AntFleet

Disagreement · 44bd7a66-anthropic-2

scanChangedFilesForSecrets mutates shared RegExp.lastIndex and may miss matches with /g flag (not present, but pattern is fragile)

solo Opus
repo 56f59a0d · PR #1 · reviewed 4 days ago

Opus finding

scanChangedFilesForSecrets mutates shared RegExp.lastIndex and may miss matches with /g flag (not present, but pattern is fragile)

low · maintainability · medium
  • src/ci/secrets.ts:76-100
The code defensively resets lastIndex even though none of the SECRET_PATTERNS declare /g or /y. firstMatchingLine() then sets pattern.lastIndex = 0 after each .test() call — but a RegExp without /g or /y always has lastIndex 0, so this is dead code. The danger is future maintenance: if any pattern is updated to include /g, the shared module-level RegExp state would cause non-deterministic misses across files. The defensive resets help, but only inside this scanner — redactEvidence uses inline regexes with the /g flag (safe because they are literal-per-call).

Recommendation

Either drop the unnecessary lastIndex resets, or compile fresh RegExps per scan, or assert non-stateful flags. Add a unit test that ensures patterns are stateless.
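An added example illustrating the hazard the finding describes and both remedies from its recommendation. This is not code from the reviewed repository or from AntFleet: `firstMatchingLine`, `scanFiles`, the pattern, the file contents and the helper names are all constructed here to mirror the scanner shape the finding discusses, and the token values are fake. It also goes one step past the finding by showing the fresh-compile and assert-stateless fixes side by side.

```typescript
// Added example, not code from the reviewed repository. `firstMatchingLine`
// and `scanFiles` only mirror the scanner shape described in the finding;
// names and sample input are constructed for this demonstration.

// Constructed "changed file" contents; token values are fake.
const CONSTRUCTED_FILES: Record<string, string[]> = {
  "a.env": ["DB=postgres", "AWS_KEY=AKIAABCDEFGHIJKLMNOP", "x=1"],
  "b.env": ["AWS_KEY=AKIA0123456789ABCDEF", "y=2"],
};

// A stateless pattern, and the same pattern after a hypothetical future edit
// adds /g. With /g (or /y), .test() starts searching at pattern.lastIndex and,
// on a hit, leaves lastIndex just past the match instead of resetting it.
const STATELESS = /AKIA[0-9A-Z]{16}/;
const GLOBAL = /AKIA[0-9A-Z]{16}/g;

type Tester = (pattern: RegExp, s: string) => boolean;

// The shape the finding describes: call .test() on the shared RegExp object.
const sharedTest: Tester = (pattern, s) => pattern.test(s);

// First 1-based line matching `pattern`, or -1. It returns as soon as a line
// matches, so a /g pattern's lastIndex is left pointing into that line.
function firstMatchingLine(
  lines: string[],
  pattern: RegExp,
  test: Tester = sharedTest,
): number {
  for (let i = 0; i < lines.length; i++) {
    if (test(pattern, lines[i])) return i + 1;
  }
  return -1;
}

// Scan every file with the same module-level RegExp object. With a /g
// pattern, state leaks from one file's scan into the next: the match in
// b.env ends at the same offset where a.env's match left lastIndex, so
// b.env is reported as clean.
function scanFiles(
  files: Record<string, string[]>,
  pattern: RegExp,
  test: Tester = sharedTest,
): Record<string, number> {
  const out: Record<string, number> = {};
  for (const name of Object.keys(files)) {
    out[name] = firstMatchingLine(files[name], pattern, test);
  }
  return out;
}

// Fix option 1: never reuse a stateful object. Compile a fresh copy per call
// with /g and /y stripped, so lastIndex can never carry over between calls.
const freshTest: Tester = (pattern, s) =>
  new RegExp(pattern.source, pattern.flags.replace(/[gy]/g, "")).test(s);

// Fix option 2: fail fast. Return the patterns that carry /g or /y; a unit
// test asserts this list is empty so the hazard cannot be reintroduced
// silently by a later edit to the pattern table.
function statefulPatterns(patterns: RegExp[]): string[] {
  return patterns
    .filter((p) => p.global || p.sticky)
    .map((p) => p.toString());
}
```

Calling `scanFiles(CONSTRUCTED_FILES, GLOBAL)` reports a.env at line 2 and b.env as -1 (missed), while the same call with `STATELESS`, or with `GLOBAL` plus `freshTest`, reports b.env at line 1. `statefulPatterns([STATELESS, GLOBAL])` returns only the /g pattern, which is the assertion the recommended unit test would make against the real pattern table.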

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.