
IssueGuard: Real-Time Secret Leak Prevention Tool for GitHub Issue Reports

Md Nafiu Rahman, Sadif Ahmed, Zahin Wahab, Gias Uddin, Rifat Shahriyar

TL;DR

IssueGuard tackles accidental secret exposure in issue reports by detecting secrets in real time, before submission, inside the user interface. The approach combines regex-based candidate extraction with a fine-tuned CodeBERT classifier to achieve high accuracy (F1 = 92.70%) while keeping latency low (≈198 ms end-to-end) through a client–server Chrome extension design and GPU-accelerated inference. The paper reports strong model performance, favorable comparisons to post-submission tools, and a positive user study showing usability and confidence gains. This work offers a practical, privacy-conscious solution that can be extended to additional platforms and browsers to prevent secret leakage across collaborative workflows.

Abstract

GitHub and GitLab are widely used collaborative platforms whose issue-tracking systems contain large volumes of unstructured text, including logs, code snippets, and configuration examples. This creates a significant risk of accidental secret exposure, such as API keys and credentials, yet these platforms provide no mechanism to warn users before submission. We present IssueGuard, a tool for real-time detection and prevention of secret leaks in issue reports. Implemented as a Chrome extension, IssueGuard analyzes text as users type and combines regex-based candidate extraction with a fine-tuned CodeBERT model for contextual classification. This approach effectively separates real secrets from false positives and achieves an F1-score of 92.70% on a benchmark dataset, outperforming traditional regex-based scanners. IssueGuard integrates directly into the web interface and continuously analyzes the issue editor, presenting clear visual warnings to help users avoid submitting sensitive data. The source code is publicly available at https://github.com/nafiurahman00/IssueGuard, and a demonstration video is available at https://youtu.be/kvbWA8rr9cU.
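
The two-stage idea in the abstract (regex candidate extraction, then a second pass that separates real secrets from placeholder matches) can be sketched as follows. This is an added example, not IssueGuard's code: the patterns, the placeholder hints, the entropy threshold and the sample text are assumptions, and a simple placeholder-and-entropy heuristic stands in for the fine-tuned CodeBERT classifier.

```python
import math
import re

# Stage 1 patterns. Constructed for this example, not IssueGuard's rule set.
CANDIDATE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}
# Stage 2 stand-in inputs (assumptions): placeholder markers and an entropy floor.
PLACEHOLDER_HINTS = ("example", "your", "xxxx", "changeme", "dummy", "<", "${")
MIN_ENTROPY_BITS = 3.0

def shannon_entropy(s):
    """Bits per character of s."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def extract_candidates(text):
    """Stage 1: every regex hit, with the line it sits on kept as context."""
    candidates = []
    for rule, pattern in CANDIDATE_PATTERNS.items():
        for m in pattern.finditer(text):
            group = 1 if pattern.groups else 0
            start, end = m.span(group)
            line_start = text.rfind("\n", 0, start) + 1
            line_end = text.find("\n", end)
            context = text[line_start: line_end if line_end != -1 else len(text)]
            candidates.append({"rule": rule, "value": m.group(group),
                               "span": (start, end), "context": context})
    return candidates

def looks_real(candidate):
    """Stage 2 stand-in for the classifier: reject placeholders and low-entropy values."""
    value = candidate["value"]
    if any(hint in value.lower() for hint in PLACEHOLDER_HINTS):
        return False
    return shannon_entropy(value) >= MIN_ENTROPY_BITS

def scan(text):
    """Return only the candidates that would be highlighted to the user."""
    return [c for c in extract_candidates(text) if looks_real(c)]

# Constructed issue text; AKIAIOSFODNN7EXAMPLE is the AWS documentation sample key id.
SAMPLE_ISSUE = (
    'Steps to reproduce:\n'
    '1. export API_KEY="your_api_key_here"\n'
    '2. app crashes with config: token = "q7Zp2Lk9vX4mT1rB8nYc"\n'
    '3. the README uses AKIAIOSFODNN7EXAMPLE as its key id\n'
)
```

On the constructed sample, stage 1 yields three regex hits and stage 2 keeps only the token on step 2; the `context` field is what a contextual model would consume, while the stand-in here inspects only the value.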

Paper Structure (21 sections, 3 figures, 4 tables)

Figures (3)

  • Figure 1: Workflow of IssueGuard
  • Figure 2: Demonstration of IssueGuard. As the user types, the extension sends text to the backend. Real secrets are highlighted in red, while regex-based positives such as placeholders are ignored.
  • Figure 3: Participants' satisfaction with various aspects of the IssueGuard tool.