t4959: Address 4 review findings in prompt-guard-helper.sh

[alex-solovyev]

Summary

• Add key as standalone credential parameter to detection pattern, sanitization regex, and YAML config — aligning with build.txt section 8.4 which documents ?key= as a sensitive URL parameter
• Replace credential-like test literals (sk_live_, AKIA, SuperSecret123!, eyJhbGci, cs_) with PLACEHOLDER_ prefixed values to eliminate Gitleaks/secret-scanner false positives
• Add test coverage for new key= parameter detection
• Confirm short param test already uses tracked parameter (secret=abc), no change needed

Findings Addressed

#	Severity	Reviewer	Finding	Fix
1	MEDIUM	gemini	Detection pattern missing key=	Added key to inline pattern + YAML
2	MEDIUM	gemini	Sanitization regex missing key=	Added key to sed regex
3	HIGH	coderabbit	Test literals trigger secret scanners	Replaced with PLACEHOLDER_ values
4	HIGH	coderabbit	Short param test uses untracked key=abc	Already secret=abc in current code

Files Changed

File	Change
.agents/scripts/prompt-guard-helper.sh	Add key to detection + sanitization, placeholder test values, new key= test
.agents/configs/prompt-injection-patterns.yaml	Add key to credential_exposure pattern

Verification

• key= detection: exit=2 (WARN on moderate policy) — correct
• key= sanitization: value replaced with [REDACTED] — correct
• secret=abc short value: exit=0 (no match) — correct
• ShellCheck: clean (only pre-existing SC1091 info)

Closes #4959

Summary by CodeRabbit

• Bug Fixes

  • Enhanced credential exposure detection to recognize additional parameter name variants, improving security monitoring coverage.

• Tests

  • Improved test security by replacing sensitive data with placeholder values.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the prompt guard helper script and its associated configuration to improve the detection and sanitization of sensitive key parameters in URLs. It also refines the testing methodology by replacing literal sensitive data with placeholders, thereby preventing erroneous security scanner alerts and ensuring robust credential protection.

Highlights

• Credential Detection: The key parameter has been added to the credential detection patterns in both the prompt-guard-helper.sh script and the prompt-injection-patterns.yaml configuration, aligning with documentation that identifies ?key= as a sensitive URL parameter.
• Credential Sanitization: The sanitization regex in prompt-guard-helper.sh has been updated to redact values associated with the key parameter, ensuring sensitive information is masked.
• Test Literal Updates: Credential-like test literals (e.g., sk_live_, AKIA, SuperSecret123!) in the test suite have been replaced with PLACEHOLDER_ prefixed values to eliminate false positives from Gitleaks and other secret scanners.
• New Test Coverage: New test coverage has been added specifically for the key= parameter detection, verifying its correct identification and handling.

Changelog

• .agents/configs/prompt-injection-patterns.yaml
  • Added 'key' to the credential_exposure pattern for URL query parameters.
• .agents/scripts/prompt-guard-helper.sh
  • Updated the credential_exposure pattern to include key as a sensitive URL query parameter.
  • Modified the sanitization regex to redact key parameters in URLs.
  • Replaced hardcoded credential-like test literals with PLACEHOLDER_ prefixed values to prevent false positives from secret scanners.
  • Added a new test case to verify detection of key= parameters.

Activity

• Addressed a MEDIUM severity finding from 'gemini' regarding the detection pattern missing key= by adding key to the inline pattern and YAML configuration.
• Addressed a MEDIUM severity finding from 'gemini' regarding the sanitization regex missing key= by adding key to the sed regex.
• Addressed a HIGH severity finding from 'coderabbit' regarding test literals triggering secret scanners by replacing them with PLACEHOLDER_ values.
• Confirmed that a HIGH severity finding from 'coderabbit' about a short param test using an untracked key=abc was already using secret=abc and required no change.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

These changes address review feedback by adding key as a sensitive parameter to credential detection and sanitization patterns. Test credentials are replaced with non-sensitive placeholders to eliminate secret scanner false positives while maintaining regex coverage.

Changes

Cohort / File(s)	Summary
Configuration Pattern Update .agents/configs/prompt-injection-patterns.yaml	Expanded credential_exposure detection for API credentials to include key parameter alongside existing api_key, apikey, and api-key variants in both pattern and description.
Script Pattern & Test Updates .agents/scripts/prompt-guard-helper.sh	Added key to credential detection and sanitization regex patterns; replaced real-looking credential test literals (e.g., sk_live_, AKIA, JWT-like values) with explicit PLACEHOLDER_*_123456 format; updated test expectations and added comments clarifying placeholder usage.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🔐 Keys and secrets tucked away,
With placeholders saving the day,
No more scanners in a spin,
Your code's clean—let's commit and win! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly references the PR objective of addressing review findings in prompt-guard-helper.sh, directly matching the changeset scope.
Linked Issues check	✅ Passed	All four review findings from issue #4959 are comprehensively addressed: key added to detection patterns and sanitization regex, credential-like test literals replaced with PLACEHOLDER values, and short-parameter test corrected to use tracked parameter.
Out of Scope Changes check	✅ Passed	All changes are scoped to addressing the four specific review findings from #4959; no unrelated modifications detected in the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/quality-debt-4959-prompt-guard

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 364 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sun Mar 15 23:33:13 UTC 2026: Code review monitoring started
Sun Mar 15 23:33:13 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 364

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 364
• VULNERABILITIES: 0

Generated on: Sun Mar 15 23:33:16 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[gemini-code-assist]

Code Review

This pull request successfully addresses several review findings by enhancing credential detection and sanitization. The replacement of test literals with placeholders is a good security practice. The two minor suggestions to improve the consistency of descriptions for the updated detection patterns are valid and have been retained.

[gemini-code-assist]

To improve clarity and ensure the description perfectly matches the pattern, consider including all variants. The pattern checks for key, api_key, apikey, and api-key, but the description is missing api-key.

    description: "URL query param: key/api_key/apikey/api-key"

References

1. To ensure comprehensive coverage, security detection patterns must include all known variations.
2. When applying a fix for a specific pattern, also fix other instances of the same pattern in the file for consistency.

[gemini-code-assist]

For consistency with the pattern and the YAML configuration, it would be best to make this description fully comprehensive. The current description key/api_key is missing apikey and api-key which are present in the regex.

Suggested change

	MEDIUM|credential_exposure|URL query param: key/api_key|[?&](key|api_key|apikey|api-key)=[^&\s]{8,}
	MEDIUM|credential_exposure|URL query param: key/api_key/apikey/api-key|[?&](key|api_key|apikey|api-key)=[^&
	s]{8,}

References

1. To ensure comprehensive coverage, security detection patterns must include all known variations.
2. When applying a fix for a specific pattern, also fix other instances of the same pattern in the file for consistency.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud