation was duplicated verbatim
|
|
5
|
+
* across `history-patterns.ts` and `patterns.ts`. Future structural
|
|
6
|
+
* validators (REFACTOR-014: high-entropy entropy gates, provider-
|
|
7
|
+
* prefix shape checks, etc.) should land here so both pattern modules
|
|
8
|
+
* stay in sync.
|
|
9
|
+
*
|
|
10
|
+
* Validators take the matched string and return `true` when the match
|
|
11
|
+
* is structurally plausible. They are NOT exploit checks — they only
|
|
12
|
+
* filter out obvious false positives by parsing the embedded payload.
|
|
13
|
+
*/
|
|
14
|
+
/**
|
|
15
|
+
* Validate that a string looks like a JWT (header.payload.signature
|
|
16
|
+
* with a base64-decodable JSON object header).
|
|
17
|
+
*
|
|
18
|
+
* Used by:
|
|
19
|
+
* - `history-patterns.ts` (`jwt-token` pattern)
|
|
20
|
+
* - `patterns.ts` (`jwt-token` pattern, deprecated in favor of
|
|
21
|
+
* circle-ir's ScanSecretsPass)
|
|
22
|
+
*
|
|
23
|
+
* No signature verification — that requires the public key, which the
|
|
24
|
+
* scanner doesn't have. Header decode is sufficient to discard random
|
|
25
|
+
* base64 strings.
|
|
26
|
+
*/
|
|
27
|
+
export function validateJwtStructure(match) {
|
|
28
|
+
const parts = match.split('.');
|
|
29
|
+
if (parts.length !== 3)
|
|
30
|
+
return false;
|
|
31
|
+
try {
|
|
32
|
+
const header = JSON.parse(atob(parts[0].replace(/-/g, '+').replace(/_/g, '/')));
|
|
33
|
+
return header && typeof header === 'object';
|
|
34
|
+
}
|
|
35
|
+
catch {
|
|
36
|
+
return false;
|
|
37
|
+
}
|
|
38
|
+
}
|
|
39
|
+
/**
|
|
40
|
+
* Validate an OpenAI API key shape (REFACTOR-014).
|
|
41
|
+
*
|
|
42
|
+
* OpenAI keys are `sk-` + 48 alphanumeric chars = 51 total. The
|
|
43
|
+
* `history-patterns.ts` regex `\bsk-[A-Za-z0-9]{48}\b` already enforces
|
|
44
|
+
* length and charset, but the validator adds three explicit guards:
|
|
45
|
+
*
|
|
46
|
+
* 1. Exact length 51 (defense against future regex relaxation).
|
|
47
|
+
* 2. Prefix `sk-` (rules out Stripe `sk_live_...` and a malformed
|
|
48
|
+
* `sk_test_` that might slip past a future pattern split).
|
|
49
|
+
* 3. NOT `sk-ant-` (Anthropic keys also start with `sk-` but are
|
|
50
|
+
* much longer and have hyphens in the tail; if Anthropic ever
|
|
51
|
+
* issued a 51-char short form it would not be an OpenAI key).
|
|
52
|
+
*
|
|
53
|
+
* Cheap (4 string ops). Filters vendored-docs example collisions
|
|
54
|
+
* such as `sk-replaceMeWithYourRealKey...` (51 chars, alphanumeric)
|
|
55
|
+
* which match the regex but are obviously placeholders.
|
|
56
|
+
*/
|
|
57
|
+
export function validateOpenAIKey(match) {
|
|
58
|
+
if (match.length !== 51)
|
|
59
|
+
return false;
|
|
60
|
+
if (!match.startsWith('sk-'))
|
|
61
|
+
return false;
|
|
62
|
+
if (match.startsWith('sk-ant-'))
|
|
63
|
+
return false;
|
|
64
|
+
return true;
|
|
65
|
+
}
|
|
66
|
+
/**
|
|
67
|
+
* Validate a Google Cloud API key shape (REFACTOR-014).
|
|
68
|
+
*
|
|
69
|
+
* GCP API keys are `AIza` + 35 chars from `[A-Za-z0-9_-]` = 39 total.
|
|
70
|
+
* The `history-patterns.ts` regex bound `{35}` already enforces this.
|
|
71
|
+
* The validator codifies the constant so a future pattern edit
|
|
72
|
+
* (e.g. broadening to `{30,40}` by mistake) is caught by tests
|
|
73
|
+
* before shipping, and documents the canonical Google-published
|
|
74
|
+
* shape.
|
|
75
|
+
*/
|
|
76
|
+
export function validateGcpApiKey(match) {
|
|
77
|
+
if (match.length !== 39)
|
|
78
|
+
return false;
|
|
79
|
+
if (!match.startsWith('AIza'))
|
|
80
|
+
return false;
|
|
81
|
+
return true;
|
|
82
|
+
}
|
|
83
|
+
/**
|
|
84
|
+
* Validate an npm access token shape (REFACTOR-014).
|
|
85
|
+
*
|
|
86
|
+
* Real npm tokens are `npm_` + 36 alphanumeric chars = 40 total. The
|
|
87
|
+
* `history-patterns.ts` regex `\bnpm_[A-Za-z0-9]{36}\b` already
|
|
88
|
+
* enforces the tail charset (no `_` in tail). The validator adds an
|
|
89
|
+
* explicit doubled-underscore guard so a future pattern edit that
|
|
90
|
+
* relaxes the tail (e.g. to `[A-Za-z0-9_]`) doesn't silently start
|
|
91
|
+
* matching variable names like `npm__internal_cache_key_42_chars_xx`.
|
|
92
|
+
*/
|
|
93
|
+
export function validateNpmToken(match) {
|
|
94
|
+
if (match.length !== 40)
|
|
95
|
+
return false;
|
|
96
|
+
if (!match.startsWith('npm_'))
|
|
97
|
+
return false;
|
|
98
|
+
// Reject doubled-underscore anywhere in the matched string. Real
|
|
99
|
+
// tokens have exactly one underscore (the `npm_` separator); a
|
|
100
|
+
// doubled `__` strongly suggests a variable name or constant.
|
|
101
|
+
if (match.includes('__'))
|
|
102
|
+
return false;
|
|
103
|
+
return true;
|
|
104
|
+
}
|
|
105
|
+
//# sourceMappingURL=validators.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"validators.js","sourceRoot":"","sources":["../../src/secret-scan/validators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAChD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CACvB,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CACrD,CAAC;QACF,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3C,IAAI,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9C,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,iEAAiE;IACjE,+DAA+D;IAC/D,8DAA8D;IAC9D,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,OAAO,IAAI,CAAC;AACd,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "circle-ir-ai",
|
|
3
|
-
"version": "2.12.
|
|
3
|
+
"version": "2.12.4",
|
|
4
4
|
"description": "LLM-enhanced SAST analysis built on circle-ir",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"module": "dist/index.js",
|
|
@@ -60,6 +60,7 @@
|
|
|
60
60
|
"benchmark:dvna": "tsx benchmarks/runners/run-dvna.ts --verbose",
|
|
61
61
|
"benchmark:top100": "tsx benchmarks/runners/run-top100-secure.ts",
|
|
62
62
|
"benchmark:top100:setup": "tsx benchmarks/runners/run-top100-secure.ts --setup",
|
|
63
|
+
"benchmark:secrets": "tsx benchmarks/runners/run-secrets.ts",
|
|
63
64
|
"setup:skills-benchmark": "tsx benchmarks/skills/setup-skills-benchmark.ts",
|
|
64
65
|
"benchmark:skills": "tsx benchmarks/skills/run-skills-benchmark.ts",
|
|
65
66
|
"benchmark:instruction-safety": "tsx benchmarks/instruction-safety/run-benchmark.ts"
|
|
@@ -94,7 +95,7 @@
|
|
|
94
95
|
"dependencies": {
|
|
95
96
|
"@ax-llm/ax": "^20.0.0",
|
|
96
97
|
"@mastra/core": "^1.18.0",
|
|
97
|
-
"circle-ir": "3.
|
|
98
|
+
"circle-ir": "3.75.0",
|
|
98
99
|
"minimatch": "^10.2.5",
|
|
99
100
|
"p-queue": "^9.1.0"
|
|
100
101
|
},
|