
KyZN: fix HIGH+MEDIUM+LOW findings (20260326-103634-09e6556b) #1

Merged
bokiko merged 4 commits into main from kyzn/20260326-analyze-fix-09e6556b
Mar 26, 2026

Conversation

bokiko (Owner) commented Mar 26, 2026

Analysis Fixes

Applied fixes for findings at severity LOW and above.

Run ID: 20260326-103634-09e6556b
Cost: $2.93
Batches: 3 applied (HIGH → MEDIUM → LOW), 0 failed, 0 skipped
Diff: 1164 lines

Changes

 gitshield/cli.py       |  48 +++-
 gitshield/config.py    |  17 +-
 gitshield/db.py        |  53 ++--
 gitshield/engine.py    |  52 ++--
 gitshield/formatter.py |  28 +-
 gitshield/hook.py      |   3 +-
 gitshield/models.py    |  31 +++
 gitshield/monitor.py   |  11 +-
 gitshield/notifier.py  |  19 +-
 gitshield/scanner.py   |  41 +--
 tests/test_db.py       | 156 +++++++++++
 uv.lock                | 705 +++++++++++++++++++++++++++++++++++++++++++++++++
 12 files changed, 1046 insertions(+), 118 deletions(-)

What Was Fixed

HIGH: 8/8 passed on CLI tests too. Full suite is clean: 66/66 tests passing across all test files.

MEDIUM: All 66 tests pass. Here's a summary of every fix:


SEC-002 — Path traversal in _scan_staged

  • engine.py:291 — Resolve file_path and check is_relative_to(root) before scanning; skip any path that escapes the repo root.

SEC-003 — GitHub API URL path injection in patrol

  • cli.py — Added import re; after splitting owner/name, validate both components against ^[A-Za-z0-9._-]+$ and exit 1 if invalid.

SEC-004 — TOCTOU race in gitleaks temp file

  • scanner.py:33-34 — Replaced NamedTemporaryFile(delete=False) with tempfile.mkdtemp() creating a private directory (mode 0o700). finally block now calls shutil.rmtree(tmp_dir) instead of unlink.

BUG-003 — macOS /tmp symlink crash in clone_and_scan

  • monitor.py:152 — Wrapped mkdtemp() result with Path(...).resolve() so relative_to() works on both Linux and macOS.

BUG-004 — init silently overwrites existing config

  • config.py:193 — create_default_config now raises FileExistsError if the file exists and force=False.
  • cli.py:init — Added --force flag; catches FileExistsError and exits with error message.

BUG-005 — DB connection leaks (already fixed in previous run — singleton pattern was in place)

PERF-003 — N+1 DB queries in notify()

  • db.py — Added get_notified_fingerprints(repo_url, fingerprints) -> Set[str] using a single IN (...) query.
  • notifier.py:notify() — Replaced per-finding was_notified() loop with one call to get_notified_fingerprints.

PERF-004 — Entropy computed unconditionally

  • engine.py:150 — Patterns without entropy_threshold now set ent = 0.0 (skipping the entropy() call) unless a config_threshold is provided.

ARCH-004 — Entropy threshold config dead code

  • engine.py:scan_text — Added optional config_threshold: float = None parameter; used as entropy floor for patterns without their own threshold.
  • engine.py:scan_content — Passes config_threshold through to scan_text.

ARCH-005 — Duplicated get_github_token()

  • config.py — Added canonical get_github_token() function (imports os).
  • monitor.py — Removed local definition; now imports from .config.
  • notifier.py — Removed local definition; now imports from .config.

LOW: All 66 tests pass. Here's a summary of the changes:


PERF-005 — gitshield/scanner.py

  • Added gitleaks_path: Optional[str] = None parameter to _scan_with_gitleaks
  • Changed its internals to use gitleaks_path or _has_gitleaks() — skips the second shutil.which when path is already provided
  • In scan_path, stored _has_gitleaks() result in gitleaks_bin and passed it through to _scan_with_gitleaks(... gitleaks_path=gitleaks_bin) — one PATH search per scan instead of two

DEAD-001 — gitshield/formatter.py

  • Refactored print_json to call format_findings_json internally (print(format_findings_json(findings))), eliminating the duplicated list comprehension + json.dumps logic
  • format_findings_json is now the canonical implementation; print_json delegates to it

Approach

Findings were batched by severity tier (CRITICAL → HIGH → MEDIUM → LOW).
Each batch was verified and committed independently — if a batch broke tests,
self-repair was attempted. Failed batches were reverted to protect passing code.
Diff budget was tracked incrementally to prevent waste.


Generated by KyZN — autonomous code improvement
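The three security findings in the description (SEC-002 repo-root containment, SEC-003 owner/name validation, SEC-004 private temp directory) can be shown in stand-alone form. The block below is an added example written for this page, not gitshield's own code; the function names, the repo root and the sample inputs are constructed. It also adds one check the PR's regex alone does not make: it rejects the components "." and "..", which match ^[A-Za-z0-9._-]+$ but are still path-significant.

```python
"""Added example (not gitshield's code): hardening patterns named in the PR
description for SEC-002, SEC-003 and SEC-004. Names and inputs are constructed."""
import re
import shutil
import tempfile
from contextlib import contextmanager
from pathlib import Path
from typing import Iterator, Optional, Tuple, Union

# SEC-003: allowed characters for the owner and name parts of a GitHub slug.
# Constraining them means a component can never alter the API URL path.
_REPO_COMPONENT = re.compile(r"^[A-Za-z0-9._-]+$")


def resolve_staged_path(root: Union[str, Path], file_path: str) -> Optional[Path]:
    """SEC-002: resolve a staged path against the repo root and refuse any path
    that escapes it ('..' segments, absolute paths, or a symlink pointing out).
    Returns the resolved path, or None when the file must be skipped."""
    repo_root = Path(root).resolve()
    candidate = (repo_root / file_path).resolve()   # resolve() follows symlinks
    if not candidate.is_relative_to(repo_root):     # Python 3.9+
        return None
    return candidate


def parse_repo_slug(slug: str) -> Optional[Tuple[str, str]]:
    """SEC-003: split 'owner/name' and validate both components before they are
    interpolated into an API URL. Returns None (caller exits 1) when invalid."""
    owner, sep, name = slug.partition("/")
    if not sep or "/" in name:
        return None
    for part in (owner, name):
        if not _REPO_COMPONENT.match(part):
            return None
        if part in (".", ".."):   # added check: allowed by the regex, path-significant
            return None
    return owner, name


@contextmanager
def private_tempdir() -> Iterator[Path]:
    """SEC-004: a per-scan private directory (mkdtemp creates it mode 0o700)
    instead of a NamedTemporaryFile(delete=False) whose name could be observed
    and reused between creation and use. Cleaned up with rmtree, as in the PR."""
    tmp_dir = Path(tempfile.mkdtemp()).resolve()   # resolve(): macOS /tmp symlink (BUG-003)
    try:
        yield tmp_dir
    finally:
        shutil.rmtree(tmp_dir, ignore_errors=True)


def scan_in_private_dir(content: bytes) -> dict:
    """End-to-end use of private_tempdir: write the staged content into the
    private directory, 'scan' it (here: count lines) and confirm cleanup."""
    with private_tempdir() as tmp_dir:
        target = tmp_dir / "staged.txt"
        target.write_bytes(content)
        line_count = len(target.read_bytes().splitlines())
    return {"lines": line_count, "tmp_removed": not tmp_dir.exists()}


if __name__ == "__main__":
    print(resolve_staged_path("/tmp/repo", "src/app.py"))     # inside root
    print(resolve_staged_path("/tmp/repo", "../etc/passwd"))   # None: escapes root
    print(parse_repo_slug("octocat/Hello-World"))              # ('octocat', 'Hello-World')
    print(parse_repo_slug("octocat/.."))                       # None
    print(scan_in_private_dir(b"a\nb\nc\n"))
```

The containment check resolves both sides before comparing, so a symlink inside the working tree that points outside it is also skipped; comparing unresolved strings would let that case through.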

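The PERF-003 item replaces a was_notified() call per finding with one IN (...) query. The following added example (not gitshield's db.py or notifier.py; the table schema, column names and sample fingerprints are constructed) shows that pattern with sqlite3, keeping every fingerprint bound as a parameter and chunking the batch so it stays under SQLite's per-statement variable limit.

```python
"""Added example (not gitshield's code): one batched IN (...) lookup for the
PERF-003 pattern. Schema, repo URL and fingerprints are constructed samples."""
import sqlite3
from typing import Iterable, List, Set, Tuple

SCHEMA = """
CREATE TABLE IF NOT EXISTS notifications (
    repo_url    TEXT NOT NULL,
    fingerprint TEXT NOT NULL,
    PRIMARY KEY (repo_url, fingerprint)
);
"""

# SQLite limits bound parameters per statement (999 on builds before 3.32.0),
# so large batches are split into chunks.
_CHUNK = 500


def get_notified_fingerprints(conn: sqlite3.Connection, repo_url: str,
                              fingerprints: Iterable[str]) -> Set[str]:
    """Return the subset of fingerprints already notified for repo_url.
    Placeholders are generated per chunk; the values themselves are always
    bound, never interpolated, so a fingerprint cannot change the query."""
    wanted = list(dict.fromkeys(fingerprints))   # de-duplicate, keep order
    found: Set[str] = set()
    for i in range(0, len(wanted), _CHUNK):
        chunk = wanted[i:i + _CHUNK]
        placeholders = ",".join("?" * len(chunk))
        rows = conn.execute(
            "SELECT fingerprint FROM notifications "
            f"WHERE repo_url = ? AND fingerprint IN ({placeholders})",
            [repo_url, *chunk],
        )
        found.update(r[0] for r in rows)
    return found


def mark_notified(conn: sqlite3.Connection, repo_url: str, fingerprints: Iterable[str]) -> None:
    """Record fingerprints as notified; duplicates are ignored by the primary key."""
    conn.executemany("INSERT OR IGNORE INTO notifications VALUES (?, ?)",
                     [(repo_url, fp) for fp in fingerprints])
    conn.commit()


def notify(conn: sqlite3.Connection, repo_url: str, findings: List[dict]) -> List[dict]:
    """Return only findings not yet notified for this repo: one batched lookup
    instead of one SELECT per finding, then record the fresh ones."""
    seen = get_notified_fingerprints(conn, repo_url, (f["fingerprint"] for f in findings))
    fresh = [f for f in findings if f["fingerprint"] not in seen]
    mark_notified(conn, repo_url, [f["fingerprint"] for f in fresh])
    return fresh


def demo() -> Tuple[int, int, int]:
    """Constructed scenario: first run notifies all 5, second run only the new
    one, and a batch larger than one chunk is looked up correctly."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    repo = "https://github.com/example/repo"   # constructed sample value
    findings = [{"fingerprint": f"fp{i}", "rule": "generic-api-key"} for i in range(5)]
    first = notify(conn, repo, findings)
    second = notify(conn, repo, findings + [{"fingerprint": "fp99", "rule": "generic-api-key"}])
    many = [f"bulk{i}" for i in range(1200)]   # spans three chunks
    mark_notified(conn, repo, many)
    found = get_notified_fingerprints(conn, repo, many + [f"unknown{i}" for i in range(5)])
    return len(first), len(second), len(found)


if __name__ == "__main__":
    print(demo())   # (5, 1, 1200)
```

Chunking is the part most often forgotten when a per-row loop is collapsed into one IN (...) query: a scan that produces more findings than the parameter limit would otherwise fail at the database layer rather than in a test with a handful of rows.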

- Remove hardcoded macOS Python 3.9 path from git hook scripts
- Fix config_threshold type annotation to Optional[float]

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@bokiko bokiko merged commit 1288e29 into main Mar 26, 2026
6 of 7 checks passed
@bokiko bokiko deleted the kyzn/20260326-analyze-fix-09e6556b branch March 29, 2026 04:01