Skip to content

santhsecurity/keyhog

v0.5.35 Feature

This release adds 1 notable feature for engineering teams evaluating rollout.

Published 6d Secrets & Credentials
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

api-keys credentials security git gpu hyperscan
+5 more
pre-commit rust secret-detection secret-scanner simd

Summary

AI summary

Wrapper-harness misses dropped from 216 to 152 and a new diagnostic variable KEYHOG_ADVERSARIAL_FULL_LOG was added.

Changes in this release

Feature Low

Added diagnostic environment variable KEYHOG_ADVERSARIAL_FULL_LOG to dump full wrapper-harness miss list.

Added diagnostic environment variable KEYHOG_ADVERSARIAL_FULL_LOG to dump full wrapper-harness miss list.

Source: llm_adapter@2026-05-28

Confidence: high
Performance Medium

Reduced wrapper-harness misses from 216 to 152 (30% reduction).

Reduced wrapper-harness misses from 216 to 152 (30% reduction).

Source: llm_adapter@2026-05-28

Confidence: high
Bugfix Medium

Fixed 5 detector regex issues affecting deepnote, cloudsmith, aws-lambda, five9, fedex.

Fixed 5 detector regex issues affecting deepnote, cloudsmith, aws-lambda, five9, fedex.

Source: llm_adapter@2026-05-28

Confidence: high
Bugfix Medium

Corrected 4 contract body-length mismatches for fedex, finicity, footprint, mistral.

Corrected 4 contract body-length mismatches for fedex, finicity, footprint, mistral.

Source: llm_adapter@2026-05-28

Confidence: high
Full changelog

What changed

  • 5 detector regex fixes (deepnote, cloudsmith, aws-lambda, five9, fedex)
  • 4 contract body-length corrections (fedex, finicity, footprint, mistral)
  • KEYHOG yellow ASCII-art banner shipped at docs/assets/keyhog-banner.svg
  • New diagnostic: KEYHOG_ADVERSARIAL_FULL_LOG=<path> dumps full wrapper-harness miss list

Wrapper-harness misses dropped from 216 to 152 (30% reduction).

Full changelog: CHANGELOG.md.

Known remaining

152 of 14,512 wrapper variants still miss. The bulk (~144) sit on detectors whose canonical positives surface but whose wrapped variants do not — a prefilter / extract handoff issue tracked for v0.5.36. The remaining ~8 are contract-redesign cases (bandwidth pos#1, vertexai).

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track santhsecurity/keyhog

Get notified when new releases ship.

Sign up free

About santhsecurity/keyhog

All releases →

Related context

Beta — feedback welcome: [email protected]