KyZN: fix HIGH+MEDIUM+LOW findings (20260327-035304-599dbbd1)#2

Merged
bokiko merged 3 commits into main from kyzn/20260327-analyze-fix-599dbbd1 on Mar 27, 2026
Conversation

@bokiko (Owner) commented Mar 27, 2026

Analysis Fixes

Applied fixes for findings at severity LOW and above.

Run ID: 20260327-035304-599dbbd1
Cost: $3.98
Batches: 3 applied (HIGH → MEDIUM → LOW), 0 failed, 0 skipped
Diff: 337 lines

Changes

 gitshield/claude.py           |  10 +--
 gitshield/cli.py              |  11 ++--
 gitshield/config.py           |  62 +++++++++++++++++-
 gitshield/engine.py           | 145 +++++++++++++++++++++++++++++++++---------
 gitshield/formatter.py        |  10 ++-
 gitshield/hook.py             |  17 +++--
 gitshield/models.py           |  14 ++++
 gitshield/monitor.py          |   6 +-
 gitshield/notifier.py         |  18 ++----
 gitshield/scanner.py          |  40 ++++++++++--
 tests/fixtures/secret_file.py |   4 +-
 11 files changed, 266 insertions(+), 71 deletions(-)

What Was Fixed

MEDIUM: All 10 fixes applied. All 66 tests pass.

Summary

| ID | Change | File |
| --- | --- | --- |
| SEC-004 | Path traversal fix: _is_allowed_path now checks Path.parent.parts for exact component match instead of substring containment | hook.py:35-48 |
| SEC-005 | Added timeout=120 to gitleaks subprocess + timeout=30 to _scan_staged, both catch TimeoutExpired | scanner.py:60, engine.py:330 |
| BUG-002 | _should_skip_path now checks path.parent.parts only — .env files no longer silently skipped | engine.py:72 |
| SEC-006 | create_github_issue body now generic (count + rule types only) — no file paths or line numbers leaked | notifier.py:129-155 |
| BUG-003 | uninstall_hook uses setdefault for defensive write — no more KeyError if settings modified externally | claude.py:95-101 |
| SEC-007 | os.chmod(tmp_dir, 0o700) + os.chmod(report_path, 0o600) after mkdtemp | scanner.py:40-67 |
| ARCH-002 | scan_directory now accepts scan_tests param (default True); wired through scan_path and CLI | engine.py:240,287 |
| ARCH-003 | Removed bare except Exception from patrol; narrowed clone_and_scan to except (OSError, ValueError) | cli.py:280-282, monitor.py:180-181 |
| PERF-002 | scan_file now reads file once in rb mode — binary check + decode in single syscall | engine.py:207-222 |
| PERF-003 | _compile_gitignore_patterns pre-compiles via re.compile(fnmatch.translate(...)) once per scan; _matches_any_glob uses lru_cache | engine.py:101-122, config.py:209-215 |

Approach

Findings were batched by severity tier (CRITICAL → HIGH → MEDIUM → LOW).
Each batch was verified and committed independently — if a batch broke tests,
self-repair was attempted. Failed batches were reverted to protect passing code.
Diff budget was tracked incrementally to prevent waste.
Generated by KyZN — autonomous code improvement
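The SEC-004 and BUG-002 rows above share one lesson: compare whole directory components of `Path.parent.parts`, not substrings of the string and not the filename. The following is an added example, not gitshield's own code: the function names, the allow-list and the skip-list are hypothetical, and the explicit rejection of `..` and absolute paths goes beyond what the table describes.

```python
"""Path allow/skip checks on whole directory components, not substrings.

Added example modelled on the SEC-004 / BUG-002 descriptions; the names
below are hypothetical, not gitshield's real functions or lists.
"""
from pathlib import PurePosixPath

ALLOWED_DIRS = frozenset({"tests", "docs"})    # constructed allow-list
# Constructed skip-list: ".env" here means a virtualenv *directory*,
# which is exactly why a secrets *file* called .env must not be caught by it.
SKIP_DIRS = frozenset({"node_modules", ".env"})


def is_allowed_path_substring(path: str) -> bool:
    """Weak form (pre-fix shape): an allowed name anywhere in the string
    passes, so 'attests/x', 'tests_old/x' and 'tests/../secrets/x' all
    slip through."""
    return any(d in path for d in ALLOWED_DIRS)


def is_allowed_path_parts(path: str) -> bool:
    """Hardened form: the path must be relative and traversal-free, and an
    allowed name must appear as a whole component of the parent directory.
    The filename itself never counts."""
    p = PurePosixPath(path)
    if p.is_absolute() or ".." in p.parts:
        return False
    return any(part in ALLOWED_DIRS for part in p.parent.parts)


def should_skip_path_all_parts(path: str) -> bool:
    """Buggy form: tests every component including the filename, so a file
    literally named '.env' is silently dropped from the scan."""
    return any(part in SKIP_DIRS for part in PurePosixPath(path).parts)


def should_skip_path_parent_parts(path: str) -> bool:
    """Fixed form: only the parent directories decide; a top-level .env
    secrets file is scanned, while files under a .env/ venv are skipped."""
    parent = PurePosixPath(path).parent
    return any(part in SKIP_DIRS for part in parent.parts)
```

Paths are treated as POSIX-style relative strings for determinism; a real hook would first normalise the path it receives from git.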

@bokiko bokiko merged commit 828cf7b into main Mar 27, 2026
6 of 7 checks passed
@bokiko bokiko deleted the kyzn/20260327-analyze-fix-599dbbd1 branch March 29, 2026 04:01