Merged
fproulx-boostsecurity previously approved these changes (Mar 12, 2026)
fproulx-boostsecurity requested changes (Mar 12, 2026)
fproulx-boostsecurity left a comment:
Overall great, except Fingerprint is not salted, need to discuss.
… from the host itself
Pull request overview
Adds first-class fingerprints to findings across the scanning pipeline, enabling stable deduplication/silencing and improving consistency of output. It also introduces a “stable hostname” helper (macOS uses scutil) and propagates a host-derived salt to secret detectors for machine-unique fingerprints.
Changes:
- Add `Finding.Fingerprint` plus hashing helpers in `pkg/models`, and propagate a host-derived `FingerprintSalt` through probes into the detector registry/context.
- Update probes/detectors to populate the new `Fingerprint` field; update reporter deduplication to use it.
- Update docs/examples and add tests for fingerprinting + stable hostname.
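The salted-fingerprint scheme the overview describes, written out as an added illustration (this is not the project's `pkg/models` code; the `Finding` shape, the `HostSalt` derivation from the stable hostname, the HMAC construction and the field set that is hashed are all assumptions standing in for whatever the PR actually implements):

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Finding is a simplified stand-in for the project's finding type (assumed shape).
type Finding struct {
	Detector    string
	Path        string
	Secret      string // only ever hashed into the fingerprint, never reported
	Fingerprint string
}

// HostSalt derives a per-machine salt from the stable hostname, so the same
// secret seen on two different machines yields two different fingerprints
// (assumed derivation; the PR computes its own host salt in the collector).
func HostSalt(stableHostname string) string {
	sum := sha256.Sum256([]byte("fingerprint-salt:" + stableHostname))
	return hex.EncodeToString(sum[:])
}

// Fingerprint keys an HMAC-SHA256 with the host salt over the fields that
// identify a finding. Each field is length-prefixed so that ("a","bc") and
// ("ab","c") cannot produce the same digest.
func Fingerprint(salt string, parts ...string) string {
	mac := hmac.New(sha256.New, []byte(salt))
	for _, p := range parts {
		fmt.Fprintf(mac, "%d:%s|", len(p), p)
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// Dedup keeps the first finding per fingerprint, mirroring reporter-side
// deduplication on the top-level Fingerprint field.
func Dedup(findings []Finding) []Finding {
	seen := make(map[string]bool)
	var out []Finding
	for _, f := range findings {
		if seen[f.Fingerprint] {
			continue
		}
		seen[f.Fingerprint] = true
		out = append(out, f)
	}
	return out
}
```

Because the salt is derived from the hostname, renaming the machine changes every fingerprint, which is why the PR pairs the salt with a "stable hostname" helper.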
Reviewed changes
Copilot reviewed 37 out of 37 changed files in this pull request and generated 12 comments.
| File | Description |
|---|---|
| pkg/sysinfo/hostname_test.go | Adds a basic test for stable hostname retrieval. |
| pkg/sysinfo/hostname_other.go | Implements stable hostname on non-macOS via os.Hostname(). |
| pkg/sysinfo/hostname_darwin.go | Implements stable hostname on macOS via scutil with fallback. |
| pkg/sysinfo/hostname.go | Exposes GetStableHostname and test seams for hostname retrieval. |
| pkg/reporter/reporter_test.go | Updates deduplication tests to use Finding.Fingerprint. |
| pkg/reporter/reporter.go | Switches deduplication logic from metadata fingerprint to top-level Fingerprint. |
| pkg/probe/ssh.go | Adds salt propagation and assigns fingerprints to SSH config/permission findings. |
| pkg/probe/shell_history.go | Adds salt propagation to detector registry. |
| pkg/probe/probe.go | Introduces FingerprintSaltAware probe interface. |
| pkg/probe/npm.go | Adds salt propagation and assigns fingerprints to NPM config findings. |
| pkg/probe/jetbrains.go | Adds salt propagation to detector registry. |
| pkg/probe/git.go | Adds salt propagation and assigns fingerprints to Git config findings. |
| pkg/probe/gh.go | Assigns a fingerprint to the GH auth finding. |
| pkg/probe/env.go | Adds salt propagation to detector registry. |
| pkg/probe/cloud.go | Adds salt propagation to detector registry. |
| pkg/probe/ai_cli.go | Adds salt propagation to detector registry. |
| pkg/models/result_test.go | Adds tests for fingerprinting/salting helpers and host salt format. |
| pkg/models/result.go | Adds fingerprint helpers, detection context salt, and Finding.Fingerprint. |
| pkg/detector/ssh_private_key.go | Moves secret fingerprinting to top-level salted fingerprint. |
| pkg/detector/splunk_token.go | Moves secret fingerprinting to top-level salted fingerprint. |
| pkg/detector/npm_token.go | Moves secret fingerprinting to top-level salted fingerprint. |
| pkg/detector/jwt.go | Moves secret fingerprinting to top-level salted fingerprint. |
| pkg/detector/http_auth.go | Moves secret fingerprinting to top-level salted fingerprint. |
| pkg/detector/github_pat.go | Moves secret fingerprinting to top-level salted fingerprint. |
| pkg/detector/generic_api_key.go | Moves secret fingerprinting to top-level salted fingerprint. |
| pkg/detector/detector.go | Adds registry-level fingerprint salt and injects it into DetectionContext. |
| pkg/detector/cloud_credentials.go | Moves secret fingerprinting to top-level salted fingerprint. |
| pkg/detector/ai_service.go | Moves secret fingerprinting to top-level salted fingerprint. |
| pkg/collector/collector.go | Computes host salt, propagates it to probes, and uses stable hostname. |
| docs/content/probes/ai-cli.md | Updates example output to include top-level fingerprint. |
| docs/content/detectors/ssh-private-key.md | Updates example output to include top-level fingerprint. |
| docs/content/detectors/npm-token.md | Updates example output to include top-level fingerprint. |
| docs/content/detectors/jwt.md | Updates example output to include top-level fingerprint. |
| docs/content/detectors/github-token.md | Updates example output to include top-level fingerprint. |
| docs/content/detectors/generic-api-key.md | Updates example output to include top-level fingerprint. |
| docs/content/detectors/ai-service.md | Updates example output to include top-level fingerprint. |
| docs/content/detectors/_index.md | Updates overview example to use top-level fingerprint. |
Comment on lines +8 to +10:

```go
// GetStableHostname returns a hostname that is stable across network changes.
// On macOS, it uses scutil --get LocalHostName which returns the user-set
// ComputerName rather than the DHCP-assigned name. Falls back to os.Hostname().
```
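Review bot: the doc comment on lines 8-10 says `scutil --get LocalHostName` "returns the user-set ComputerName", but on macOS `ComputerName` and `LocalHostName` are separate scutil keys: `ComputerName` is the display name the user sets in Sharing preferences, while `LocalHostName` is the Bonjour-style name derived from it (sanitized to a valid DNS label) and can be set independently. Either query `scutil --get ComputerName` if that is the value you want, or reword the comment to describe `LocalHostName` accurately, so readers of `GetStableHostname` know which value feeds the fingerprint salt. Since the fingerprints in this PR are salted from this hostname, it is also worth a sentence in the comment stating that renaming the machine changes every fingerprint.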
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Alexis-Maurer Fortin <alexis-maurer.fortin@outlook.com>
Added fingerprints, not just to secret types. This improves output and will allow silencing specific findings as well.