9 changes: 9 additions & 0 deletions src/cli.test.ts
Expand Up @@ -110,6 +110,15 @@ describe('cli', () => {
expect(result).not.toContain('ghp_');
});

it('should redact stateless GitHub app installation tokens', () => {
const token = `ghs_${'A'.repeat(170)}.${'b'.repeat(170)}-${'c'.repeat(170)}_${'d'.repeat(170)}`;
const command = `echo ${token}`;
const result = redactSecrets(command);

expect(result).toBe('echo ***REDACTED***');
expect(result).not.toContain(token);
});
yeah, this was my mistake.


it('should redact multiple secrets in one command', () => {
const command = 'GITHUB_TOKEN=ghp_token API_KEY=secret curl -H "Authorization: Bearer ghp_bearer"';
const result = redactSecrets(command);
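Review bot: The new case at lines 28–35 only exercises the long stateless form, so nothing pins how the widened character class treats a classic 36-character `ghs_` token that is followed by punctuation, where a trailing `.` or `-` now becomes part of the match with the pattern this PR puts in src/redact-secrets.ts. A one-line case such as `expect(redactSecrets('echo ghs_' + 'a'.repeat(36) + '.')).toBe('echo ***REDACTED***');` would document that over-matching there is intended rather than accidental. The second assertion, `expect(result).not.toContain(token)`, is already implied by the preceding `toBe` and could be dropped. The enclosing `describe('cli', …)` block starts and ends outside the hunk.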
10 changes: 9 additions & 1 deletion src/dlp.test.ts
Expand Up @@ -52,7 +52,15 @@ describe('DLP Patterns', () => {
const matchingRegexes = findMatchingDlpRegexes(
'https://api.example.com/?key=ghs_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij'
);
expect(matchingRegexes).toContain('ghs_[a-zA-Z0-9]{36}');
expect(matchingRegexes).toContain('ghs_[A-Za-z0-9._-]{36,}');
});

it('should detect stateless GitHub App installation token (ghs_ JWT format)', () => {
const jwtLikeToken = `ghs_${'A'.repeat(170)}.${'b'.repeat(170)}-${'c'.repeat(170)}_${'d'.repeat(170)}`;
const matchingRegexes = findMatchingDlpRegexes(
`https://api.example.com/?key=${jwtLikeToken}`
);
expect(matchingRegexes).toContain('ghs_[A-Za-z0-9._-]{36,}');
});

it('should detect GitHub App user-to-server token (ghu_)', () => {
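Review bot: The test name on line 62 calls the fixture a "ghs_ JWT format" token, but the value built on line 63 joins four segments with `.`, `-` and `_`, whereas a JWT is three base64url segments separated by two dots; the fixture is really a coverage check for every separator the widened class accepts. A comment above line 63 such as `// not a real JWT: one segment per separator the widened character class accepts` (or renaming the case to 'stateless ghs_ token with . - _ separators') would stop a reader from treating it as a format specification. The same fixture literal is duplicated in src/cli.test.ts; a shared helper would keep the two in step if the class changes again.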
2 changes: 1 addition & 1 deletion src/dlp.ts
Expand Up @@ -52,7 +52,7 @@ const DLP_PATTERNS: DlpPattern[] = [
{
name: 'GitHub App Installation Token',
description: 'GitHub App installation access token (ghs_)',
regex: 'ghs_[a-zA-Z0-9]{36}',
regex: 'ghs_[A-Za-z0-9._-]{36,}',
},
{
name: 'GitHub App User-to-Server Token',
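Review bot: The description on line 77 still reads 'GitHub App installation access token (ghs_)' while the regex on line 79 is widened to `[A-Za-z0-9._-]{36,}` specifically so the stateless form is caught, so nothing in the pattern record explains why this entry's class and open-ended length differ from the neighbouring ones. Updating it to `description: 'GitHub App installation access token (ghs_), classic or stateless (long, ./-/_-separated) form'` would record the intent next to the regex. The DLP_PATTERNS array starts and ends outside the hunk.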
2 changes: 1 addition & 1 deletion src/redact-secrets.ts
Expand Up @@ -10,5 +10,5 @@ export function redactSecrets(command: string): string {
// Redact tokens in environment variables (TOKEN, SECRET, PASSWORD, KEY, API_KEY, etc)
.replace(/(\w*(?:TOKEN|SECRET|PASSWORD|KEY|AUTH)\w*)=(\S+)/gi, '$1=***REDACTED***')
// Redact GitHub tokens (ghp_, gho_, ghu_, ghs_, ghr_)
.replace(/\b(gh[pousr]_[a-zA-Z0-9]{36,255})/g, '***REDACTED***');
.replace(/\b(gh[pousr]_[A-Za-z0-9._-]{36,})/g, '***REDACTED***');
}
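Review bot: The comment on line 90 does not say why line 92 drops the `{36,255}` upper bound and admits `.`, `-` and `_` for all five prefixes rather than only `ghs_`, so a later maintainer is likely to "tighten" it back and reopen the leak. A comment such as `// Open-ended length and ./-/_ in the class cover stateless ghs_ tokens (several hundred chars, separator-delimited); trailing punctuation is absorbed, which errs toward redacting` would preserve that. Because `.` is now in the class, a token that ends a sentence takes the period with it — harmless for redaction output, but worth stating next to the pattern. The function redactSecrets starts before the hunk.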