77 "testing"
88)
99
10+ const testPath = "pkg/service/foo.go"
11+
1012func TestDetectContext (t * testing.T ) {
1113 cases := []struct {
1214 name string
@@ -15,12 +17,12 @@ func TestDetectContext(t *testing.T) {
1517 want string
1618 }{
1719 {"test file detection" , "pkg/service/foo_test.go" , "secret := \" foo\" " , "test_file" },
18- {"comment line" , "pkg/service/foo.go" , "// TODO: handle" , "comment" },
19- {"placeholder brace" , "pkg/service/foo.go" , "token := \" ${API_KEY}\" " , "placeholder" },
20- {"placeholder percent" , "pkg/service/foo.go" , "set %API_KEY%" , "placeholder" },
21- {"placeholder dollar" , "pkg/service/foo.go" , "token := \" $SECRET_TOKEN\" " , "placeholder" },
22- {"code with percent formatting" , "pkg/service/foo.go" , "fmt.Printf(\" token=%s\" , token)" , "code" },
23- {"pointer code not comment" , "pkg/service/foo.go" , "value := foo * bar" , "code" },
20+ {"comment line" , testPath , "// TODO: handle" , "comment" },
21+ {"placeholder brace" , testPath , "token := \" ${API_KEY}\" " , "placeholder" },
22+ {"placeholder percent" , testPath , "set %API_KEY%" , "placeholder" },
23+ {"placeholder dollar" , testPath , "token := \" $SECRET_TOKEN\" " , "placeholder" },
24+ {"code with percent formatting" , testPath , "fmt.Printf(\" token=%s\" , token)" , "code" },
25+ {"pointer code not comment" , testPath , "value := foo * bar" , "code" },
2426 {"markdown documentation" , "docs/setup.md" , "Example TOKEN=foo" , "documentation" },
2527 {"readme file" , "README.md" , "Set API_KEY=foo" , "documentation" },
2628 }
@@ -93,3 +95,77 @@ func TestNoFalsePositivesOnSafeFile(t *testing.T) {
9395 t .Fatalf ("expected no secrets, got %d" , len (secrets ))
9496 }
9597}
98+
99+ func TestMaybeRedactSecret (t * testing.T ) {
100+ s := Secret {
101+ FilePath : "src/app.py" ,
102+ LineNumber : 10 ,
103+ Line : "api_key = \" sk_live_abc123xyz789\" " ,
104+ Match : "sk_live_abc123xyz789" ,
105+ RuleID : "pattern-0" ,
106+ Confidence : "high" ,
107+ }
108+
109+ // Without redaction
110+ noRedact := maybeRedactSecret (s , false )
111+ if noRedact .Match != s .Match {
112+ t .Errorf ("expected Match to remain %q, got %q" , s .Match , noRedact .Match )
113+ }
114+ if noRedact .Line != s .Line {
115+ t .Errorf ("expected Line to remain unchanged, got %q" , noRedact .Line )
116+ }
117+
118+ // With redaction
119+ redacted := maybeRedactSecret (s , true )
120+ if redacted .Match != "****REDACTED****" {
121+ t .Errorf ("expected Match to be redacted, got %q" , redacted .Match )
122+ }
123+ if ! strings .Contains (redacted .Line , "****REDACTED****" ) {
124+ t .Errorf ("expected Line to contain redacted marker, got %q" , redacted .Line )
125+ }
126+ if strings .Contains (redacted .Line , "sk_live_abc123xyz789" ) {
127+ t .Errorf ("Line should not contain the raw secret after redaction" )
128+ }
129+ }
130+
131+ func TestConfidenceScore (t * testing.T ) {
132+ cases := []struct {
133+ level string
134+ want int
135+ }{
136+ {"critical" , 4 },
137+ {"high" , 3 },
138+ {"medium" , 2 },
139+ {"low" , 1 },
140+ {"CRITICAL" , 4 }, // case insensitive
141+ {"unknown" , 0 },
142+ }
143+ for _ , tc := range cases {
144+ got := confidenceScore (tc .level )
145+ if got != tc .want {
146+ t .Errorf ("confidenceScore(%q) = %d, want %d" , tc .level , got , tc .want )
147+ }
148+ }
149+ }
150+
151+ func TestMatchAnyGlob (t * testing.T ) {
152+ cases := []struct {
153+ path string
154+ patterns []string
155+ want bool
156+ }{
157+ {"vendor/github.com/foo" , []string {"vendor/*" }, true },
158+ {"vendor" , []string {"vendor/*" }, true },
159+ {"src/vendor/lib" , []string {"vendor/*" }, false }, // only matches top-level vendor
160+ {"test.go" , []string {"*.go" }, true },
161+ {"src/app/test.go" , []string {"*.go" }, true }, // matches basename
162+ {"README.md" , []string {"*.txt" , "*.md" }, true },
163+ {"main.py" , []string {"*.go" }, false },
164+ }
165+ for _ , tc := range cases {
166+ got := matchAnyGlob (tc .path , tc .patterns )
167+ if got != tc .want {
168+ t .Errorf ("matchAnyGlob(%q, %v) = %v, want %v" , tc .path , tc .patterns , got , tc .want )
169+ }
170+ }
171+ }
0 commit comments