
feat(enrichment): detect Slack enterprise and cookie tokens in secret-scan#3119

Merged
gittensory-orb[bot] merged 1 commit into
JSONbored:mainfrom
bohdansolovie:feat/secret-scan-slack-xoxe
Jul 4, 2026

Conversation

@bohdansolovie

Contributor

Summary

The slack_token rule matched xoxb / xoxp / xoxa / xoxr / xoxs but missed xoxe (enterprise) and xoxc (cookie) tokens, so those credentials went unflagged in PR diffs.

Scope

Extends the type character class from xox[baprs] to xox[baprsec]. Classic bot tokens still match. No value is returned — only kind/confidence/file/line.

Test plan

  • xoxe-… and xoxc-… positives (built from fragments).
  • Classic xoxb-… still flagged.
  • node --test test/secret-scan.test.ts — 23 passed.

No linked issue

Self-contained detection-coverage improvement; no tracking issue. Touches only secret-scan.ts and additive tests.

Made with Cursor

…-scan

The slack_token rule matched xoxb/p/a/r/s but missed xoxe (enterprise) and
xoxc (cookie) tokens, so those credentials went unflagged. Extend the type
character class; classic bot tokens still match.

Co-authored-by: Cursor <cursoragent@cursor.com>
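An added example, not the project's own secret-scan.ts, that reproduces the character-class change described above as a small TypeScript scanner; the names scanPatch, Finding, fixture and leaksValue are assumptions, and the fixture token is constructed from fragments as the test plan describes.

```typescript
// Added example, not the project's secret-scan.ts: a minimal Slack token rule
// showing the character-class change the PR describes, plus a patch scanner
// that reports only kind/confidence/file/line and never the matched value.

interface Finding {
  kind: string;
  confidence: "high" | "medium";
  file: string;
  line: number;
}

// Before the PR: bot (b), user/app (a, p), refresh (r) and session (s) tokens.
const SLACK_TOKEN_BEFORE = /\bxox[baprs]-[A-Za-z0-9-]{10,}/;
// After the PR: also enterprise (e) and cookie (c) tokens.
const SLACK_TOKEN_AFTER = /\bxox[baprsec]-[A-Za-z0-9-]{10,}/;

// Walk a unified diff and test only added lines, tracking new-file line numbers
// from each @@ header so a finding points at the right line.
function scanPatch(patch: string, file: string, rule: RegExp = SLACK_TOKEN_AFTER): Finding[] {
  const findings: Finding[] = [];
  let line = 0;
  for (const raw of patch.split("\n")) {
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)/.exec(raw);
    if (hunk) { line = Number(hunk[1]); continue; }
    if (raw.startsWith("+++") || raw.startsWith("---")) continue; // file headers
    if (raw.startsWith("-")) continue; // removed lines do not advance new-file numbering
    if (raw.startsWith("+") && rule.test(raw.slice(1))) {
      findings.push({ kind: "slack_token", confidence: "high", file, line });
    }
    line++;
  }
  return findings;
}

// Constructed fixture: the token is assembled from fragments so no complete
// token-shaped literal sits in source, the approach the PR's test plan uses.
function fixture(prefix: string): string {
  const body = ["0123456789", "abcdefghij"].join("");
  return ["@@ -1,1 +1,2 @@", " const cfg = {};", `+const t = "${prefix}-${body}";`].join("\n");
}

// Guard that a finding never carries the secret value itself.
function leaksValue(findings: Finding[], patch: string): boolean {
  const serialized = JSON.stringify(findings);
  const token = /xox[a-z]-[A-Za-z0-9-]+/.exec(patch)?.[0] ?? "";
  return token !== "" && serialized.includes(token);
}
```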
@bohdansolovie bohdansolovie requested a review from JSONbored as a code owner July 4, 2026 15:14
@superagent-security superagent-security Bot added the contributor:flagged Contributor flagged for review by trust analysis. label Jul 4, 2026
@superagent-security


🚨 Contributor flagged. Click here for more info: Superagent Dashboard

@superagent-security


Superagent didn't find any vulnerabilities or security issues in this PR.

@gittensory-orb gittensory-orb Bot added the gittensor:feature Gittensor-scored feature linked to a feature issue — scores a 1.25x multiplier. label Jul 4, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 4, 2026


Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-04 15:13:19 UTC

2 files · 1 AI reviewer · no blockers · readiness 73/100 · CI green · clean

⏸️ Suggested Action - Manual Review

Review summary
This is a narrow secret-scan coverage improvement: the Slack token rule now accepts `xoxe-` enterprise and `xoxc-` cookie prefixes while preserving the existing classic token path. The new tests exercise the production `scanPatch` path with fragment-built fixtures, so the detection change is grounded in the actual analyzer behavior and does not expose literal secret-shaped values in source. I do not see a reachable correctness, wiring, or test-quality blocker in this diff.

Nits — 5 non-blocking
  • nit: review-enrichment/test/secret-scan.test.ts:232 asserts `confidence` for `xoxe` but not for the new `xoxc` case, so the paired regression test is slightly asymmetric.
  • nit: review-enrichment/test/secret-scan.test.ts:240 keeps the classic `xoxb` regression to `kind` only; asserting `confidence: "high"` would match the rest of this file's format-specific token coverage.
  • review-enrichment/test/secret-scan.test.ts:232 Add `assert.equal(cookieFindings[0].confidence, "high");` so both newly supported Slack token classes lock the same contract.
  • review-enrichment/test/secret-scan.test.ts:240 Add `assert.equal(findings[0].confidence, "high");` to keep the classic Slack regression aligned with the rule contract.
  • Readiness score is below the configured threshold — Use the readiness panel as advisory maintainer context; the score does not block this PR.
| Signal | Result | Evidence |
|---|---|---|
| Code review | ✅ No blockers | 1 reviewer |
| Linked issue | ⚠️ Missing | No linked issue or no-issue rationale found. |
| Related work | ✅ No active overlap found | No same-issue or scoped active PR overlap found. |
| Change scope | ✅ 20/20 | Low review scope from cached public metadata (no linked issue context). |
| Validation posture | ❌ 5/25 | Preflight is holding this PR: the review lane is unavailable, so it is not ready for automated review. |
| Contributor workload | ✅ 10/10 | Author activity: 151 registered-repo PR(s), 73 merged, 10 issue(s). |
| Contributor context | ✅ Confirmed | Gittensor contributor bohdansolovie; Gittensor profile; 151 PR(s), 10 issue(s). |
| Gate result | ✅ Passing | No configured blocker found. |
Review context
  • Author: bohdansolovie
  • Role context: outside_contributor
  • Public audience mode: oss maintainer
  • Lane context: Repository registration is not available in the local Gittensory cache.
  • Public profile languages: not available
  • Official Gittensor activity: 151 PR(s), 10 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Explain no-issue PR.
  • Await review-lane availability.
  • Refresh registry data or choose a registered active repo.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.


@gittensory-orb gittensory-orb Bot added the gittensor Gittensor contributor context label Jul 4, 2026

@gittensory-orb gittensory-orb Bot left a comment


Gittensory approves — the gate is satisfied and CI is green.

@gittensory-orb gittensory-orb Bot merged commit 2d1a34b into JSONbored:main Jul 4, 2026
6 checks passed

Labels

contributor:flagged Contributor flagged for review by trust analysis. gittensor:feature Gittensor-scored feature linked to a feature issue — scores a 1.25x multiplier. gittensor Gittensor contributor context

1 participant