* origin/main:
Optimize Jira ADF text extraction
Make ADF extraction iterative
Fix mutable text in ADF extractor
Optimize ADF join separator
Refine ADF flattening and tests
Add ADF extraction test coverage
Fix ADF text flattening
Fix Jira ADF description not being scanned on Jira Cloud
fix: around 20 `set-output` command warnings
chore: changes from formatting on save
- Performance: skip blobs smaller than 20 bytes during enumeration (too small to contain any secret).
- Performance: preserve pack-ascending blob order in the metadata path for better I/O locality when Rayon splits work.
Jira Cloud API v3 returns issue descriptions and comment bodies in
Atlassian Document Format (ADF) — a nested JSON tree — rather than as
plain strings. Previously, the raw ADF object was serialized to disk
and the scanner found 0 bytes of meaningful content, producing no
findings even when secrets were present.
This commit adds `extract_adf_text()` which recursively walks the ADF
`content` tree and collects all leaf `"type":"text"` node values into a
single plain string. `download_issues_to_dir()` now replaces any ADF
`description` or comment `body` fields with their extracted plain text
before writing the issue JSON to disk.
Fixes #242
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
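The commit above names `extract_adf_text()` and the replacement step in `download_issues_to_dir()` but shows no code. The following is an added Python illustration of the same technique, not the project's code: it walks an ADF tree with an explicit stack (iterative, so a hostile or very deep document cannot exhaust the call stack), keeps only `"type":"text"` leaves, and rewrites ADF `description` and comment `body` fields to plain text. It goes slightly beyond the commit's description in one respect: adjacent inline text nodes are concatenated without a separator and only block nodes get a newline, so a token that Jira split across two text nodes (for example because part of it is marked as code) is not broken apart before scanning. The sample issue, the block-type set, and the function names are assumptions made for this example.

```python
import copy
from typing import Any

# Constructed sample of a Jira Cloud v3 issue. The description and the first
# comment body are ADF trees; the second comment keeps a plain-string body so
# the flattening step can be seen to leave non-ADF values alone.
SAMPLE_ISSUE = {
    "key": "PROJ-1",
    "fields": {
        "description": {
            "type": "doc", "version": 1,
            "content": [
                {"type": "paragraph", "content": [
                    {"type": "text", "text": "Deploy key: "},
                    # marked as inline code, which is why Jira emits a separate text node
                    {"type": "text", "text": "EXAMPLE_SECRET_VALUE", "marks": [{"type": "code"}]},
                ]},
                {"type": "bulletList", "content": [
                    {"type": "listItem", "content": [
                        {"type": "paragraph", "content": [{"type": "text", "text": "rotate it"}]},
                    ]},
                ]},
            ],
        },
        "comment": {"comments": [
            {"id": "10", "body": {"type": "doc", "version": 1, "content": [
                {"type": "paragraph", "content": [{"type": "text", "text": "done"}]},
            ]}},
            {"id": "11", "body": "legacy plain-string body"},
        ]},
    },
}

# Node types after which a newline is emitted (assumption: a reasonable set of
# ADF block-level containers; extend as needed).
BLOCK_TYPES = {"paragraph", "heading", "codeBlock"}


def extract_adf_text(node: Any) -> str:
    """Flatten an ADF tree into plain text without recursion.

    Inline text nodes are concatenated as-is; a newline is appended after each
    block-level node and for an explicit hardBreak. Anything that is not a
    dict or list yields an empty string rather than raising.
    """
    if not isinstance(node, (dict, list)):
        return ""
    pieces: list[str] = []
    stack: list[Any] = [node]
    while stack:
        cur = stack.pop()
        if isinstance(cur, str):
            pieces.append(cur)                 # a separator pushed earlier
        elif isinstance(cur, list):
            stack.extend(reversed(cur))        # reversed so pops follow document order
        elif isinstance(cur, dict):
            node_type = cur.get("type")
            if node_type == "text" and isinstance(cur.get("text"), str):
                pieces.append(cur["text"])
            elif node_type == "hardBreak":
                pieces.append("\n")
            children = cur.get("content")
            if isinstance(children, list):
                if node_type in BLOCK_TYPES:
                    stack.append("\n")         # popped after the block's children
                stack.append(children)
    return "".join(pieces).strip()


def flatten_issue_adf(issue: dict) -> dict:
    """Return a copy of the issue with ADF description/comment bodies replaced by text.

    Plain-string fields (older API shapes) are left untouched, and the input is
    not mutated so the caller can still log or diff the original object.
    """
    out = copy.deepcopy(issue)
    fields = out.get("fields", {})
    if isinstance(fields.get("description"), dict):
        fields["description"] = extract_adf_text(fields["description"])
    for comment in fields.get("comment", {}).get("comments", []):
        if isinstance(comment.get("body"), dict):
            comment["body"] = extract_adf_text(comment["body"])
    return out
```

Writing the result of `flatten_issue_adf()` to disk instead of the raw issue is what lets the scanner's regexes see the description text at all; the deep-copy also avoids the mutable-state problem the "Fix mutable text in ADF extractor" commit refers to.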
- Added revocation support for Vercel app tokens (vca_, vcr_) via https://api.vercel.com/login/oauth/token/revoke. Requires VERCEL_APP_CLIENT_ID (or NEXT_PUBLIC_VERCEL_APP_CLIENT_ID) and VERCEL_APP_CLIENT_SECRET.
- Fixed validate/revoke command generation to omit regex named captures (e.g., BODY, CHECKSUM) when they are not used by validation/revocation templates, so rules like Vercel no longer produce unnecessary --var BODY=... arguments.
- Prevented transient HTTP validation failures (429/5xx) from being cached, avoiding cache poisoning that could suppress later successful validations in the same scan.
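The cache-poisoning item above is easy to get wrong: if a 429 or 5xx verdict is stored under the same key as a real verdict, every later occurrence of that secret in the scan silently inherits the failure. The following is an added Python illustration, not the project's code, showing the naive cache beside a hardened one that returns an indeterminate verdict but never stores it. The status classification, the rule id, the token value and the digest-based cache key are assumptions made for this example.

```python
import hashlib
from enum import Enum
from typing import Callable, Dict, Iterable, List


class Outcome(Enum):
    VALID = "valid"                   # endpoint accepted the credential
    INVALID = "invalid"               # endpoint rejected it
    INDETERMINATE = "indeterminate"   # rate limit, server error, or anything else: no verdict


def classify_status(status: int) -> Outcome:
    """Map an HTTP status to a verdict. Only 2xx and 401/403 count as definitive
    here (assumption); 429, 5xx and unexpected codes are indeterminate."""
    if 200 <= status < 300:
        return Outcome.VALID
    if status in (401, 403):
        return Outcome.INVALID
    return Outcome.INDETERMINATE


def cache_key(rule_id: str, secret: str) -> str:
    """Key the cache by a digest so the raw secret is not held in the cache map."""
    return hashlib.sha256(f"{rule_id}\x00{secret}".encode()).hexdigest()


class NaiveCache:
    """The 'before' behaviour: every outcome is cached, transient failures included."""

    def __init__(self) -> None:
        self.entries: Dict[str, Outcome] = {}

    def validate(self, rule_id: str, secret: str, probe: Callable[[], int]) -> Outcome:
        key = cache_key(rule_id, secret)
        if key not in self.entries:
            self.entries[key] = classify_status(probe())
        return self.entries[key]


class DefinitiveOnlyCache(NaiveCache):
    """Hardened: an indeterminate verdict is returned to the caller but never stored,
    so the next occurrence of the same secret probes the endpoint again."""

    def validate(self, rule_id: str, secret: str, probe: Callable[[], int]) -> Outcome:
        key = cache_key(rule_id, secret)
        if key in self.entries:
            return self.entries[key]
        outcome = classify_status(probe())
        if outcome is not Outcome.INDETERMINATE:
            self.entries[key] = outcome
        return outcome


def replay(cache: NaiveCache, statuses: Iterable[int]) -> List[Outcome]:
    """Drive a cache through a sequence of HTTP statuses for one recurring finding.
    The probe is only invoked on cache misses, so consumed statuses show which
    calls actually reached the endpoint."""
    statuses = list(statuses)
    it = iter(statuses)
    return [cache.validate("example.rule", "CONSTRUCTED_TOKEN", lambda: next(it))
            for _ in statuses]
```

With the constructed sequence 429, 200, 503 the naive cache reports the finding as indeterminate three times and never sees the 200; the hardened cache reports indeterminate once, then valid, and keeps that verdict through the later 503. A scanner that treats indeterminate as "not validated" should also say so in its output rather than dropping the finding.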
- Switch validation endpoint from /-/npm/v1/user to /-/whoami which
works for all token types regardless of scope/permissions
- Fix revocation token matching: use Regex extractor with Liquid-rendered
prefix ({{ TOKEN | prefix: 8 }}) to locate the correct token in the
list response instead of blindly taking objects[0]
- Add Liquid template rendering support in multi-step revocation
extraction patterns (render_extractor) for dynamic matching
- Add debug logging of HTTP response status and body during revocation
so -v flag shows full API responses for troubleshooting
- Include response body in extraction failure error messages
Co-authored-by: Cursor <cursoragent@cursor.com>
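The revocation fix in the commit above replaces "take `objects[0]`" with "find the entry whose token prefix matches the token we actually hold", and includes the response body in the error when that lookup fails. The following is an added Python illustration, not the project's code: the `{{ TOKEN | prefix: 8 }}` rendering is stood in for by plain slicing, the rendered prefix is regex-escaped before matching, and the lookup insists on exactly one hit so the wrong credential is never revoked. The list-response shape, field names and token values are constructed for this example.

```python
import json
import re

# Constructed list response: an "objects" array in which each entry carries a
# truncated token prefix and the key needed to revoke it. The leaked token is
# deliberately NOT the first object, which is the case objects[0] got wrong.
SAMPLE_LIST_RESPONSE = json.dumps({"objects": [
    {"token": "npm_AAAA", "key": "key-for-someone-elses-token", "readonly": False},
    {"token": "npm_Leak", "key": "key-for-the-leaked-token", "readonly": False},
    {"token": "npm_ZZZZ", "key": "key-for-a-third-token", "readonly": True},
]})

LEAKED_TOKEN = "npm_LeakedExampleTokenValue0123456789"   # constructed, not a real token


def render_prefix(token: str, n: int = 8) -> str:
    """Stand-in for the Liquid `prefix` filter: the first n characters of the token."""
    return token[:n]


def find_revocation_key(body: str, token: str, prefix_len: int = 8) -> str:
    """Locate the list entry belonging to `token` and return its revocation key.

    Raises LookupError, with the response body attached, when zero or several
    entries match; revoking on a guess is worse than failing loudly.
    """
    prefix = render_prefix(token, prefix_len)
    # Escape so regex metacharacters in a token prefix are matched literally.
    matcher = re.compile(r"^" + re.escape(prefix))
    objects = json.loads(body).get("objects", [])
    hits = [o for o in objects
            if isinstance(o.get("token"), str) and matcher.match(o["token"])]
    if len(hits) != 1:
        raise LookupError(
            f"expected exactly one token starting with {prefix!r}, found {len(hits)}; "
            f"response body: {body}"
        )
    return hits[0]["key"]
```

Matching against the parsed `token` field rather than running one regex over the raw body keeps the lookup independent of the order in which the API emits `token` and `key` inside each object.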