Merged
If the file is signed with GPG, then the `Hash:` header is not flagged as an unknown field. Close #41
Pull request overview
This PR implements unknown field warnings for security.txt files and properly handles OpenPGP armor headers in signed files, addressing issue #41. Unknown fields now generate warnings instead of being silently ignored, while armor headers (like Hash:) in PGP-signed messages are correctly skipped.
Key changes:
- Introduced `SecurityTxtUnknownField` violation class to warn about unknown fields
- Added logic to skip OpenPGP armor headers when processing signed files
- Updated tests to use valid security.txt fields and added comprehensive tests for signed file handling
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/Violations/SecurityTxtUnknownField.php | New violation class that generates warnings for unknown fields with clear error messages and fix suggestions |
| src/Parser/SecurityTxtParser.php | Enhanced parser to detect PGP signature headers, skip armor headers until separator, and generate warnings for unknown fields |
| tests/Parser/SecurityTxtParserTest.phpt | Updated test data to use valid security.txt fields (Contact, Hiring) instead of placeholders (Foo, Bar), added tests for unknown field warnings and signed file handling |
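The behaviour the review describes (armor headers of a cleartext-signed file are skipped up to the first empty line, everything else is checked against the known field list) is easy to get wrong if the parser treats `Hash: SHA256` as just another `Name: value` line. The following is an added illustration, not code from spaze/security-txt: it assumes the RFC 9116 field names, the standard OpenPGP `-----BEGIN PGP SIGNED MESSAGE-----` / `-----BEGIN PGP SIGNATURE-----` markers, and a constructed sample file; the function name `parseSecurityTxt` is hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration (not the spaze/security-txt parser): walk a security.txt,
// report unknown fields, and skip OpenPGP armor headers in a signed file.

// Field names defined by RFC 9116; compared case-insensitively.
const KNOWN_FIELDS = [
    'acknowledgments', 'canonical', 'contact', 'encryption',
    'expires', 'hiring', 'policy', 'preferred-languages',
];

/**
 * Returns ['fields' => [[name, value], ...], 'warnings' => [string, ...]].
 */
function parseSecurityTxt(string $contents): array
{
    $fields = [];
    $warnings = [];
    $inArmorHeaders = false;

    foreach (preg_split('/\r\n|\n|\r/', $contents) as $index => $rawLine) {
        $line = trim($rawLine);
        $lineNo = $index + 1;

        if ($line === '-----BEGIN PGP SIGNED MESSAGE-----') {
            // Armor headers such as "Hash: SHA256" follow until the first empty line.
            $inArmorHeaders = true;
            continue;
        }
        if ($inArmorHeaders) {
            if ($line === '') {
                // The empty line is the separator; the signed text starts after it.
                $inArmorHeaders = false;
            }
            // Nothing before the separator is a security.txt field.
            continue;
        }
        if ($line === '-----BEGIN PGP SIGNATURE-----') {
            // The rest of the file is the signature block; stop parsing fields.
            break;
        }
        if ($line === '' || str_starts_with($line, '#')) {
            continue;
        }
        // Cleartext signing dash-escapes lines that begin with "-" as "- "; undo it.
        if (str_starts_with($line, '- ')) {
            $line = substr($line, 2);
        }
        $colon = strpos($line, ':');
        if ($colon === false) {
            $warnings[] = sprintf('Line %d is not a field: %s', $lineNo, $line);
            continue;
        }
        $name = substr($line, 0, $colon);
        $value = trim(substr($line, $colon + 1));
        if (!in_array(strtolower($name), KNOWN_FIELDS, true)) {
            $warnings[] = sprintf('Line %d: unknown field "%s"', $lineNo, $name);
        }
        $fields[] = [$name, $value];
    }
    return ['fields' => $fields, 'warnings' => $warnings];
}

// Constructed sample: a cleartext-signed file containing one unknown field.
$signed = "-----BEGIN PGP SIGNED MESSAGE-----\n"
    . "Hash: SHA256\n"
    . "\n"
    . "Contact: mailto:security@example.com\n"
    . "Expires: 2026-12-31T23:59:59z\n"
    . "Foo: bar\n"
    . "-----BEGIN PGP SIGNATURE-----\n"
    . "(signature omitted in this constructed sample)\n"
    . "-----END PGP SIGNATURE-----\n";

$result = parseSecurityTxt($signed);
foreach ($result['warnings'] as $warning) {
    echo $warning, PHP_EOL;
}
// "Hash" is consumed as an armor header, so only "Foo" is reported as unknown.
```

The check that matters for the bug in #41 is the `$inArmorHeaders` state: without it, `Hash: SHA256` parses as a field named `Hash` and trips the unknown-field warning on every signed file. Note that this skips armor headers only after a `BEGIN PGP SIGNED MESSAGE` marker; it does not verify the signature, which is a separate step.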
spaze added a commit to spaze/michalspacek.cz that referenced this pull request on Dec 16, 2025:
Because spaze/security-txt now warns when it sees one spaze/security-txt#46
spaze added a commit to spaze/michalspacek.cz that referenced this pull request on Dec 16, 2025:
Because spaze/security-txt now warns when it sees one (spaze/security-txt#46) Plus - Update paths to `security.txt` files in the signing script, because files are now served from the app, not by nginx (#642) - And eventually re-sign the updated `security.txt` files
If the file is signed with GPG, then the `Hash:` header and all other Armor Headers of the OpenPGP format up until a separator (an empty line) are not flagged as unknown fields. Close #41