---
type: work-item
project: fidelity
status: backlog-review
ticket: PDIAP-11962
title: "Closure of secret scanning alerts"
systems: [xflowsdk]
workstreams: [security, backlog-triage]
people: [jeff-dewitte]
related: [pdiap-11961]
updated: 2026-05-05
tags:
  - work-item
  - fidelity
  - security
---

# PDIAP-11962 - Closure of secret scanning alerts

## Status

- Backlog item under review for future work.
- Earlier alert-closure process appears partially completed, but two Google API Key alerts remain open.

---

## Current Findings

- David found an October 9, 2025 email confirming the prior submission.
- Follow-up shows Matthew closed the earlier alerts/story on March 5, 2026.
- Two Google API Key alerts remain open and were not part of that closure.
- Those alerts appear tied to an old `MockPageViewWithHiddenToggle` commit from April 18, 2025, not newly introduced REST-story work.
- Google API Key rotation is not owned by David/XFlow directly; backend support or clarification may be needed if rotation/invalidation is required.

---

## Historical Slack Context

- October 2025 Slack context ties this story to `PDIAP-11573 - Remediate secret scanning alerts in XFlow iOS SDK`.
- The intended sequence was:
  1. report inactive secrets through the SSDLC/AAVD process,
  2. use `PDIAP-11961` to handle invalidation/rotation of still-active Google API keys,
  3. use `PDIAP-11962` to close the GitHub alerts after `PDIAP-11961` is completed.
- Slack context from October 10, 2025 says inactive secrets were reported in `ESWR-35407`, `PDIAP-11961` was created for active-secret invalidation, and `PDIAP-11962` was created to manage alert closure after invalidation.
- Slack context from November 19, 2025 says the secret-remediation alerts were still present and none had been marked resolved at that time.
- Treat `PDIAP-11962` as the closure/follow-up story, not the rotation/invalidation story itself.

---

## Related Work

- `PDIAP-11961 - Remediation of Exposed Secrets in XFlow iOS SDK - Request for Rotation/Invalidation` is the related story for the remaining Google API Key alerts and is not assigned yet.