157dbbb9eb
## Phase 8: Enterprise Extractor Improvements ✅ - 14 security extractors (TLS, JWT, SQL injection, XSS, etc.) - 10 framework-specific extractors (Spring, Django, Rails, etc.) - Config file security detection (YAML, TOML) ## Phase 9: Autonomous Extractor Generation ✅ - Shadow mode executor with TP/FP tracking - Graduation pipeline with confidence thresholds - Auto-rollback on regression detection - Cross-project pattern syncing ## UAT Suite Complete (14 scripts, 90 tests) - test-core-detection.sh (6 tests) - test-declarative-extractors.sh (5 tests) - test-domain-frameworks.sh (5 tests) - test-domain-unreal.sh (3 tests) - test-llm-extraction.sh (6 tests) - test-eval-harness.sh (5 tests) - test-cross-language.sh (3 tests) - test-precommit-performance.sh (4 tests) - test-output-formats.sh (8 tests) - test-drift-detection.sh (6 tests) - test-exit-codes.sh (12 tests) + 3 more scripts ## Other Changes - Updated roadmap to mark Phase 8-9 complete - Added .gitignore entries for build artifacts - Updated pre-commit: 800 line limit, exclude tests/data/cmd Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
51 lines
1.4 KiB
TOML
51 lines
1.4 KiB
TOML
# NEGATIVE-002: Secrets from Environment
|
|
#
|
|
# This is a NEGATIVE test - secrets are properly loaded from environment
|
|
# variables, not hardcoded. Should NOT trigger secrets findings.
|
|
|
|
[metadata]
|
|
id = "negative-002"
|
|
name = "Secrets loaded from environment (no findings expected)"
|
|
category = "negative"
|
|
language = "rust"
|
|
difficulty = "easy"
|
|
source = "hand-curated"
|
|
created = "2025-02-05"
|
|
notes = "Negative test - proper secret management"
|
|
|
|
[input]
|
|
filename = "config.rs"
|
|
content = """
|
|
use std::env;
|
|
|
|
pub struct Config {
|
|
pub database_url: String,
|
|
pub api_key: String,
|
|
pub jwt_secret: String,
|
|
}
|
|
|
|
impl Config {
|
|
pub fn from_env() -> Result<Self, env::VarError> {
|
|
Ok(Self {
|
|
database_url: env::var("DATABASE_URL")?,
|
|
api_key: env::var("API_KEY")?,
|
|
jwt_secret: env::var("JWT_SECRET")?,
|
|
})
|
|
}
|
|
}
|
|
"""
|
|
|
|
[expected]
|
|
# No must_contain - this is a negative test
|
|
must_contain = []
|
|
|
|
must_not_contain = [
|
|
{ subject = "secrets/api_key", predicate = "hardcoded", value = true, rationale = "API key is loaded from environment" },
|
|
{ subject = "secrets/jwt_secret", predicate = "hardcoded", value = true, rationale = "JWT secret is loaded from environment" },
|
|
{ subject = "secrets/database_url", predicate = "hardcoded", value = true, rationale = "Database URL is loaded from environment" }
|
|
]
|
|
|
|
[scoring]
|
|
weight = 1.0
|
|
min_confidence = 0.9
|