Fix false-positive policy failures by ignoring templated DB URL credentials in regex/context detectors

Author: en0ndev

src/leaklens/detectors/context.py

@@ -47,6 +47,8 @@ def scan_line(self, file_path: str, line_number: int, line: str) -> list[Detecti
 
         for match in CONNECTION_STRING_PATTERN.finditer(line):
             value = match.group(0)
+            if _is_templated_connection_string(value):
+                continue
             hits.append(
                 DetectionMatch(
                     finding_type="Connection String Credential",
@@ -233,6 +235,19 @@ def _should_skip_assignment_value(value: str) -> bool:
     return False
 
 
+def _is_templated_connection_string(value: str) -> bool:
+    lowered = value.lower()
+    if "${" in value or "{{" in value or "{" in value or "}" in value:
+        return True
+    if "<" in value or ">" in value or "..." in value:
+        return True
+    if "os.getenv(" in lowered or "process.env" in lowered:
+        return True
+    if "example" in lowered or "placeholder" in lowered:
+        return True
+    return False
+
+
 def _looks_secret_like_literal(value: str) -> bool:
     if len(value) < 16:
         return False

src/leaklens/detectors/regex.py

@@ -175,6 +175,9 @@ def _passes_rule_heuristics(rule_name: str, value: str, line: str, line_lower: s
         marker = "-----BEGIN RSA PRIVATE KEY-----"
         return _is_unquoted_marker_line(line, marker)
 
+    if rule_name == "db_url_with_creds":
+        return not _is_templated_connection_string(normalized)
+
     return True
 
 
@@ -232,6 +235,19 @@ def _looks_like_jwt_header(token: str) -> bool:
     return "alg" in payload or "typ" in payload
 
 
+def _is_templated_connection_string(value: str) -> bool:
+    lowered = value.lower()
+    if "${" in value or "{{" in value or "{" in value or "}" in value:
+        return True
+    if "<" in value or ">" in value or "..." in value:
+        return True
+    if "os.getenv(" in lowered or "process.env" in lowered:
+        return True
+    if "example" in lowered or "placeholder" in lowered:
+        return True
+    return False
+
+
 def _decode_base64url(segment: str) -> str | None:
     padding = "=" * (-len(segment) % 4)
     try:

tests/test_context.py

@@ -39,3 +39,13 @@ def test_context_detector_ignores_auth_keyword_text_literal() -> None:
     matches = detector.scan_line("pyproject.toml", 8, line)
 
     assert not any(match.finding_type == "Auth Context Secret Literal" for match in matches)
+
+
+def test_context_detector_ignores_templated_connection_strings() -> None:
+    detector = ContextDetector()
+    line = (
+        'autofix = "postgresql://{os.getenv(\'DB_USER\')}:{os.getenv(\'DB_PASSWORD\')}@..."'
+    )
+    matches = detector.scan_line("detector.py", 21, line)
+
+    assert not any(match.finding_type == "Connection String Credential" for match in matches)

tests/test_regex.py

@@ -45,3 +45,13 @@ def test_regex_detector_requires_jwt_context_keyword() -> None:
     matches = detector.scan_line("app.py", 5, line)
 
     assert not any(match.finding_type == "JWT Token" for match in matches)
+
+
+def test_regex_detector_ignores_templated_connection_strings() -> None:
+    detector = RegexDetector(builtin_rules())
+    line = (
+        'autofix = "postgresql://{os.getenv(\'DB_USER\')}:{os.getenv(\'DB_PASSWORD\')}@..."'
+    )
+    matches = detector.scan_line("detector.py", 6, line)
+
+    assert not any(match.finding_type == "Database URL Credentials" for match in matches)