[HIGH] Fix secret scanner false negatives on file read errors #267

New Issue

jason.woltje · 2026-02-02T23:17:02Z

jason.woltje commented

2026-02-02 23:17:02 +00:00

Priority: HIGH - Security vulnerability

Problem:
SecretScannerService returns "no secrets found" when file reading fails, potentially approving commits with secrets.

File: apps/orchestrator/src/git/secret-scanner.service.ts:268-277

Hidden Errors:

File permission denied
File encoding issues (binary files as text)
Disk I/O errors
File deleted during scan
Filesystem corruption

Impact:
CRITICAL SECURITY RISK - A commit containing secrets could be approved because scanner failed to read the file but returned "no secrets found."

Acceptance Criteria:

scanFile() returns error result when read fails (not empty success)
New scanFailed: boolean field in SecretScanResult
Callers must check scanFailed before trusting results
Commit blocked if any file scan fails
Tests verify scan failure scenarios
Logging includes read errors

Recommended Fix:

async scanFile(filePath: string): Promise<SecretScanResult> {
  try {
    const content = await fs.readFile(filePath, 'utf-8');
    return this.scanContent(content, filePath);
  } catch (readError) {
    return {
      filePath,
      hasSecrets: false,
      matches: [],
      count: 0,
      error: `Failed to read file: ${readError.message}`,
      scanFailed: true, // NEW: Indicates scan couldn't complete
    };
  }
}

// Caller must check:
const results = await scanner.scanFiles(files);
const failedScans = results.filter(r => r.scanFailed);
if (failedScans.length > 0) {
  throw new Error('Secret scan failed - cannot guarantee safety');
}

Code Review Confidence: 85%
Found by: pr-review-toolkit:silent-failure-hunter

**Priority:** HIGH - Security vulnerability **Problem:** SecretScannerService returns "no secrets found" when file reading fails, potentially approving commits with secrets. **File:** `apps/orchestrator/src/git/secret-scanner.service.ts:268-277` **Hidden Errors:** - File permission denied - File encoding issues (binary files as text) - Disk I/O errors - File deleted during scan - Filesystem corruption **Impact:** CRITICAL SECURITY RISK - A commit containing secrets could be approved because scanner failed to read the file but returned "no secrets found." **Acceptance Criteria:** - [ ] scanFile() returns error result when read fails (not empty success) - [ ] New `scanFailed: boolean` field in SecretScanResult - [ ] Callers must check scanFailed before trusting results - [ ] Commit blocked if any file scan fails - [ ] Tests verify scan failure scenarios - [ ] Logging includes read errors **Recommended Fix:** ```typescript async scanFile(filePath: string): Promise<SecretScanResult> { try { const content = await fs.readFile(filePath, 'utf-8'); return this.scanContent(content, filePath); } catch (readError) { return { filePath, hasSecrets: false, matches: [], count: 0, error: `Failed to read file: ${readError.message}`, scanFailed: true, // NEW: Indicates scan couldn't complete }; } } // Caller must check: const results = await scanner.scanFiles(files); const failedScans = results.filter(r => r.scanFailed); if (failedScans.length > 0) { throw new Error('Secret scan failed - cannot guarantee safety'); } ``` **Code Review Confidence:** 85% **Found by:** pr-review-toolkit:silent-failure-hunter

jason.woltje added this to the M6-AgentOrchestration (0.0.6) milestone 2026-02-02 23:17:02 +00:00

jason.woltje added the security orchestrator labels 2026-02-02 23:17:02 +00:00

jason.woltje closed this issue

2026-02-03 17:37:06 +00:00

jason.woltje commented

2026-02-03 17:37:43 +00:00

✅ Fixed: Added try-catch around readFile operations with proper error logging. No more silent failures on file read errors.

jason.woltje referenced this issue from a commit

2026-02-03 18:45:49 +00:00

fix(orchestrator): resolve all M6 remediation issues (#260-#269)

Sign in to join this conversation.

Branches Tags

main

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#267