@@ -230,3 +230,43 @@ RUN echo bar
230230 assert .Equal (t , []digest.Digest {"sha256:2e112031b4b923a873c8b3d685d48037e4d5ccd967b658743d93a6e56c3064b9" }, baseImg .RootFS .DiffIDs )
231231 assert .Equal (t , "2024-01-17 21:49:12 +0000 UTC" , baseImg .Created .String ())
232232}
233+
234+ func TestGetSecretsRegex (t * testing.T ) {
235+ t .Parallel ()
236+ deny , allow := getSecretsRegex ()
237+
238+ testCases := []struct {
239+ name string
240+ key string
241+ isSecret bool
242+ }{
243+ // Positive matches
244+ {name : "exact api_key" , key : "api_key" , isSecret : true },
245+ {name : "uppercase token" , key : "GITHUB_TOKEN" , isSecret : true },
246+ {name : "contains password" , key : "DATABASE_PASSWORD" , isSecret : true },
247+ {name : "contains secret" , key : "secret_MESSAGE" , isSecret : true },
248+ {name : "exact auth" , key : "AUTH" , isSecret : true },
249+ {name : "contains credential" , key : "USER_CREDENTIAL" , isSecret : true },
250+ {name : "contains passwd" , key : "DB_PASSWD" , isSecret : true },
251+ {name : "contains pword" , key : "MY_PWORD" , isSecret : true },
252+
253+ // Negative matches (allowed keywords)
254+ {name : "public key" , key : "public_key" , isSecret : false },
255+ {name : "ssh public key" , key : "SSH_PUBLIC_KEY" , isSecret : false },
256+
257+ // Negative matches (should not match)
258+ {name : "normal variable" , key : "myvar" , isSecret : false },
259+ {name : "contains key but not fitst of last or full" , key : "new_key_file_path" , isSecret : false },
260+ {name : "contains auth but not as whole word" , key : "authority" , isSecret : false },
261+ {name : "not a secret" , key : "some_variable" , isSecret : false },
262+ }
263+
264+ for _ , tc := range testCases {
265+ tc := tc
266+ t .Run (tc .name , func (t * testing.T ) {
267+ t .Parallel ()
268+ matched := deny .MatchString (tc .key ) && ! allow .MatchString (tc .key )
269+ assert .Equal (t , tc .isSecret , matched )
270+ })
271+ }
272+ }
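Review bot: The assertion at line 268 recomputes the deny/allow combination inline (`deny.MatchString(tc.key) && !allow.MatchString(tc.key)`) instead of calling whatever production code applies these two regexes to an environment key, so the test pins the patterns but not the secret-filtering decision itself; if the production path combines them differently (allow checked first, case folding, whole-key vs substring), this test would not catch the divergence — worth confirming against the caller of getSecretsRegex and, if a predicate exists, asserting through it. The subtest name at line 259 has a typo that reads as an inverted claim: `{name: "contains key but not first or last or full", key: "new_key_file_path", isSecret: false},`. A one-line comment above the table stating what the deny regex is expected to treat as a whole-word match (as implied by the "authority" case) would make the negative cases easier to maintain.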