
feat: expand DLP to 34 patterns + crypto wallet protection #37

Merged: cyyever merged 5 commits into main from fix/doc-gaps on Feb 28, 2026

@cyyever cyyever commented Feb 28, 2026

Summary

  • Expand DLP Tier 1 from 19 → 34 hardcoded token patterns (HuggingFace, Groq, Vercel, Supabase, DigitalOcean,
    HashiCorp Vault, Linear, Postman, Replicate, Twilio, Doppler, OpenAI admin, Firebase, PEM private keys)
  • Add crypto wallet DLP with cryptographic validation: BIP39 mnemonic (embedded 2048-word wordlist), xprv/WIF
    keys (base58check checksum) — zero false positives
  • Hardcoded wallet path protection for 16 chains via btcutil.AppDataDir()
  • Fix symlink bypass: /proc and crypto wallet checks now run after symlink resolution
  • Pipeline reordered to 17 steps; hardcoded checks get same protection as YAML rules

Test plan

  • go build ./... passes
  • go test -race ./... passes
  • Tested manually (describe below)

Security checklist

  • No new path traversal or glob bypass vectors
  • No secrets or credentials in code

Add private key PEM (all operations), HuggingFace, Groq, Vercel,
Supabase, DigitalOcean, HashiCorp Vault, Linear, Postman, Replicate,
Twilio, Doppler, OpenAI admin, Firebase patterns. Promote gitleaks
from optional to recommended with install instructions on missing.
- BIP39 mnemonic detection (embedded 2048-word wordlist, sliding window)
- Extended private key (xprv/yprv/zprv/tprv) with base58check validation
- WIF private key with base58check + version byte validation
- Hardcoded wallet path protection for 15+ chains via btcutil.AppDataDir()
- Fix /proc symlink bypass: moved hardcoded checks after symlink resolution
- Pipeline reordered: symlink resolution now step 13, hardcoded checks 14-15
- Pipeline reordered: symlink resolution before hardcoded checks
- Add crypto DLP section (BIP39, xprv, WIF with checksum validation)
- Add crypto wallet path protection for 16 chains
- Add 4 new rows to attack coverage table
- Add Crypto Wallets to protection categories
- Word length filter 2-8 → 3-8 (matches actual BIP39 range)
- Skip empty AppDataDir() results defensively
- Add 15-word and 18-word BIP39 mnemonic test cases
…iscovery

Use runtime.GOOS + os.UserHomeDir() instead of btcutil.AppDataDir()
for computing crypto wallet directories. Removes direct btcutil import
(base58 sub-package retained for key validation). Also fixes Windows
path separator normalization with filepath.Clean.
@cyyever cyyever merged commit 89dbcca into main Feb 28, 2026
6 checks passed
@cyyever cyyever deleted the fix/doc-gaps branch February 28, 2026 08:00
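
The "WIF private key with base58check + version byte validation" item above is what separates a real key from a string that merely has the right shape. The following is an added example, not code from this pull request: it uses a standard-library `math/big` decoder in place of the btcutil base58 sub-package the commits mention, and the names `IsWIF`, `sampleWIF` and `checksum`, plus the Bitcoin mainnet/testnet version bytes 0x80/0xEF, are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math/big"
	"strings"
)

const alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

func checksum(p []byte) []byte { // base58check: first 4 bytes of SHA256(SHA256(p))
	a := sha256.Sum256(p)
	b := sha256.Sum256(a[:])
	return b[:4]
}

// IsWIF (hypothetical name) reports whether tok is a checksum-valid WIF private key.
func IsWIF(tok string) bool {
	n := new(big.Int)
	for _, c := range tok {
		i := strings.IndexRune(alphabet, c)
		if i < 0 {
			return false // not base58
		}
		n.Mul(n, big.NewInt(58)).Add(n, big.NewInt(int64(i)))
	}
	raw := n.Bytes() // version + 32-byte key [+ 0x01 compression flag] + 4-byte checksum
	if strings.HasPrefix(tok, "1") || (len(raw) != 37 && len(raw) != 38) ||
		(raw[0] != 0x80 && raw[0] != 0xEF) { // mainnet / testnet version bytes
		return false // also rejects a leading '1' (a 0x00 byte that big.Int drops)
	}
	body, sum := raw[:len(raw)-4], raw[len(raw)-4:]
	return (len(body) == 33 || body[33] == 0x01) && bytes.Equal(checksum(body), sum)
}

// sampleWIF encodes a constructed, throwaway key (32 bytes of 0x42) as mainnet WIF.
func sampleWIF() string {
	p := append([]byte{0x80}, bytes.Repeat([]byte{0x42}, 32)...)
	n, m := new(big.Int).SetBytes(append(p, checksum(p)...)), new(big.Int)
	var out []byte
	for n.Sign() > 0 {
		n.DivMod(n, big.NewInt(58), m)
		out = append([]byte{alphabet[m.Int64()]}, out...)
	}
	return string(out)
}

func main() { fmt.Println(IsWIF(sampleWIF()), IsWIF("5"+strings.Repeat("K", 50))) }
```

The second call in `main` passes a 51-character base58 string that a shape-only regex would flag; the checksum comparison is what rejects it.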