mirror of
https://github.com/pezkuwichain/pezkuwi-wallet-utils.git
synced 2026-07-09 08:17:31 +00:00
fix: exclude "account" field from hardcoded-private-key scan (false positive)
Every account_overrides.json/chains_for_testBalance.json entry has a 32-byte hex "account" field - a public AccountId32 (Substrate's public account identifier), not a private key. The two share the same byte length/hex format, but are fundamentally different: one is meant to be public (it's literally how you address a chain account), the other must stay secret. The scanner's regex can't tell them apart and flags every single one, which just triggered a false "Possible private key found" failure on PR #33 (the master->main sync). This isn't a one-off - it'll fire on every future sync PR too, since chains_for_testBalance.json always has these fields. Left as "FAILURE" long-term, it trains reviewers to ignore this specific check, which is exactly the alarm-fatigue failure mode that would let a real leaked secret slip through unnoticed.
This commit is contained in:
@@ -60,7 +60,7 @@ jobs:
|
||||
FOUND=0
|
||||
|
||||
echo "Checking for private keys in config files..."
|
||||
if grep -rn --include="*.json" --include="*.py" -E "(0x[a-fA-F0-9]{64}|-----BEGIN.*PRIVATE)" . | grep -v node_modules | grep -v "chainId\|genesisHash\|parentId\|currencyIdScale\|typeAlias\|signedExtensions"; then
|
||||
if grep -rn --include="*.json" --include="*.py" -E "(0x[a-fA-F0-9]{64}|-----BEGIN.*PRIVATE)" . | grep -v node_modules | grep -v "chainId\|genesisHash\|parentId\|currencyIdScale\|typeAlias\|signedExtensions\|\"account\""; then
|
||||
echo "::error::Possible private key found"
|
||||
FOUND=1
|
||||
fi
|
||||
|
||||
Reference in New Issue
Block a user