Skip to content

Secrets scanning and CI hardening pass#65

Merged
Patel230 merged 4 commits into
mainfrom
feature/wip-20260705
Jul 8, 2026
Merged

Secrets scanning and CI hardening pass#65
Patel230 merged 4 commits into
mainfrom
feature/wip-20260705

Conversation

@Patel230

@Patel230 Patel230 commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Secrets scanning hardening
  • CI workflow updates
  • Update AGENTS.md to the shared hawk-eco extension-authoring format

Test plan

  • go build ./...
  • go vet ./...
  • go test ./...
  • govulncheck ./...

Patel230 added 3 commits July 5, 2026 20:34
- Update AGENTS.md to the shared hawk-eco extension-authoring format
VPBROADCASTB with a general-purpose-register source only has an
AVX-512 (EVEX-encoded) form; the AVX2 (VEX-encoded) form requires an
XMM or memory source operand. hasANSIavx2 and countBytesAVX2 broadcast
directly from a GPR, so despite being gated only on cpu.X86.HasAVX2,
they emitted an AVX-512 instruction that crashes with SIGILL on
AVX2-only hardware (as hit by the fuzz job on GitHub Actions runners).
Stage the byte through an XMM register first to keep both broadcasts
in valid AVX2 form.
A short captured secret value can coincidentally be a substring of a
fixed redaction marker's type label (e.g. captured value "eare" is a
substring of the marker text "[REDACTED:Bearer Token]", since "eare"
is itself a substring of the word "Bearer"). The invariant check was
counting raw substring occurrences across the whole redacted output,
so this coincidence was flagged as the redactor failing to reduce
exposure, when in fact the original occurrence was correctly removed
and the marker text is not a leak of the secret. Strip [REDACTED:...]
markers before counting so only genuinely leaked occurrences count.
@Patel230 Patel230 merged commit c252e12 into main Jul 8, 2026
20 checks passed
@Patel230 Patel230 deleted the feature/wip-20260705 branch July 8, 2026 17:42
Patel230 added a commit that referenced this pull request Jul 11, 2026
* chore: commit wip changes on feature/wip-20260705

* Secrets scanning and CI hardening pass

- Update AGENTS.md to the shared hawk-eco extension-authoring format

* Fix SIGILL crash in AVX2 assembly from illegal EVEX-encoded VPBROADCASTB

VPBROADCASTB with a general-purpose-register source only has an
AVX-512 (EVEX-encoded) form; the AVX2 (VEX-encoded) form requires an
XMM or memory source operand. hasANSIavx2 and countBytesAVX2 broadcast
directly from a GPR, so despite being gated only on cpu.X86.HasAVX2,
they emitted an AVX-512 instruction that crashes with SIGILL on
AVX2-only hardware (as hit by the fuzz job on GitHub Actions runners).
Stage the byte through an XMM register first to keep both broadcasts
in valid AVX2 form.

* Fix FuzzRedactSecrets false positive from marker text self-collision

A short captured secret value can coincidentally be a substring of a
fixed redaction marker's type label (e.g. captured value "eare" is a
substring of the marker text "[REDACTED:Bearer Token]", since "eare"
is itself a substring of the word "Bearer"). The invariant check was
counting raw substring occurrences across the whole redacted output,
so this coincidence was flagged as the redactor failing to reduce
exposure, when in fact the original occurrence was correctly removed
and the marker text is not a leak of the secret. Strip [REDACTED:...]
markers before counting so only genuinely leaked occurrences count.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant