feat: expand DLP to 34 patterns + crypto wallet protection #37
Merged
Add private key PEM (all operations), HuggingFace, Groq, Vercel, Supabase, DigitalOcean, HashiCorp Vault, Linear, Postman, Replicate, Twilio, Doppler, OpenAI admin, Firebase patterns. Promote gitleaks from optional to recommended with install instructions on missing.
- BIP39 mnemonic detection (embedded 2048-word wordlist, sliding window)
- Extended private key (xprv/yprv/zprv/tprv) with base58check validation
- WIF private key with base58check + version byte validation
- Hardcoded wallet path protection for 15+ chains via btcutil.AppDataDir()
- Fix /proc symlink bypass: moved hardcoded checks after symlink resolution
- Pipeline reordered: symlink resolution now step 13, hardcoded checks 14-15
- Pipeline reordered: symlink resolution before hardcoded checks
- Add crypto DLP section (BIP39, xprv, WIF with checksum validation)
- Add crypto wallet path protection for 16 chains
- Add 4 new rows to attack coverage table
- Add Crypto Wallets to protection categories
- Word length filter 2-8 → 3-8 (matches actual BIP39 range)
- Skip empty AppDataDir() results defensively
- Add 15-word and 18-word BIP39 mnemonic test cases
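The base58check validation the commits above describe for xprv and WIF keys, as an added Go example that is not this PR's code: the checksum and version-byte rules come from the Bitcoin WIF and BIP32 serialization formats, the function names are my own, and the WIF string in main is the Bitcoin wiki's documentation example rather than a live key.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math/big"
	"strings"
)

const b58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
// base58CheckPayload decodes s (each leading '1' is a 0x00 byte), verifies the
// trailing 4-byte double-SHA256 checksum and returns the payload without it.
func base58CheckPayload(s string) ([]byte, bool) {
	n := new(big.Int)
	for _, r := range s {
		i := strings.IndexRune(b58, r)
		if i < 0 {
			return nil, false // contains a non-base58 character
		}
		n.Mul(n, big.NewInt(58)).Add(n, big.NewInt(int64(i)))
	}
	zeros := len(s) - len(strings.TrimLeft(s, "1"))
	raw := append(make([]byte, zeros), n.Bytes()...)
	if len(raw) < 5 {
		return nil, false
	}
	p, sum := raw[:len(raw)-4], raw[len(raw)-4:]
	h := sha256.Sum256(p)
	h = sha256.Sum256(h[:])
	return p, bytes.Equal(h[:4], sum)
}

// IsWIF: version 0x80 (mainnet) or 0xEF (testnet), 32-byte key, optional 0x01 flag.
func IsWIF(s string) bool {
	p, ok := base58CheckPayload(s)
	if !ok || (len(p) != 33 && len(p) != 34) || (p[0] != 0x80 && p[0] != 0xEF) {
		return false
	}
	return len(p) == 33 || p[33] == 0x01
}

// IsXprv: BIP32 private key, 78-byte payload with xprv (0x0488ADE4) or tprv (0x04358394) bytes.
func IsXprv(s string) bool {
	p, ok := base58CheckPayload(s)
	return ok && len(p) == 78 && (string(p[:4]) == "\x04\x88\xad\xe4" || string(p[:4]) == "\x04\x35\x83\x94")
}
func main() {
	// Documentation example key from the Bitcoin wiki, not a live wallet key.
	fmt.Println(IsWIF("5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ"))
}
```

Because a random base58-looking token passes the checksum with probability about 2^-32, this check is what lets a DLP rule flag WIF/xprv material without the false positives a bare length-and-alphabet regex would produce.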
chen-zichen
approved these changes
Feb 28, 2026
…iscovery Use runtime.GOOS + os.UserHomeDir() instead of btcutil.AppDataDir() for computing crypto wallet directories. Removes direct btcutil import (base58 sub-package retained for key validation). Also fixes Windows path separator normalization with filepath.Clean.
Summary
HashiCorp Vault, Linear, Postman, Replicate, Twilio, Doppler, OpenAI admin, Firebase, PEM private keys)
keys (base58check checksum) — zero false positives
Test plan
- go build ./... passes
- go test -race ./... passes
Security checklist