My credential rule reported 842 secrets in vercel/ai. The real count was 0.
7.1 relevance
Score Breakdown
technical depth 8
novelty 7
actionability 7
community 5
strategic 6
personal 8
Scored daily by a customisable AI persona to surface the most relevant engineering leadership news.
Analysis of false positives in secret scanning rules, provides practical lessons for code quality tools.
Summary
A credential scanning rule (secure-coding/no-hardcoded-credentials) reported 842 secrets in the vercel/ai SDK, but 807 of those were false positives triggered by long identifier strings like 'experimental_onToolExecutionStart'. In contrast, the peer plugin eslint-plugin-no-secrets, which uses Shannon entropy instead of regex shape matching, flagged only 380 findings with far fewer false alarms. The author's regex rule lacked tests for non-random but long strings, highlighting that high detection counts are meaningless without precision.