add unit and e2e tests

Author: cx-leonardo-fontes

engine/engine_test.go

@@ -1320,3 +1320,198 @@ func TestBuildSecret(t *testing.T) {
 		assert.Equal(t, pageID, value)
 	})
 }
+
+func TestMaxRuleMatchesPerFragmentFlag(t *testing.T) {
+	// Content with multiple secrets that would match the same rule
+	multipleSecrets := `
+token1: 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
+token2: ghp_1234567890abcdefghijklmnopqrstuvwxyz
+token3: ghp_abcdefghijklmnopqrstuvwxyz1234567890
+token4: ghp_9876543210zyxwvutsrqponmlkjihgfedcba
+token5: ghp_aB3cD4eF5gH6iJ7kL8mN9oP0qR1sT2uV3wX4
+`
+
+	testCases := []struct {
+		name          string
+		limit         uint64
+		expectedCount int
+	}{
+		{
+			name:          "no limit - finds all matches",
+			limit:         0,
+			expectedCount: 5,
+		},
+		{
+			name:          "limit of 2 - finds only 2 matches",
+			limit:         2,
+			expectedCount: 2,
+		},
+		{
+			name:          "limit of 1 - finds only 1 match",
+			limit:         1,
+			expectedCount: 1,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			eng, err := initEngine(&EngineConfig{
+				DetectorWorkerPoolSize:    1,
+				MaxRuleMatchesPerFragment: tc.limit,
+			})
+			require.NoError(t, err)
+			defer eng.Shutdown()
+
+			secretsChan := make(chan *secrets.Secret, 10)
+			fsPlugin := &plugins.FileSystemPlugin{}
+			err = eng.DetectFragment(item{content: &multipleSecrets}, secretsChan, fsPlugin.GetName())
+			require.NoError(t, err)
+			close(secretsChan)
+
+			count := 0
+			for range secretsChan {
+				count++
+			}
+			assert.Equal(t, tc.expectedCount, count)
+		})
+	}
+}
+
+func TestMaxSecretSizeFlag(t *testing.T) {
+	// Valid GitHub PAT format - 40 chars
+	secret := "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"
+
+	testCases := []struct {
+		name        string
+		limit       uint64
+		shouldFind  bool
+	}{
+		{
+			name:        "no limit - finds secret",
+			limit:       0,
+			shouldFind:  true,
+		},
+		{
+			name:        "limit larger than secret - finds secret",
+			limit:       200,
+			shouldFind:  true,
+		},
+		{
+			name:        "limit smaller than secret - ignores secret",
+			limit:       10,
+			shouldFind:  false,
+		},
+		{
+			name:        "limit exactly at secret size boundary - finds secret",
+			limit:       40,
+			shouldFind:  true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			eng, err := initEngine(&EngineConfig{
+				DetectorWorkerPoolSize: 1,
+				MaxSecretSize:          tc.limit,
+			})
+			require.NoError(t, err)
+			defer eng.Shutdown()
+
+			secretsChan := make(chan *secrets.Secret, 1)
+			fsPlugin := &plugins.FileSystemPlugin{}
+			err = eng.DetectFragment(item{content: &secret}, secretsChan, fsPlugin.GetName())
+			require.NoError(t, err)
+			close(secretsChan)
+
+			s := <-secretsChan
+			if tc.shouldFind {
+				assert.NotNil(t, s)
+			} else {
+				assert.Nil(t, s)
+			}
+		})
+	}
+}
+
+func TestMaxFindingsFlag(t *testing.T) {
+	// Content with multiple secrets in single fragment
+	multipleSecrets := `
+github_token: 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
+another_token: ghp_1234567890abcdefghijklmnopqrstuvwxyz
+third_token: ghp_abcdefghijklmnopqrstuvwxyz1234567890
+`
+
+	testCases := []struct {
+		name          string
+		limit         uint64
+		fragments     []string
+		expectedCount int
+	}{
+		{
+			name:          "no limit - finds all secrets",
+			limit:         0,
+			fragments:     []string{multipleSecrets},
+			expectedCount: 3,
+		},
+		{
+			name:          "limit of 2 - stops after 2 findings",
+			limit:         2,
+			fragments:     []string{multipleSecrets},
+			expectedCount: 2,
+		},
+		{
+			name:          "limit of 1 - stops after 1 finding",
+			limit:         1,
+			fragments:     []string{multipleSecrets},
+			expectedCount: 1,
+		},
+		{
+			name:  "limit of 2 across 3 fragments",
+			limit: 2,
+			fragments: []string{
+				"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",
+				"ghp_1234567890abcdefghijklmnopqrstuvwxyz",
+				"ghp_abcdefghijklmnopqrstuvwxyz1234567890",
+			},
+			expectedCount: 2,
+		},
+		{
+			name:  "limit of 1 across 3 fragments",
+			limit: 1,
+			fragments: []string{
+				"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",
+				"ghp_1234567890abcdefghijklmnopqrstuvwxyz",
+				"ghp_abcdefghijklmnopqrstuvwxyz1234567890",
+			},
+			expectedCount: 1,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			eng, err := initEngine(&EngineConfig{
+				DetectorWorkerPoolSize: 1,
+				MaxFindings:            tc.limit,
+			})
+			require.NoError(t, err)
+			defer eng.Shutdown()
+
+			secretsChan := make(chan *secrets.Secret, 10)
+			fsPlugin := &plugins.FileSystemPlugin{}
+
+			for _, fragment := range tc.fragments {
+				f := fragment // capture for closure
+				err = eng.DetectFragment(item{content: &f}, secretsChan, fsPlugin.GetName())
+				require.NoError(t, err)
+			}
+
+			close(secretsChan)
+
+			count := 0
+			for range secretsChan {
+				count++
+			}
+			assert.Equal(t, tc.expectedCount, count)
+		})
+	}
+}

tests/e2e_test.go

@@ -766,4 +766,114 @@ api_key: test-key-456`
 			}
 		}
 	})
+
+	t.Run("--max-findings flag: caps total number of findings", func(t *testing.T) {
+		projectDir := t.TempDir()
+
+		// Create multiple files with secrets to ensure we have more than the limit
+		for i := 1; i <= 5; i++ {
+			content := fmt.Sprintf("secret%d: ghp_%dabcdefghijklmnopqrstuvwxyz12345678", i, i)
+			err := os.WriteFile(path.Join(projectDir, fmt.Sprintf("secret%d.txt", i)), []byte(content), 0644)
+			require.NoError(t, err, "failed to create test file")
+		}
+
+		// Run scan with --max-findings set to 2
+		err = executable.run("filesystem", "--path", projectDir, "--max-findings", "2", "--ignore-on-exit", "results")
+		assert.NoError(t, err, "scan should succeed with max-findings flag")
+
+		report, err := executable.getReport()
+		require.NoError(t, err, "failed to get report")
+
+		totalSecrets := report.GetTotalSecretsFound()
+		t.Logf("Total secrets found with --max-findings=2: %d", totalSecrets)
+		assert.LessOrEqual(t, totalSecrets, 2, "should find at most 2 secrets when --max-findings=2")
+	})
+
+	t.Run("--max-rule-matches-per-fragment flag: limits matches per rule per fragment", func(t *testing.T) {
+		projectDir := t.TempDir()
+
+		// Create a single file with multiple secrets that match the same rule
+		content := `Multiple GitHub PATs in one file:
+token1: ghp_1234567890abcdefghijklmnopqrstuvwxyz
+token2: ghp_abcdefghijklmnopqrstuvwxyz1234567890
+token3: ghp_9876543210zyxwvutsrqponmlkjihgfedcba
+token4: ghp_aB3cD4eF5gH6iJ7kL8mN9oP0qR1sT2uV3wX4
+token5: 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`
+
+		err := os.WriteFile(path.Join(projectDir, "multi_secrets.txt"), []byte(content), 0644)
+		require.NoError(t, err, "failed to create test file")
+
+		// Run scan with --max-rule-matches-per-fragment set to 2
+		err = executable.run("filesystem", "--path", projectDir, "--max-rule-matches-per-fragment", "2", "--ignore-on-exit", "results")
+		assert.NoError(t, err, "scan should succeed with max-rule-matches-per-fragment flag")
+
+		report, err := executable.getReport()
+		require.NoError(t, err, "failed to get report")
+
+		totalSecrets := report.GetTotalSecretsFound()
+		t.Logf("Total secrets found with --max-rule-matches-per-fragment=2: %d", totalSecrets)
+		assert.LessOrEqual(t, totalSecrets, 2, "should find at most 2 secrets per rule per fragment")
+	})
+
+	t.Run("--max-secret-size flag: ignores secrets larger than specified size", func(t *testing.T) {
+		projectDir := t.TempDir()
+
+		// Create a file with a normal-sized secret
+		normalSecret := "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" // 40 chars
+		err := os.WriteFile(path.Join(projectDir, "normal.txt"), []byte(normalSecret), 0644)
+		require.NoError(t, err, "failed to create test file")
+
+		// Run scan with --max-secret-size set to a value smaller than the secret
+		err = executable.run("filesystem", "--path", projectDir, "--max-secret-size", "10", "--ignore-on-exit", "results")
+		assert.NoError(t, err, "scan should succeed with max-secret-size flag")
+
+		report, err := executable.getReport()
+		require.NoError(t, err, "failed to get report")
+
+		totalSecrets := report.GetTotalSecretsFound()
+		t.Logf("Total secrets found with --max-secret-size=10: %d", totalSecrets)
+		assert.Equal(t, 0, totalSecrets, "should find no secrets when max-secret-size is smaller than secret")
+
+		// Run scan with --max-secret-size set to a value larger than the secret
+		err = executable.run("filesystem", "--path", projectDir, "--max-secret-size", "100", "--ignore-on-exit", "results")
+		assert.NoError(t, err, "scan should succeed with max-secret-size flag")
+
+		report, err = executable.getReport()
+		require.NoError(t, err, "failed to get report")
+
+		totalSecrets = report.GetTotalSecretsFound()
+		t.Logf("Total secrets found with --max-secret-size=100: %d", totalSecrets)
+		assert.GreaterOrEqual(t, totalSecrets, 1, "should find secrets when max-secret-size is larger than secret")
+	})
+
+	t.Run("Combined limit flags: multiple limit flags together", func(t *testing.T) {
+		projectDir := t.TempDir()
+
+		// Create multiple files with multiple secrets each
+		for i := 1; i <= 5; i++ {
+			content := fmt.Sprintf(`File %d secrets:
+token1: ghp_%d234567890abcdefghijklmnopqrstuvwxy
+token2: ghp_%dabcdefghijklmnopqrstuvwxyz123456789`, i, i, i)
+			err := os.WriteFile(path.Join(projectDir, fmt.Sprintf("file%d.txt", i)), []byte(content), 0644)
+			require.NoError(t, err, "failed to create test file")
+		}
+
+		// Run scan with multiple limit flags
+		err = executable.run("filesystem",
+			"--path", projectDir,
+			"--max-findings", "3",
+			"--max-rule-matches-per-fragment", "1",
+			"--max-secret-size", "100",
+			"--ignore-on-exit", "results")
+		assert.NoError(t, err, "scan should succeed with combined limit flags")
+
+		report, err := executable.getReport()
+		require.NoError(t, err, "failed to get report")
+
+		totalSecrets := report.GetTotalSecretsFound()
+		t.Logf("Total secrets found with combined limit flags: %d", totalSecrets)
+		// With max-rule-matches-per-fragment=1, we get at most 1 per file (3 files)
+		// With max-findings=3, we get at most 3 total
+		assert.LessOrEqual(t, totalSecrets, 3, "should respect combined limit flags")
+	})
 }