fixyoursecret 0.4.2 → 0.4.3

package/CHANGELOG.md

@@ -2,6 +2,22 @@
 
 All notable changes to this project will be documented in this file.
 
+## [0.4.3] - 2026-03-26
+
+### Improved
+- Further reduced residual generic noise on 500 quick corpus runs.
+  - Better path-segment detection for `test/spec/examples/docs` style locations.
+  - Added targeted generic suppressions for tutorial/audio/base64 and known non-secret artifacts.
+  - Strengthened placeholder suppression in non-production contexts.
+- 500 quick tuning snapshot improved from 51 findings to 38 findings.
+
+### CI/Release
+- Release workflow now publishes a quality summary in job summary and uploads release-quality artifacts.
+- Added release artifact bundle:
+  - `docs/tuning/report-500.json`
+  - `docs/tuning/false-positive-review-500.md`
+  - `docs/tuning/release-quality-summary.json`
+
 ## [0.4.2] - 2026-03-26
 
 ### Fixed

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fixyoursecret",
-  "version": "0.4.2",
+  "version": "0.4.3",
   "description": "CLI tool to detect leaked secrets, frontend exposure, and generate safe fixes.",
   "type": "module",
   "bin": {

package/utils/verifier.js

@@ -75,8 +75,14 @@ export function shouldSkipAsNonSecret(match, snippet = "", filePath = "", hints
   const lowerPath = filePath.toLowerCase();
   const value = String(match.value || "");
   const isNonProdPath = (
-    ["/test/", "/tests/", "/__tests__/", "/fixtures/", "/docs/", "/examples/", "/spec/"]
-      .some((segment) => lowerPath.includes(segment)) ||
+    hasPathSegment(lowerPath, "test") ||
+    hasPathSegment(lowerPath, "tests") ||
+    hasPathSegment(lowerPath, "__tests__") ||
+    hasPathSegment(lowerPath, "fixtures") ||
+    hasPathSegment(lowerPath, "docs") ||
+    hasPathSegment(lowerPath, "examples") ||
+    hasPathSegment(lowerPath, "spec") ||
+    hasPathSegment(lowerPath, "specs") ||
     /\.test\.[a-z0-9]+$/i.test(lowerPath) ||
     /\.spec\.[a-z0-9]+$/i.test(lowerPath)
   );
@@ -98,21 +104,22 @@ export function shouldSkipAsNonSecret(match, snippet = "", filePath = "", hints
   if (
     match.rule === "generic-high-entropy" &&
     [
-      "/test/",
-      "/tests/",
-      "/__tests__/",
-      "/fixtures/",
-      "/docs/",
-      "/spec/",
-      "/bench/",
-      "/benchmark/",
-      "/examples/",
-      "/migrations/",
-      "/generated/",
-      "/api-client/",
-      "/fonts/",
-      "/vendor/"
-    ].some((segment) => lowerPath.includes(segment))
+      "test",
+      "tests",
+      "__tests__",
+      "fixtures",
+      "docs",
+      "spec",
+      "specs",
+      "bench",
+      "benchmark",
+      "examples",
+      "migrations",
+      "generated",
+      "api-client",
+      "fonts",
+      "vendor"
+    ].some((segment) => hasPathSegment(lowerPath, segment))
   ) {
     return true;
   }
@@ -145,7 +152,11 @@ export function shouldSkipAsNonSecret(match, snippet = "", filePath = "", hints
       "apps.googleusercontent.com",
       "downloaded-logs-",
       "webkiformboundary",
-      "gpt-4o-realtime-preview"
+      "gpt-4o-realtime-preview",
+      "audio-16khz-32kbitrate",
+      "toolchain-profile.zip",
+      "gocspx-",
+      "useandom-"
     ];
     if (genericNoiseHints.some((hint) => lowerSnippet.includes(hint))) return true;
   }
@@ -182,3 +193,9 @@ function hasDiversityScore(value, minClasses) {
   ].filter(Boolean).length;
   return classes >= minClasses;
 }
+
+function hasPathSegment(filePath, segment) {
+  const escaped = segment.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  const re = new RegExp(`(?:^|/)${escaped}(?:/|$)`);
+  return re.test(filePath);
+}