|
1 | 1 | package main |
2 | 2 |
|
3 | | -import "testing" |
| 3 | +import ( |
| 4 | + "os" |
| 5 | + "path/filepath" |
| 6 | + "strings" |
| 7 | + "testing" |
| 8 | +) |
4 | 9 |
|
5 | 10 | func TestDetectContext(t *testing.T) { |
6 | 11 | cases := []struct { |
@@ -29,3 +34,62 @@ func TestDetectContext(t *testing.T) { |
29 | 34 | }) |
30 | 35 | } |
31 | 36 | } |
| 37 | + |
| 38 | +// Regression test: the demo file should have all fake secrets detected by the core scanner |
| 39 | +// without relying on the LLM pipeline. |
| 40 | +func TestDemoSecretsDetected(t *testing.T) { |
| 41 | + path := filepath.Join("examples", "demo_secrets", "demo_app.py") |
| 42 | + |
| 43 | + secrets, err := scanFileForSecrets(path, nil) |
| 44 | + if err != nil { |
| 45 | + t.Fatalf("scanFileForSecrets error: %v", err) |
| 46 | + } |
| 47 | + |
| 48 | + expected := []string{ |
| 49 | + "AKIAIOSFODNN7EXAMPLE", |
| 50 | + "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", |
| 51 | + "ghp_1234567890abcdef1234567890abcdef1234", |
| 52 | + "AIzaSyA1234567890abcdefGHIJKLMNOPQRSTUV123", |
| 53 | + "sk_live_51M8c7uExampleExampleExample0000", |
| 54 | + "xoxb-123456789012-1234567890123-ABCDEFGHIJKLMNOPQRSTUV", |
| 55 | + "-----BEGIN PRIVATE KEY-----", |
| 56 | + "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9", |
| 57 | + "P@ssw0rd123!", |
| 58 | + "password123", |
| 59 | + } |
| 60 | + |
| 61 | + found := make(map[string]bool) |
| 62 | + for _, s := range secrets { |
| 63 | + for _, marker := range expected { |
| 64 | + if strings.Contains(s.Line, marker) { |
| 65 | + found[marker] = true |
| 66 | + } |
| 67 | + } |
| 68 | + } |
| 69 | + |
| 70 | + for _, marker := range expected { |
| 71 | + if !found[marker] { |
| 72 | + t.Errorf("expected secret containing %q to be detected", marker) |
| 73 | + } |
| 74 | + } |
| 75 | +} |
| 76 | + |
| 77 | +// Basic negative test: a plain text file with no obvious secrets should not produce findings. |
| 78 | +func TestNoFalsePositivesOnSafeFile(t *testing.T) { |
| 79 | + dir := t.TempDir() |
| 80 | + path := filepath.Join(dir, "safe.txt") |
| 81 | + content := "this file intentionally contains no secrets, just some example code and configuration values" |
| 82 | + |
| 83 | + if err := os.WriteFile(path, []byte(content), 0o644); err != nil { |
| 84 | + t.Fatalf("WriteFile: %v", err) |
| 85 | + } |
| 86 | + |
| 87 | + secrets, err := scanFileForSecrets(path, nil) |
| 88 | + if err != nil { |
| 89 | + t.Fatalf("scanFileForSecrets error: %v", err) |
| 90 | + } |
| 91 | + |
| 92 | + if len(secrets) != 0 { |
| 93 | + t.Fatalf("expected no secrets, got %d", len(secrets)) |
| 94 | + } |
| 95 | +} |
0 commit comments