Fix False Positive Secret Detection
The secret scanner's weak signing secret regex produces false critical findings from enum values, JSDoc examples, dev default constants, form field type declarations, and mock methods. Across 48 repos tested, this regex has zero true positives and 23+ false positives. Those false findings propagate into AGENTS.md as duplicated constraint lines and into project-context.md as inflated issue counts. The PostHog `phc_` pattern also flags intentionally-public analytics keys as warnings.
verdict PASSscore 12 / 12findings 5 (0 risk · 1 debt · 4 obs)duration 1h 23mrejection cycles 0shipped May 26, 2026surface cli
Pipeline timeline
Intent to proven code in 1h 23m across Think, Plan, Build, and Verify.
Think11m
Plan6m
Build54m
Verify22m
Assertion ledger
12 claims, each independently verified. Showing 8 — show all →
| ID | Says | Matcher | |
|---|---|---|---|
| A001 | The weak signing secret regex no longer exists in the scanner | verified | ok |
| A002 | PostHog public analytics keys are no longer flagged | verified | ok |
| A003 | AWS documented example key is not flagged as a secret | verified | ok |
| A004 | Real AWS keys are still detected | verified | ok |
| A005 | Database URLs with bracket template passwords are not flagged | verified | ok |
| A006 | Database URLs with short placeholder passwords are not flagged | verified | ok |
| A007 | Database URLs with real credentials are still detected | verified | ok |
| A008 | Enum values like SECRET = secret no longer trigger false findings | verified | ok |
Findings 5 total
debtpackages/cli/tests/commands/commit-hygiene.test.ts→ closed
Vacuously true test — __tests__ exclusion still uses removed phc_ pattern
obspackages/cli/src/engine/findings/rules/secrets.ts→ monitor
Trailing bracket regex broader than [password] intent — matches any lowercase word ending in ]
obspackages/cli/tests/engine/findings/secrets.test.ts→ closed
Dedup assertions test extracted logic, not actual generateAgentsMd code path
obspackages/cli/tests/engine/findings/secrets.test.ts→ closed
@ana tag namespace collision — A001-A007 duplicated from fix-scanner-trust-output cycle
obspackages/cli/tests/engine/findings/secrets.test.ts→ closed
fix-scanner-trust-output-C1 still present — A007 old test asserts 'at least one critical' without verifying both URLs fire
Integrity seal
scopesha256:d9f42b5ecbb57...
contractsha256:b29c1d9ddb1bf...
plansha256:6fb8cabdbcd6a...
specsha256:42f3f0251c7e0...
build-reportsha256:9e2c48e42ab22...
build-datasha256:f788192b77131...
verify-reportsha256:ab5ec0bfa7f5c...
verify-datasha256:a9ddedb148876...
audit cmd$ ana proof audit fix-false-positive-secrets → all hashes match