feat(betterleaks): add placeholder allowlists to org config #31
Conversation
The curl-auth-header rule (329 hits in the May 2026 baseline) is dominated by docs examples using stable placeholder values: YOUR_API_KEY (across city-project API-spec templates), angle-bracket placeholders <your-token>, famous example UUIDs (550e8400-e29b-...), and dev scaffold tokens. Sampled noise rate: ~80%.

Allowlists cover only patterns that cannot accidentally match a real credential:

- YOUR_API_KEY / YOUR-API-KEY / YOUR_TOKEN family
- Angle-bracket placeholders <foo>, <エンドポイントURL>
- Famous example UUIDs (550e8400-e29b-..., 00000000-..., deadbeef-...)
- REPLACE_ME / CHANGEME / PLACEHOLDER / EXAMPLE / FAKE / SAMPLE
- Explicit dev tokens (dev-local-token-please-change, please-change-X)

Real-looking values continue to trip the rule. Detection on the Devise/Rails token format (eyJhY...) and high-entropy random keys is unchanged.
Walkthrough: Added org-wide allowlist configuration.
Changes: Allowlist configuration for placeholder strings.
Actionable comments posted: 3
Prompt for all review comments with AI agents:
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
Inline comments:

In `@betterleaks/default.toml`:

- Line 77: The allowlist entry containing the regex pattern `(?i)\bplease[-_]?(change|update|replace|rotate)\b` is too broad and may suppress real credentials; either remove this pattern entirely or tighten it to require credential context (e.g., require "token|key|secret|password" or explicit words like "token" alongside the please-change phrase) so it only matches placeholder scaffold text; update the pattern in the TOML (the literal pattern string shown) to the constrained form or delete the line and keep the surrounding credential-specific patterns.

- Line 70: Update the regex entry in `betterleaks/default.toml` so the SAMPLE group mirrors EXAMPLE and FAKE by making the suffix group optional: change the part matching `SAMPLE[-_]?(KEY|TOKEN|SECRET)` to include a trailing `?` after the suffix group so it will match standalone "SAMPLE" as well as "SAMPLE_KEY"/"SAMPLE_TOKEN"/"SAMPLE_SECRET"; locate the regex string containing `'''(?i)\b(REPLACE[-_]?ME|CHANGE[-_]?ME|PLACEHOLDER|EXAMPLE[-_]?(KEY|TOKEN|SECRET)?|FAKE[-_]?(KEY|TOKEN|SECRET)?|SAMPLE[-_]?(KEY|TOKEN|SECRET))\b'''` and add the missing `?` for the SAMPLE suffix group.

- Line 56: The regex in the angle-bracket allowlist uses Unicode property escapes (`\p{Han}\p{Hiragana}\p{Katakana}`) which Go's regexp engine doesn't support; replace those property classes in the pattern string `'''<[A-Za-z\p{Han}\p{Hiragana}\p{Katakana}][^>]{1,60}>'''` with explicit Unicode escape ranges for Hiragana, Katakana and Han (e.g., use `\u3040-\u309F`, `\u30A0-\u30FF`, `\u4E00-\u9FFF`) so the pattern compiles and matches the intended characters in Betterleaks' Go regex engine.
Review info
Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: e5fc6c10-80e3-4c61-b4e2-221b78438b6d
Files selected for processing (1): betterleaks/default.toml
Three fixes from #31 review:

1. Replace `\p{Han}\p{Hiragana}\p{Katakana}` with explicit `\x{...}` Unicode escape ranges. While Go's RE2 does accept `\p{...}` for Unicode scripts, explicit ranges are clearer for readers and match betterleaks' lower-bound regex feature set.
2. Add the missing `?` after `SAMPLE[-_]?(KEY|TOKEN|SECRET)` so the group is consistent with EXAMPLE and FAKE (matches bare "SAMPLE").
3. Drop the standalone `please[-_]?(change|update|replace|rotate)` pattern from the dev-scaffold allowlist. It lacked credential context and could plausibly suppress real secrets whose value contained the phrase. The remaining patterns on lines 76 and 78 already cover `dev-local-token-please-change` and the `(test|sample|dummy|dev|stub)[-_]?(token|key|secret|password)` shapes.
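The three review points above (script escapes, the SAMPLE suffix group, the dropped please-change pattern) and the PR description's claim that real-looking values keep tripping the rule can all be checked with a small harness. The Go program below is an added example, not betterleaks' code or config: it compiles the allowlist regexes quoted in this thread plus constructed approximations of the families the description only names (the YOUR_API_KEY family, example-UUID prefixes, the literal dev scaffold token), and assumes, for illustration, that allowlist regexes are applied to the candidate secret value. All sample values are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Allowlist patterns. Entries marked "from PR" are quoted from this thread;
// entries marked "constructed" approximate families the PR description names
// and are NOT betterleaks' actual default.toml content.
var allowlist = []*regexp.Regexp{
	// from PR: angle-bracket placeholders, explicit script ranges as adopted in the reply
	regexp.MustCompile(`<[A-Za-z\x{3040}-\x{309F}\x{30A0}-\x{30FF}\x{4E00}-\x{9FFF}][^>]{1,60}>`),
	// from PR: REPLACE_ME family, with the missing ? added after the SAMPLE suffix group
	regexp.MustCompile(`(?i)\b(REPLACE[-_]?ME|CHANGE[-_]?ME|PLACEHOLDER|EXAMPLE[-_]?(KEY|TOKEN|SECRET)?|FAKE[-_]?(KEY|TOKEN|SECRET)?|SAMPLE[-_]?(KEY|TOKEN|SECRET)?)\b`),
	// from PR (reply): dev scaffold token shapes that carry credential context
	regexp.MustCompile(`(?i)\b(test|sample|dummy|dev|stub)[-_]?(token|key|secret|password)\b`),
	// constructed: the literal scaffold token the PR description lists
	regexp.MustCompile(`(?i)\bdev-local-token-please-change\b`),
	// constructed: YOUR_API_KEY / YOUR-API-KEY / YOUR_TOKEN family
	regexp.MustCompile(`(?i)\bYOUR[-_]?(API[-_]?KEY|TOKEN|SECRET)\b`),
	// constructed: well-known example UUID prefixes named in the description
	regexp.MustCompile(`(?i)\b(550e8400-e29b|00000000-0000|deadbeef)-[0-9a-f-]+\b`),
}

// from PR: the standalone pattern dropped in the reply because it lacks credential context
var droppedPleaseChange = regexp.MustCompile(`(?i)\bplease[-_]?(change|update|replace|rotate)\b`)

// from PR: the SAMPLE group as originally submitted (no ? after the suffix group)
var sampleBeforeFix = regexp.MustCompile(`(?i)\bSAMPLE[-_]?(KEY|TOKEN|SECRET)\b`)

// IsAllowlisted reports whether a candidate secret value hits any allowlist regex.
// Assumption: the scanner applies allowlist regexes to the matched value.
func IsAllowlisted(value string) bool {
	for _, re := range allowlist {
		if re.MatchString(value) {
			return true
		}
	}
	return false
}

// WouldDroppedPatternSuppress shows what the removed pattern would have hidden.
func WouldDroppedPatternSuppress(value string) bool {
	return droppedPleaseChange.MatchString(value)
}

// SampleFix returns (before, after): whether the SAMPLE entry matched the value
// before and after the trailing ? was added.
func SampleFix(value string) (bool, bool) {
	return sampleBeforeFix.MatchString(value), allowlist[1].MatchString(value)
}

// ScriptFormsAgree compiles the original \p{...} form (which Go's regexp does
// accept) beside the explicit-range form and reports whether they agree on value.
func ScriptFormsAgree(value string) bool {
	prop := regexp.MustCompile(`<[A-Za-z\p{Han}\p{Hiragana}\p{Katakana}][^>]{1,60}>`)
	return prop.MatchString(value) == allowlist[0].MatchString(value)
}

func main() {
	samples := []string{ // all constructed
		"YOUR_API_KEY",
		"<your-token>",
		"<エンドポイントURL>",
		"550e8400-e29b-0000-0000-000000000000",
		"SAMPLE",
		"dev-local-token-please-change",
		"token-please-rotate-9xq2",         // real-looking value containing the phrase
		"eyJhY2Nlc3MiOiJjb25zdHJ1Y3RlZCJ9", // Devise/Rails-style prefix, must stay detected
	}
	for _, s := range samples {
		fmt.Printf("%-40s allowlisted=%-5v dropped-pattern-would-suppress=%v\n",
			s, IsAllowlisted(s), WouldDroppedPatternSuppress(s))
	}
}
```

Running it shows the placeholder samples allowlisted, the two real-looking values still reaching detection, and that only the dropped pattern would have suppressed `token-please-rotate-9xq2`. `ScriptFormsAgree` is the check to keep around if the config is ever consumed by a regex engine with a smaller feature set than Go's RE2.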
Summary
Adds five `[[allowlists]]` blocks to `betterleaks/default.toml` so common docs-placeholder patterns no longer trip the targeted rules (mainly `curl-auth-header` and `curl-auth-user`).
Sample analysis on the May 2026 baseline
Out of 10 `curl-auth-header` findings sampled across distinct repos, 8 were unmistakable placeholders:
The 2 real-looking ones remain detected; they'll be in the per-repo issues we open next.
Patterns added
Conservative — every regex is constrained so it cannot match a real credential:
Test plan
Summary by CodeRabbit