Skip to content

feat(gitleaks): introduce local secret scanning and redaction using Gitleaks#1

Merged
junit merged 1 commit into
mainfrom
feature/gitleaks
Jul 18, 2026
Merged

feat(gitleaks): introduce local secret scanning and redaction using Gitleaks#1
junit merged 1 commit into
mainfrom
feature/gitleaks

Conversation

@junit

@junit junit commented Jul 18, 2026

Copy link
Copy Markdown
Owner

…itleaks

Summary by CodeRabbit

  • New Features

    • Added optional local secret scanning and redaction for review output, with clear status reporting when unavailable or disabled.
    • Added cross-platform Gitleaks provisioning, integrity checks, and a diagnostic mode.
    • Added self-contained release packages containing required review tools and resources.
  • Bug Fixes

    • Prevented raw secrets from appearing in truncated, split, fallback, or error output.
    • Strengthened review behavior when trusted helper execution is unavailable.
  • Documentation

    • Expanded installation, scanner behavior, configuration, troubleshooting, and evaluation guidance.
    • Added Gitleaks licensing and security configuration documentation.

@coderabbitai

coderabbitai Bot commented Jul 18, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This change adds trusted, optional Gitleaks provisioning and secret redaction across Rust and shell helper paths, introduces installer and release packaging support, expands output-quality evaluation, and updates documentation, skill contracts, CI, and regression tests.

Changes

Secret redaction runtime

Layer / File(s) Summary
Scanner distribution and installation
collect-diff-context-cli/Cargo.toml, collect-diff-context-cli/src/secret_scan.rs, scripts/fetch_gitleaks.sh, scripts/lib/*, install.sh, tests/*gitleaks*
Pinned Gitleaks binaries, SHA-256 manifests, version checks, capability checks, optional installation, diagnostics, and distribution tests are added.
Sanitization runtime integration
collect-diff-context-cli/src/main.rs, scripts/collect_diff_context.sh, tests/secret_gate_test.sh, tests/helper_shadow_mode_test.sh, tests/parity*, tests/control_plane_test.sh
Diffs and captured stdout/stderr are sanitized before truncation or release, with redaction summaries, scanner failure states, fallback handling, and continued-review semantics.
Output evaluation harness
evals/*, docs/gitleaks-quality-evaluation.md
The runner supports --skill-dir and secret-attention recall checks; a comparator produces baseline/current regression reports and is tested for regression, no-regression, and incomplete-response cases.
Workflow and contract updates
.github/workflows/*, SKILL.md, README*, docs/helper-capabilities.md, tests/skill_contract_test.sh, tests/lib/normalize_parity_output.py
CI and release workflows fetch and package scanner binaries, while skill, helper, parity, and user documentation define trusted scope, scanner behavior, and fallback constraints.

Estimated code review effort: 5 (Critical) | ~120 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Helper as collect_diff_context.sh
  participant Sanitizer as collect-diff-context-cli
  participant Gitleaks
  participant Reviewer as Review output

  Helper->>Sanitizer: send captured stdout/stderr
  Sanitizer->>Gitleaks: scan input with trusted config
  Gitleaks-->>Sanitizer: findings or clean report
  Sanitizer-->>Helper: sanitized output and status
  Helper-->>Reviewer: redacted output or continued-review status
Loading
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 15.84% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding local secret scanning and redaction with Gitleaks.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/gitleaks

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@junit junit changed the title feat(gitleaks): introduce local secret scanning and redaction using G… feat(gitleaks): introduce local secret scanning and redaction using Gitleaks Jul 18, 2026
@junit
junit merged commit 9841558 into main Jul 18, 2026
3 of 4 checks passed

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🧹 Nitpick comments (2)
scripts/bin/collect_diff_context-darwin-arm64 (1)

1-1: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add checksum coverage for scripts/bin/collect_diff_context-*.
build_all_binaries.sh and the release workflow ship these artifacts, but there’s no manifest like scripts/gitleaks-binaries.sha256 for consumers to validate them.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/bin/collect_diff_context-darwin-arm64` at line 1, Add a SHA-256
checksum manifest covering every scripts/bin/collect_diff_context-* artifact
shipped by build_all_binaries.sh and the release workflow, following the format
and placement of scripts/gitleaks-binaries.sha256. Ensure all platform binaries
are included so consumers can validate each downloaded artifact.
tests/helper_shadow_mode_test.sh (1)

59-69: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Derive the fake scanner version from the pinned version file.

Hardcoding 8.30.1 makes this test fail whenever scripts/gitleaks.version is updated.

Proposed fix
 fake_gitleaks="$tmp_dir/gitleaks"
-cat >"$fake_gitleaks" <<'EOF'
+gitleaks_version="$(tr -d '[:space:]' < "$repo_root/scripts/gitleaks.version")"
+cat >"$fake_gitleaks" <<EOF
 #!/usr/bin/env bash
 set -euo pipefail
-if [ "${1:-}" = 'version' ]; then
-  printf '%s\n' '8.30.1'
+if [ "\${1:-}" = 'version' ]; then
+  printf '%s\n' '$gitleaks_version'
   exit 0
 fi
 cat >/dev/null
 printf '[]\n'
 EOF
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/helper_shadow_mode_test.sh` around lines 59 - 69, Update the fake
gitleaks script in the test setup to read and return the version from the pinned
scripts/gitleaks.version file instead of hardcoding 8.30.1, while preserving the
existing version-command behavior and scan output.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@collect-diff-context-cli/src/secret_scan.rs`:
- Around line 319-329: The secret-scan pipeline must fail closed after Gitleaks
confirms a finding but redaction fails. In
collect-diff-context-cli/src/secret_scan.rs lines 319-329, update the
RedactionFailed path to withhold or replace the original content; in
scripts/collect_diff_context.sh lines 145-148, stop retaining or releasing input
for a redaction-failed report; and in tests/secret_gate_test.sh lines 390-397,
assert that the confirmed secret is absent.

In `@install.sh`:
- Around line 546-547: Update the Gitleaks setup around
resolve_gitleaks_platform and gitleaks_binary_name so unsupported OS or
architecture does not terminate installation. Defer platform resolution behind
the download-enabled path, or handle failure as an unavailable optional binary,
allowing --no-download and graceful degradation to continue without bundled
redaction.

In `@scripts/fetch_gitleaks.sh`:
- Around line 68-79: Update the platform-detection logic in the script’s mode
dispatch so host OS and architecture resolution occurs only for current-mode
execution. Ensure --all and --platform proceed using their explicit target
values without exiting on an unsupported host platform, while preserving
validation and errors for current mode.
- Around line 87-109: Update the download function’s curl and wget invocations
to enforce a single overall download timeout, covering stalled response bodies
as well as connection setup. Add the corresponding timeout option to every curl
mode and each wget progress-mode branch, preserving the existing progress and
output behavior.

In `@scripts/lib/gitleaks_integrity.sh`:
- Around line 54-94: Update gitleaks_smoke_scan so the validated configuration
path remains usable after changing into config_dir: resolve the relative config
path to an absolute path before the subshell invokes the executable, while
preserving absolute paths and existing validation behavior.

In `@tests/lib/normalize_parity_output.py`:
- Around line 15-23: Update the scan-metadata removal loop in
normalize_parity_output.py to stop before a line beginning with “unit_id:”,
preserving that adjacent record as the next output record. In
tests/parity_assets_test.sh lines 51-70, add a scan section immediately followed
by unit_id:, and in lines 88-95, assert the adjacent record remains after
normalization.

---

Nitpick comments:
In `@scripts/bin/collect_diff_context-darwin-arm64`:
- Line 1: Add a SHA-256 checksum manifest covering every
scripts/bin/collect_diff_context-* artifact shipped by build_all_binaries.sh and
the release workflow, following the format and placement of
scripts/gitleaks-binaries.sha256. Ensure all platform binaries are included so
consumers can validate each downloaded artifact.

In `@tests/helper_shadow_mode_test.sh`:
- Around line 59-69: Update the fake gitleaks script in the test setup to read
and return the version from the pinned scripts/gitleaks.version file instead of
hardcoding 8.30.1, while preserving the existing version-command behavior and
scan output.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dc42ecf0-2352-4fc3-97d1-3ace427a7fe2

📥 Commits

Reviewing files that changed from the base of the PR and between 1cad5c9 and 756883f.

⛔ Files ignored due to path filters (2)
  • collect-diff-context-cli/Cargo.lock is excluded by !**/*.lock
  • scripts/bin/collect_diff_context-windows-amd64.exe is excluded by !**/*.exe
📒 Files selected for processing (41)
  • .github/workflows/lint.yml
  • .github/workflows/release.yml
  • .gitignore
  • README.md
  • README.zh-CN.md
  • SKILL.md
  • THIRD_PARTY_LICENSES/gitleaks-LICENSE
  • collect-diff-context-cli/Cargo.toml
  • collect-diff-context-cli/src/main.rs
  • collect-diff-context-cli/src/secret_scan.rs
  • docs/gitleaks-quality-evaluation.md
  • docs/helper-capabilities.md
  • evals/compare_output_eval_quality.sh
  • evals/compare_output_eval_quality_test.sh
  • evals/eval_contract_test.sh
  • evals/output/advanced-output-eval.json
  • evals/output_eval_runner.sh
  • evals/output_eval_runner_test.sh
  • install.sh
  • references/security/gitleaks.toml
  • scripts/bin/collect_diff_context-darwin-amd64
  • scripts/bin/collect_diff_context-darwin-arm64
  • scripts/bin/collect_diff_context-linux-amd64
  • scripts/build_all_binaries.sh
  • scripts/check_gitleaks.sh
  • scripts/collect_diff_context.sh
  • scripts/fetch_gitleaks.sh
  • scripts/gitleaks-assets.sha256
  • scripts/gitleaks-binaries.sha256
  • scripts/gitleaks.version
  • scripts/lib/gitleaks_integrity.sh
  • tests/control_plane_test.sh
  • tests/gitleaks_distribution_test.sh
  • tests/helper_shadow_mode_test.sh
  • tests/install_gitleaks_test.sh
  • tests/install_smoke_test.sh
  • tests/lib/normalize_parity_output.py
  • tests/parity_assets_test.sh
  • tests/parity_golden_test.sh
  • tests/secret_gate_test.sh
  • tests/skill_contract_test.sh
👮 Files not reviewed due to content moderation or server errors (2)
  • scripts/bin/collect_diff_context-darwin-amd64
  • scripts/bin/collect_diff_context-linux-amd64

Comment on lines +319 to +329
Err(error) => {
let status = if error.is_redaction_failure() {
SecretScanStatus::RedactionFailed(error.reason_code())
} else {
SecretScanStatus::Unavailable(error.reason_code())
};
SanitizedOutput {
content: input.to_string(),
redactions: Vec::new(),
status,
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔴 Critical | 🏗️ Heavy lift

Fail closed once Gitleaks has confirmed a finding.

The current cross-layer contract releases original content after redaction fails, exposing a known secret.

  • collect-diff-context-cli/src/secret_scan.rs#L319-L329: withhold or replace content for RedactionFailed.
  • scripts/collect_diff_context.sh#L145-L148: do not retain and release input when the report says redaction-failed.
  • tests/secret_gate_test.sh#L390-L397: require the confirmed secret to be absent.
📍 Affects 3 files
  • collect-diff-context-cli/src/secret_scan.rs#L319-L329 (this comment)
  • scripts/collect_diff_context.sh#L145-L148
  • tests/secret_gate_test.sh#L390-L397
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@collect-diff-context-cli/src/secret_scan.rs` around lines 319 - 329, The
secret-scan pipeline must fail closed after Gitleaks confirms a finding but
redaction fails. In collect-diff-context-cli/src/secret_scan.rs lines 319-329,
update the RedactionFailed path to withhold or replace the original content; in
scripts/collect_diff_context.sh lines 145-148, stop retaining or releasing input
for a redaction-failed report; and in tests/secret_gate_test.sh lines 390-397,
assert that the confirmed secret is absent.

Comment thread install.sh
Comment on lines +546 to +547
gitleaks_platform="$(resolve_gitleaks_platform)"
gitleaks_binary="$(gitleaks_binary_name "$gitleaks_platform")"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Do not make optional Gitleaks platform support a prerequisite for installation.

resolve_gitleaks_platform terminates installation on an unsupported OS/architecture before --no-download or graceful degradation can apply. Installation should continue without bundled redaction on such hosts.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@install.sh` around lines 546 - 547, Update the Gitleaks setup around
resolve_gitleaks_platform and gitleaks_binary_name so unsupported OS or
architecture does not terminate installation. Defer platform resolution behind
the download-enabled path, or handle failure as an unavailable optional binary,
allowing --no-download and graceful degradation to continue without bundled
redaction.

Comment thread scripts/fetch_gitleaks.sh
Comment on lines +68 to +79
case "$(uname -s | tr '[:upper:]' '[:lower:]')" in
darwin) CURRENT_OS='darwin' ;;
linux) CURRENT_OS='linux' ;;
msys*|mingw*|cygwin*) CURRENT_OS='windows' ;;
*) printf 'unsupported operating system\n' >&2; exit 1 ;;
esac

case "$(uname -m)" in
arm64|aarch64) CURRENT_ARCH='arm64' ;;
x86_64|amd64) CURRENT_ARCH='amd64' ;;
*) printf 'unsupported architecture\n' >&2; exit 1 ;;
esac

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Resolve the host platform only in current mode.

--all and --platform are explicit cross-target operations, but an unsupported host OS or architecture exits before either mode runs.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/fetch_gitleaks.sh` around lines 68 - 79, Update the
platform-detection logic in the script’s mode dispatch so host OS and
architecture resolution occurs only for current-mode execution. Ensure --all and
--platform proceed using their explicit target values without exiting on an
unsupported host platform, while preserving validation and errors for current
mode.

Comment thread scripts/fetch_gitleaks.sh
Comment on lines +87 to +109
download() {
local url="$1"
local output="$2"
if command -v curl >/dev/null 2>&1; then
local -a curl_args=(-fL --show-error --retry 5 --retry-all-errors --connect-timeout 15)
if [ "$PROGRESS_MODE" = 'always' ] || { [ "$PROGRESS_MODE" = 'auto' ] && [ -t 2 ]; }; then
curl_args+=(--progress-bar)
else
curl_args+=(--silent)
fi
curl "${curl_args[@]}" "$url" -o "$output"
elif command -v wget >/dev/null 2>&1; then
case "$PROGRESS_MODE" in
always) wget --progress=bar:force:noscroll -O "$output" "$url" ;;
auto)
if [ -t 2 ]; then
wget -O "$output" "$url"
else
wget -qO "$output" "$url"
fi
;;
never) wget -qO "$output" "$url" ;;
esac

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Add an overall download timeout.

The connection timeout does not bound a stalled response body, and the wget path has no timeout at all. A network stall can hang installation or release staging indefinitely.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/fetch_gitleaks.sh` around lines 87 - 109, Update the download
function’s curl and wget invocations to enforce a single overall download
timeout, covering stalled response bodies as well as connection setup. Add the
corresponding timeout option to every curl mode and each wget progress-mode
branch, preserving the existing progress and output behavior.

Comment on lines +54 to +94
gitleaks_smoke_scan() {
local executable="$1"
local config="$2"
local tmp_dir
local report_file
local error_file
local config_dir
local compact_report

[ -x "$executable" ] && [ -f "$config" ] || return 1
tmp_dir="$(mktemp -d)" || return 1
report_file="$tmp_dir/report.json"
error_file="$tmp_dir/error.log"
config_dir="$(CDPATH='' cd -- "$(dirname -- "$config")" && pwd -P)" || {
rm -rf "$tmp_dir"
return 1
}

if ! (
cd "$config_dir"
printf '' | "$executable" \
--config "$config" \
--ignore-gitleaks-allow \
--redact=100 \
--exit-code=42 \
--no-banner \
--no-color \
--log-level=error \
--max-decode-depth=5 \
--report-format=json \
--report-path=- \
stdin > "$report_file" 2> "$error_file"
); then
rm -rf "$tmp_dir"
return 1
fi

compact_report="$(tr -d '[:space:]' < "$report_file")"
rm -rf "$tmp_dir"
[ "$compact_report" = '[]' ]
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Preserve relative configuration overrides during the smoke scan.

A relative PRE_COMMIT_REVIEW_GITLEAKS_CONFIG can pass Line 63, but after changing directories, Line 75 resolves it relative to config_dir again and rejects an otherwise valid configuration.

Proposed fix
   local config_dir
+  local config_file
   local compact_report

   [ -x "$executable" ] && [ -f "$config" ] || return 1
   tmp_dir="$(mktemp -d)" || return 1
   report_file="$tmp_dir/report.json"
   error_file="$tmp_dir/error.log"
   config_dir="$(CDPATH='' cd -- "$(dirname -- "$config")" && pwd -P)" || {
     rm -rf "$tmp_dir"
     return 1
   }
+  config_file="$config_dir/$(basename -- "$config")"

   if ! (
     cd "$config_dir"
     printf '' | "$executable" \
-      --config "$config" \
+      --config "$config_file" \
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
gitleaks_smoke_scan() {
local executable="$1"
local config="$2"
local tmp_dir
local report_file
local error_file
local config_dir
local compact_report
[ -x "$executable" ] && [ -f "$config" ] || return 1
tmp_dir="$(mktemp -d)" || return 1
report_file="$tmp_dir/report.json"
error_file="$tmp_dir/error.log"
config_dir="$(CDPATH='' cd -- "$(dirname -- "$config")" && pwd -P)" || {
rm -rf "$tmp_dir"
return 1
}
if ! (
cd "$config_dir"
printf '' | "$executable" \
--config "$config" \
--ignore-gitleaks-allow \
--redact=100 \
--exit-code=42 \
--no-banner \
--no-color \
--log-level=error \
--max-decode-depth=5 \
--report-format=json \
--report-path=- \
stdin > "$report_file" 2> "$error_file"
); then
rm -rf "$tmp_dir"
return 1
fi
compact_report="$(tr -d '[:space:]' < "$report_file")"
rm -rf "$tmp_dir"
[ "$compact_report" = '[]' ]
}
gitleaks_smoke_scan() {
local executable="$1"
local config="$2"
local tmp_dir
local report_file
local error_file
local config_dir
local config_file
local compact_report
[ -x "$executable" ] && [ -f "$config" ] || return 1
tmp_dir="$(mktemp -d)" || return 1
report_file="$tmp_dir/report.json"
error_file="$tmp_dir/error.log"
config_dir="$(CDPATH='' cd -- "$(dirname -- "$config")" && pwd -P)" || {
rm -rf "$tmp_dir"
return 1
}
config_file="$config_dir/$(basename -- "$config")"
if ! (
cd "$config_dir"
printf '' | "$executable" \
--config "$config_file" \
--ignore-gitleaks-allow \
--redact=100 \
--exit-code=42 \
--no-banner \
--no-color \
--log-level=error \
--max-decode-depth=5 \
--report-format=json \
--report-path=- \
stdin > "$report_file" 2> "$error_file"
); then
rm -rf "$tmp_dir"
return 1
fi
compact_report="$(tr -d '[:space:]' < "$report_file")"
rm -rf "$tmp_dir"
[ "$compact_report" = '[]' ]
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/lib/gitleaks_integrity.sh` around lines 54 - 94, Update
gitleaks_smoke_scan so the validated configuration path remains usable after
changing into config_dir: resolve the relative config path to an absolute path
before the subshell invokes the executable, while preserving absolute paths and
existing validation behavior.

Comment on lines +15 to +23
index += 1
while index < len(lines):
line = lines[index]
if line.strip() == "":
index += 1
break
if line.lstrip().startswith("#"):
break
index += 1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Preserve adjacent split-preview records when removing scan metadata.

  • tests/lib/normalize_parity_output.py#L15-L23: treat unit_id: as the start of the next output record.
  • tests/parity_assets_test.sh#L51-L70: add a scan section followed immediately by unit_id:.
  • tests/parity_assets_test.sh#L88-L95: assert the adjacent record remains after normalization.
📍 Affects 2 files
  • tests/lib/normalize_parity_output.py#L15-L23 (this comment)
  • tests/parity_assets_test.sh#L51-L70
  • tests/parity_assets_test.sh#L88-L95
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/lib/normalize_parity_output.py` around lines 15 - 23, Update the
scan-metadata removal loop in normalize_parity_output.py to stop before a line
beginning with “unit_id:”, preserving that adjacent record as the next output
record. In tests/parity_assets_test.sh lines 51-70, add a scan section
immediately followed by unit_id:, and in lines 88-95, assert the adjacent record
remains after normalization.

@junit
junit deleted the feature/gitleaks branch July 18, 2026 15:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant