Fix false positive secret detection and verbose output extraction (#20)

derekmisler · web-flow · commit eaa2dfa086ee · 2026-01-23T09:10:12.000-05:00
diff --git a/action.yml b/action.yml
@@ -473,6 +473,15 @@ runs:
             tail -n +$((AGENT_LINE + 1)) "$OUTPUT_FILE" | \
               grep -v "^time=" | \
               grep -v "^level=" | \
+              grep -v "^msg=" | \
+              grep -v "^--- Agent:" | \
+              grep -v "^--- Tool:" | \
+              grep -v "^<thinking>" | \
+              grep -v "^</thinking>" | \
+              grep -v "^\[thinking\]" | \
+              grep -v "^\[/thinking\]" | \
+              grep -v "^Thinking:" | \
+              grep -v "^> \[!NOTE\]" | \
               grep -v "For any feedback" | \
               sed '/^$/N;/^\n$/d' > "${OUTPUT_FILE}.clean"
 
@@ -486,6 +495,15 @@ runs:
         else
           grep -v "^time=" "$OUTPUT_FILE" | \
             grep -v "^level=" | \
+            grep -v "^msg=" | \
+            grep -v "^--- Agent:" | \
+            grep -v "^--- Tool:" | \
+            grep -v "^<thinking>" | \
+            grep -v "^</thinking>" | \
+            grep -v "^\[thinking\]" | \
+            grep -v "^\[/thinking\]" | \
+            grep -v "^Thinking:" | \
+            grep -v "^> \[!NOTE\]" | \
             grep -v "For any feedback" > "${OUTPUT_FILE}.clean"
 
           echo "⚠️  No extraction markers found - cleaned metadata only"
diff --git a/security/sanitize-output.sh b/security/sanitize-output.sh
@@ -26,10 +26,31 @@ DETECTED_PATTERNS=()
 
 # Check each pattern
 for pattern in "${SECRET_PATTERNS[@]}"; do
-  if grep -E "$pattern" "$OUTPUT_FILE" > /dev/null 2>&1; then
-    echo "::error::🚨 SECRET LEAK DETECTED: Pattern matched: $pattern"
-    LEAKED=true
-    DETECTED_PATTERNS+=("$pattern")
+  # Find matches for this pattern
+  MATCHES=$(grep -oE "$pattern" "$OUTPUT_FILE" 2>/dev/null || true)
+
+  if [ -n "$MATCHES" ]; then
+    # Verify each match is a real secret, not a regex pattern or code reference
+    while IFS= read -r match; do
+      # Skip if match contains regex metacharacters (it's probably a pattern definition, not a real secret)
+      # Real tokens are alphanumeric only after the prefix
+      if echo "$match" | grep -qE '[\[\]\{\}\(\)\*\+\?\^\$\\]'; then
+        echo "::debug::Skipping false positive (regex pattern): $match"
+        continue
+      fi
+
+      # Skip if match appears within single quotes (quoted regex pattern in code)
+      if grep -qF "'$match'" "$OUTPUT_FILE" 2>/dev/null; then
+        echo "::debug::Skipping false positive (quoted pattern): $match"
+        continue
+      fi
+
+      # This looks like a real secret
+      echo "::error::🚨 SECRET LEAK DETECTED: Pattern matched: $pattern"
+      LEAKED=true
+      DETECTED_PATTERNS+=("$pattern")
+      break  # One match per pattern is enough to flag
+    done <<< "$MATCHES"
   fi
 done
 
diff --git a/tests/test-security.sh b/tests/test-security.sh
@@ -274,6 +274,43 @@ fi
 set -e
 echo ""
 
+# Test 14: sanitize-output.sh - Should NOT flag regex patterns as leaks (false positive prevention)
+echo "Test 14: Regex pattern in output (should NOT flag as leak)"
+cat > test-regex-output.txt <<'EOF'
+Here is the security pattern for GitHub server tokens:
+'ghs_[a-zA-Z0-9]{36}'
+This pattern matches tokens like ghs_ followed by 36 alphanumeric characters.
+EOF
+
+echo "" > "$GITHUB_OUTPUT"
+set +e
+OUTPUT=$($SECURITY_DIR/sanitize-output.sh test-regex-output.txt 2>&1)
+EXIT_CODE=$?
+if [ $EXIT_CODE -eq 0 ] && echo "$OUTPUT" | grep -q "No secrets detected"; then
+  echo "✅ PASSED: Regex pattern not flagged as false positive"
+else
+  echo "❌ FAILED: Regex pattern incorrectly flagged as secret leak"
+  TEST_FAILED=true
+fi
+set -e
+echo ""
+
+# Test 15: sanitize-output.sh - Should still catch real tokens
+echo "Test 15: Real GitHub server token (should flag as leak)"
+# Create a realistic-looking token (ghs_ + 36 alphanumeric chars)
+echo "Token: ghs_abcdefghijklmnopqrstuvwxyz1234567890" > test-real-token.txt
+
+echo "" > "$GITHUB_OUTPUT"
+set +e
+if $SECURITY_DIR/sanitize-output.sh test-real-token.txt 2>&1 | grep -q "SECRET LEAK DETECTED"; then
+  echo "✅ PASSED: Real token detected"
+else
+  echo "❌ FAILED: Real token not detected"
+  TEST_FAILED=true
+fi
+set -e
+echo ""
+
 # Cleanup
 rm -f test-*.diff test-*-clean.diff test-*.txt test-*-output.txt test-output.diff "$GITHUB_OUTPUT"
 
