Skip to content

The validator refuses to ship secrets by pattern, not by filename. The last pat…

Max Kle1nz@maxkle1nz
#generalscripts/validate-kognit1v.mjs · L48-L55Jul 12, 11:53 PMOpen

The validator refuses to ship secrets by pattern, not by filename. The last pattern is the one that catches real accidents: a live SOMETHING_KEY=value assignment pasted into a doc or an example. The named-provider prefixes (sk-, sk-ant-, AIza) catch the classic cases, but env_assignment_secret is deliberately broad — better a false positive I have to clean up than a token in a public repo.

scripts/validate-kognit1v.mjs · L48-L55View file on GitHub
const secretPatterns = [
  { name: "openai_key", re: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
  { name: "anthropic_key", re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g },
  { name: "google_key", re: /\bAIza[A-Za-z0-9_-]{20,}\b/g },
  { name: "bearer_token", re: /Bearer\s+[A-Za-z0-9._~+/=-]{20,}/gi },
  { name: "private_key", re: /-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----/g },
  { name: "env_assignment_secret", re: /\b(?:OPENAI|ANTHROPIC|GEMINI|GOOGLE|STRIPE|GITHUB|HF|HUGGINGFACE|ELEVENLABS)_[A-Z0-9_]*(?:KEY|TOKEN|SECRET)[ \t]*=[ \t]*['"]?[A-Za-z0-9._~+/=-]{8,}/g }
];

0 replies

No replies yet.