base repository: boostsecurityio/poutine
base: v1.0.5
head repository: boostsecurityio/poutine
compare: v1.0.6
  • 1 commit
  • 9 files changed
  • 2 contributors

Commits on Jan 13, 2026

  1. Add structured metadata fields to findings for programmatic access (#385)
    
    * Add structured metadata fields to findings for programmatic access
    
    Adds new fields to FindingMeta for library users who need machine-readable
    access to security-relevant data without parsing human-readable strings:
    
    - injection_sources: Array of specific expressions being injected
    - lotp_tool: Living Off The Pipeline build tool (npm, pip, make, etc.)
    - lotp_action: LOTP GitHub Action identifier
    - referenced_secrets: Secrets referenced in the job (excludes GITHUB_TOKEN)
    
    The referenced_secrets field is automatically extracted when rules pass
    the _job field, supporting dot notation (secrets.FOO) and bracket notation
    (secrets['FOO'] and secrets["FOO"]).
    
    Benchmark (Apple M4 Pro):
    | Version | ns/op     | B/op      | allocs/op |
    |---------|-----------|-----------|-----------|
    | Before  | 10971339  | 7149084   | 132787    |
    | After   | 12059356  | 7858242   | 148422    |
    | Delta   | +9.9%     | +9.9%     | +11.8%    |
    
    Co-Authored-By: Claude Opus 4.5 <[email protected]>
    
    * Use hex.EncodeToString for faster fingerprint encoding
    
    Fixes perfsprint linter warning by replacing fmt.Sprintf("%x", ...) with
    hex.EncodeToString which is more performant.
    
    Co-Authored-By: Claude Opus 4.5 <[email protected]>
    
    * Use require.NoError for error assertions in test
    
    Fixes testifylint warning by using require.NoError instead of
    assert.NoError for error checking in TestStructuredFindingFields.
    
    Co-Authored-By: Claude Opus 4.5 <[email protected]>
    
    ---------
    
    Co-authored-by: Claude Opus 4.5 <[email protected]>
    fproulx-boostsecurity and claude authored Jan 13, 2026
    Commit 849436a
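As an added illustration of the referenced_secrets extraction the commit message describes, here is a Go function that pulls secret names out of a job in the three notations named above (secrets.FOO, secrets['FOO'], secrets["FOO"]) and drops GITHUB_TOKEN. This is example code written for this page, not poutine's implementation; the regex, the function name and the sample job are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// The three reference forms named in the commit message. RE2 has no
// backreferences, so the two quote styles are separate alternatives.
var secretRefPattern = regexp.MustCompile(
	`\bsecrets\s*(?:\.([A-Za-z_]\w*)|\[\s*'([A-Za-z_]\w*)'\s*\]|\[\s*"([A-Za-z_]\w*)"\s*\])`)

// ReferencedSecrets returns the sorted, de-duplicated secret names referenced
// in a job, excluding GITHUB_TOKEN. Taking the job as raw YAML text is an
// assumption of this example; poutine's rules receive a parsed _job object.
func ReferencedSecrets(job string) []string {
	seen := map[string]struct{}{}
	for _, m := range secretRefPattern.FindAllStringSubmatch(job, -1) {
		name := m[1] + m[2] + m[3] // exactly one capture group is non-empty
		if name == "GITHUB_TOKEN" {
			continue // always available to the job; not a stored secret
		}
		seen[name] = struct{}{}
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// Constructed sample job (not from any real workflow), mixing all notations
// plus a duplicate and a GITHUB_TOKEN reference that must be dropped.
const sampleJob = `
deploy:
  env:
    TOKEN: ${{ secrets.GITHUB_TOKEN }}
    NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
    AWS_KEY: ${{ secrets['AWS_ACCESS_KEY'] }}
    AWS_SECRET: ${{ secrets["AWS_SECRET_KEY"] }}
  steps:
    - run: echo ${{ secrets.NPM_TOKEN }}
`

func main() {
	fmt.Println(ReferencedSecrets(sampleJob)) // [AWS_ACCESS_KEY AWS_SECRET_KEY NPM_TOKEN]
}
```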