Release 2.1.0 #9
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| - | - | Generic Password | 1c6b392 | tests/test_secrets_analyzer.py |
| 29427053 | Triggered | Generic Password | 1c6b392 | tests/test_config_analyzer.py |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn the best practices here.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflows and you risk accidentally deleting legitimate data.
To avoid such incidents in the future, consider:
- following these best practices for managing and storing secrets, including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Pull request overview
Release bump to 2.1.0 that extends the scanner/extension with confidence-aware filtering (especially for fixtures/docs), improves analyzer resilience by converting analyzer runtime failures into findings, and expands dependency coverage.
Changes:
- Added `min_confidence` + `include_fixtures` options end-to-end (CLI/bridge/scan + VS Code bridge + docs) and implemented filtering in the scan pipeline.
- Enhanced secrets/PII/config/dependency/json analyzers with better file filtering, reduced false positives, and per-finding confidence metadata.
- Updated SARIF report version to use the package `__version__`, and bumped project/extension versions to 2.1.0.
Reviewed changes
Copilot reviewed 24 out of 25 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| vscode-src/pythonBridge.ts | Passes minimum-confidence and include-fixtures options from VS Code settings into the Python bridge invocation. |
| src/contractguard/scan.py | Adds scan-time filtering by confidence/fixtures and wraps per-analyzer execution to emit runtime-error findings instead of aborting. |
| src/contractguard/reporter.py | Uses contractguard.__version__ for SARIF driver version. |
| src/contractguard/cli.py | Adds --min-confidence / --include-fixtures flags to CLI commands and threads them into run_scan. |
| src/contractguard/bridge.py | Adds bridge flags for minimum confidence + fixture inclusion and threads them into ScanTarget. |
| src/contractguard/analyzers/secrets_analyzer.py | Adds heuristics to reduce false positives, assigns confidence per secret, and marks fixture-path findings low confidence. |
| src/contractguard/analyzers/pii_analyzer.py | Tightens PII matching (context/Luhn), assigns confidence, expands file skipping, and adds per-line findings. |
| src/contractguard/analyzers/json_analyzer.py | Skips common lock/config JSON files and uses global path skipping to reduce noise. |
| src/contractguard/analyzers/file_filters.py | Introduces fixture/source/data/doc classification, inline-ignore markers, large-file skipping, and confidence ordering. |
| src/contractguard/analyzers/dependency_analyzer.py | Adds parsing for pyproject.toml, package.json, and package-lock.json plus an npm advisory DB; removes placeholder CVEs. |
| src/contractguard/analyzers/config_analyzer.py | Adds docker-compose default password detection, improves SSL-disabled detection, and skips large/irrelevant files. |
| src/contractguard/__init__.py | Bumps library version to 2.1.0. |
| README.md | Documents new behaviors/settings at a high level (confidence filtering, runtime isolation, dependency coverage). |
| INSTRUCTIONS.md | Adds examples using the new --min-confidence flag. |
| DEPLOYMENT.md | Updates packaging/runtime notes and highlights new scanner behaviors. |
| CAPABILITIES.md | Updates capability matrix to include confidence filtering, runtime isolation, and dependency coverage. |
| pyproject.toml | Bumps Python package version to 2.1.0. |
| package.json | Bumps extension version, adjusts packaged Python file globs, and adds new VS Code settings (minimumConfidence, includeFixtures). |
| package-lock.json | Bumps lockfile package version and updates dependency versions. |
| tests/test_scan.py | Adds coverage for min-confidence defaults and analyzer runtime-error reporting behavior. |
| tests/test_reporter.py | Asserts SARIF uses __version__. |
| tests/test_secrets_analyzer.py | Adds coverage for new secret heuristics and fixture/doc low-confidence behavior. |
| tests/test_pii_analyzer.py | Adds coverage for new PII false-positive suppression and low-confidence behaviors. |
| tests/test_dependency_analyzer.py | Adds coverage for pyproject/package-lock parsing and removal of placeholder CVEs. |
| tests/test_config_analyzer.py | Adds coverage for compose default password detection and STARTTLS behavior. |
Comments suppressed due to low confidence (1)
INSTRUCTIONS.md:17
- This bridge example shows `--min-confidence` but not `--include-fixtures`; however, fixture/test/doc paths are filtered independently unless `--include-fixtures` is provided. Consider updating the example to demonstrate the intended way to include fixture findings (or add a note explaining both flags).
```powershell
$env:PYTHONPATH = (Resolve-Path .\src).Path
.\.venv\Scripts\python.exe -m contractguard.bridge scan --path . --analyzer all --include-sarif
.\.venv\Scripts\python.exe -m contractguard.bridge scan --path . --analyzer all --min-confidence medium
```
---
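The overview above describes two scan-pipeline changes: filtering findings by a minimum confidence with fixture, test and doc paths handled separately, and turning an analyzer crash into a finding instead of aborting the workspace scan. The following is an added illustration of that design and is not ContractGuard's own code; `Finding`, `run_scan`, `is_fixture_path`, the `RUNTIME001` rule id, the fixture path markers, the toy secret regex and the sample workspace are all assumptions made for the example.

```python
"""Illustrative scan pipeline: confidence-aware filtering with fixture
demotion and per-analyzer runtime isolation.

Added example, not ContractGuard's own code: every name here (Finding,
run_scan, is_fixture_path, the analyzers and the RUNTIME001 rule id) is
hypothetical, and the sample files are constructed for the demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable

# Confidence levels ordered lowest first (assumed three-level scale).
CONFIDENCE_ORDER = {"low": 0, "medium": 1, "high": 2}

# Path fragments treated as fixture/test/doc locations (assumed list).
FIXTURE_MARKERS = ("/tests/", "/test/", "/fixtures/", "/docs/", "/examples/")

# Toy secret heuristic for the demo: a quoted literal assigned to a name
# containing password/passwd/secret.
PASSWORD_RE = re.compile(r'(?i)(password|passwd|secret)\s*=\s*["\']([^"\']{4,})["\']')


@dataclass
class Finding:
    rule_id: str
    path: str
    message: str
    confidence: str = "medium"
    line: int | None = None


Analyzer = Callable[[dict[str, str]], list[Finding]]


def is_fixture_path(path: str) -> bool:
    """True for test/fixture/doc paths, where matches are usually sample data."""
    normalized = "/" + path.replace("\\", "/").lstrip("/")
    return any(marker in normalized for marker in FIXTURE_MARKERS)


def secrets_analyzer(files: dict[str, str]) -> list[Finding]:
    """Per-line secret detection over every file in the workspace map."""
    out: list[Finding] = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            match = PASSWORD_RE.search(line)
            if match:
                out.append(Finding("SEC001", path, f"hardcoded {match.group(1).lower()}",
                                   confidence="high", line=lineno))
    return out


def broken_analyzer(files: dict[str, str]) -> list[Finding]:
    """Stands in for an analyzer with a bug; it must not abort the whole scan."""
    raise KeyError("pii_details")


def run_scan(files: dict[str, str], analyzers: dict[str, Analyzer],
             min_confidence: str = "medium", include_fixtures: bool = False) -> list[Finding]:
    """Run every analyzer, isolating crashes, then apply fixture and confidence filters."""
    if min_confidence not in CONFIDENCE_ORDER:
        raise ValueError(f"unknown confidence level: {min_confidence!r}")
    threshold = CONFIDENCE_ORDER[min_confidence]
    results: list[Finding] = []
    for name, analyzer in analyzers.items():
        try:
            raw = analyzer(files)
        except Exception as exc:  # one analyzer's failure becomes a finding, not an abort
            results.append(Finding("RUNTIME001", ".",
                                   f"analyzer {name!r} raised {type(exc).__name__}: {exc}",
                                   confidence="high"))
            continue
        for finding in raw:
            if is_fixture_path(finding.path):
                if not include_fixtures:
                    continue                  # dropped unless explicitly requested
                finding.confidence = "low"    # kept, but demoted so `medium` still hides it
            if CONFIDENCE_ORDER[finding.confidence] >= threshold:
                results.append(finding)
    return results


# Constructed workspace: one real hit, one test fixture, one doc with nothing.
SAMPLE_FILES = {
    "src/app.py": 'DB_PASSWORD = "hunter2-prod"\n',
    "tests/test_app.py": 'password = "fixture-not-real"\n',
    "README.md": "# App\n",
}

ANALYZERS: dict[str, Analyzer] = {"secrets": secrets_analyzer, "broken": broken_analyzer}


def scan(min_confidence: str = "medium", include_fixtures: bool = False) -> list[Finding]:
    return run_scan(SAMPLE_FILES, ANALYZERS, min_confidence, include_fixtures)


if __name__ == "__main__":
    for mode in (("medium", False), ("low", False), ("low", True)):
        print(mode, [(f.rule_id, f.path, f.confidence) for f in scan(*mode)])
```

Note the two-step handling of fixture paths: they are skipped outright unless fixtures are requested, and even when requested they are demoted to `low`, so a reader has to combine `include_fixtures` with `min_confidence="low"` to see them. The runtime-error finding carries a high confidence on purpose, since a crashing analyzer means coverage was silently lost for the whole workspace.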
| if is_fixture_path(source): | ||
| finding.confidence = "low" | ||
| if facts["pii_details"]: | ||
| findings = [item for item in findings if item.rule_id == "PII004"] |
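Review bot: the `if facts["pii_details"]:` branch keeps only `PII004` items, so every finding with another rule id, including any that the preceding `is_fixture_path` check just demoted to `low`, is discarded whenever per-line details exist. If the per-line PII004 findings are meant to replace the summary findings, say so in a comment next to the filter and add a test in tests/test_pii_analyzer.py asserting that a fixture file with details yields only low-confidence PII004 findings; otherwise keep the non-PII004 items and only append the per-line ones.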
| def _merge_facts(items: list[dict[str, Any]]) -> dict[str, Any]: | ||
| merged = _empty_facts() | ||
| for facts in items: | ||
| merged["vulnerable_count"] += facts["vulnerable_count"] | ||
| merged["total_packages"] += facts["total_packages"] | ||
| merged["unpinned_count"] += facts["unpinned_count"] | ||
| merged["critical_vuln_count"] += facts["critical_vuln_count"] | ||
| merged["vulnerabilities"].extend(facts["vulnerabilities"]) | ||
| merged["has_vulnerable_packages"] = merged["vulnerable_count"] > 0 | ||
| merged["has_unpinned_packages"] = merged["unpinned_count"] > 0 | ||
| return merged | ||
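Review bot: `_merge_facts` adds up `total_packages` and `vulnerable_count` and extends `vulnerabilities` across all inputs, so a package that is declared in both package.json and package-lock.json (both parsed after this change, per the file summary) is counted twice and its advisory appears twice in the merged list. Deduplicate by package name, version and advisory id while extending `merged["vulnerabilities"]` (a `seen` set keyed on that tuple is enough) and derive `vulnerable_count` and `critical_vuln_count` from the deduplicated list. The two `has_*` assignments can also move after the loop, since only the final totals matter.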
|
|
||
|
|
| - `contractguard.rulesDirectory` | ||
| - `contractguard.sqlExplainDatabase` | ||
|
|
||
| ## Notes | ||
|
|
||
| - The extension runs analysis locally. | ||
| - The default minimum confidence is `medium`; use `low` for audit mode when you want sample/test fixtures included. |
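Review bot: the note that `low` is the audit mode "when you want sample/test fixtures included" conflates two independent controls; the suppressed comment above states that fixture/test/doc paths are filtered unless `--include-fixtures` is given, and package.json adds a separate `contractguard.includeFixtures` setting for that. Reword to say that fixture findings need both `contractguard.includeFixtures` and a minimum confidence of `low`, and add `contractguard.minimumConfidence` and `contractguard.includeFixtures` to the settings list next to `contractguard.rulesDirectory` and `contractguard.sqlExplainDatabase`, which is where a user will look for them.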
| ```powershell | ||
| .\.venv\Scripts\python.exe -m contractguard.cli analyze --type all --path . --score | ||
| .\.venv\Scripts\python.exe -m contractguard.cli analyze --type secrets --path . --report-sarif contractguard.sarif | ||
| .\.venv\Scripts\python.exe -m contractguard.cli analyze --type all --path . --min-confidence low --score | ||
| ``` |
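Review bot: the third command passes `--min-confidence low` but not `--include-fixtures`, which cli.py now accepts per the file summary, so the example presented as the broad audit run still omits fixture findings. Add `--include-fixtures` to that line, e.g. `... --min-confidence low --include-fixtures --score`, and note that the first two commands run at the default `medium` so readers understand why fixture hits are absent there.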
|
|
||
| ContractGuard runs its analyzers out of process through `python -m contractguard.bridge`. The extension sets `PYTHONPATH` to its bundled `src/` directory so the engine can run without a separate package install step inside the extension host. | ||
|
|
||
| The 2.0 scanner filters low-confidence fixture findings by default and reports analyzer runtime failures as findings instead of aborting an entire workspace scan. |
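Review bot: "The 2.0 scanner filters low-confidence fixture findings by default and reports analyzer runtime failures as findings" describes behaviour introduced by this PR, which bumps the version to 2.1.0, so the sentence should say 2.1. Related to the `PYTHONPATH` note two paragraphs up: because the extension imports the engine from its bundled `src/`, the packaged Python file globs adjusted in package.json must pick up the new `analyzers/file_filters.py` module, or the bridge import fails only inside the installed extension; worth verifying with a smoke test against the packaged VSIX rather than the source checkout.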
No description provided.