@rootranjan
Fixes #4628

Description:

Reduce false positives in Chatbot detector by filtering out legitimate code identifiers that match the detector pattern.

Changes:

  • Add filters to exclude letters-only matches (no digits)
  • Filter out snake_case patterns (variable/table names)
  • Filter out camelCase/PascalCase patterns (code identifiers)
  • Fix lint error by properly handling res.Body.Close() error

This reduces false positives from legitimate code identifiers like variable names, class names, and schema names while still detecting real Chatbot API keys that contain digits and have higher entropy.

Problem:
The Chatbot detector was flagging any 32-character alphanumeric string near the keyword "chatbot" as a potential secret, including:

  • PascalCase variable names (e.g., internalFeatureNavigationManager)
  • Snake_case identifiers (e.g., analytics_abc_meltsys_adachatbot)
  • Class names, function names, and configuration keys

Solution:
Added isLikelyFalsePositive() helper function that filters out:

  1. Strings with only letters (no digits) - Real API keys typically contain digits
  2. Snake_case patterns (^[a-z]+(_[a-z]+)+$) - Common for variable/table names
  3. CamelCase/PascalCase patterns - Common for code identifiers

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

- Add filters to exclude letters-only matches (no digits)
- Filter out snake_case patterns (variable/table names)
- Filter out camelCase/PascalCase patterns (code identifiers)
- Fix lint error by properly handling res.Body.Close() error

This reduces false positives from legitimate code identifiers like
variable names, class names, and schema names while still detecting
real Chatbot API keys that contain digits and have higher entropy.
@rootranjan rootranjan requested a review from a team December 30, 2025 16:52
@rootranjan rootranjan requested a review from a team as a code owner December 30, 2025 16:52
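An added illustration of the filter the description outlines (example code written for this page, not the PR's diff or the project's own detector). It assumes a detector shape of the keyword "chatbot" plus a 32-character `[a-zA-Z0-9_]` token, reuses the snake_case regexp quoted above, and supplies its own camelCase/PascalCase patterns as assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// The snake_case regexp is the one quoted in the PR description; the other
// patterns are assumptions made for this example, not the project's own.
var (
	candidateRe  = regexp.MustCompile(`\b[a-zA-Z0-9_]{32}\b`)
	digitRe      = regexp.MustCompile(`[0-9]`)
	snakeCaseRe  = regexp.MustCompile(`^[a-z]+(_[a-z]+)+$`)
	camelCaseRe  = regexp.MustCompile(`^[a-z][a-z0-9]*([A-Z][a-z][a-z0-9]*)+$`)
	pascalCaseRe = regexp.MustCompile(`^([A-Z][a-z][a-z0-9]*){2,}$`)
)

// isLikelyFalsePositive applies the PR's three rules to one 32-char match:
// letters only, snake_case, or camelCase/PascalCase means "code identifier".
func isLikelyFalsePositive(s string) bool {
	if !digitRe.MatchString(s) {
		return true // rule 1: real keys carry digits
	}
	// rules 2 and 3 (rule 2 is redundant with rule 1 for the quoted pattern)
	return snakeCaseRe.MatchString(s) || camelCaseRe.MatchString(s) || pascalCaseRe.MatchString(s)
}

// findChatbotCandidates mirrors the detector's shape (keyword "chatbot" in the
// data plus a 32-char token) and drops tokens the filter calls identifiers.
func findChatbotCandidates(data string) []string {
	if !strings.Contains(strings.ToLower(data), "chatbot") {
		return nil
	}
	var keep []string
	for _, m := range candidateRe.FindAllString(data, -1) {
		if !isLikelyFalsePositive(m) {
			keep = append(keep, m)
		}
	}
	return keep
}

// Constructed sample: the two identifiers from the issue plus a made-up key.
const sampleInput = "chatbot config: internalFeatureNavigationManager\n" +
	"table analytics_abc_meltsys_adachatbot\n" +
	"CHATBOT_KEY=a7Kq9zR2mX4pL8vN1bC3dF5gH6jT0wY2\n"

func main() {
	fmt.Println(findChatbotCandidates(sampleInput)) // [a7Kq9zR2mX4pL8vN1bC3dF5gH6jT0wY2]
}
```

The heuristic trades recall for precision: a real key that happens to contain no digits, or that alternates capitals and lowercase runs like a PascalCase word, is dropped too, so the rules are worth exercising against known-good keys in the detector's tests.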
Development

Successfully merging this pull request may close these issues.

Chatbot detector flags legitimate code identifiers as secrets