fix

Author: m1rl0k

main.go

@@ -358,18 +358,16 @@ func scanFileForSecrets(path string, pipeline *verification.Pipeline) ([]Secret,
 						// Update confidence based on LLM verification
 						confidence = result.Confidence
 
-						// Only report if LLM confirms it's a real secret
-						if result.IsRealSecret {
-							secrets = append(secrets, Secret{
-								File:       fmt.Sprintf("%s (%s) [LLM: %s]", path, secretType, result.Reasoning),
-								LineNumber: lineNumber,
-								Line:       line,
-								Type:       secretPatterns[index],
-								Confidence: confidence,
-								Entropy:    entropy,
-								Context:    context,
-							})
-						}
+						// LLM is advisory-only: attach reasoning but do not suppress regex hits.
+						secrets = append(secrets, Secret{
+							File:       fmt.Sprintf("%s (%s) [LLM: %s]", path, secretType, result.Reasoning),
+							LineNumber: lineNumber,
+							Line:       line,
+							Type:       secretPatterns[index],
+							Confidence: confidence,
+							Entropy:    entropy,
+							Context:    context,
+						})
 					} else {
 						// Fall back to non-LLM if verification fails
 						if confidence != "low" {
@@ -415,8 +413,6 @@ func AdditionalSecretPatterns() []string {
 		`(?i)(\b(?:or|and)\b\s*[\w-]*\s*=\s*[\w-]*\s*\b(?:or|and)\b\s*[^\s]+)`, // SQL injection
 		`(?i)(['"\s]exec(?:ute)?\s*[(\s]*\s*@\w+\s*)`,                          // SQL injection (EXEC, EXECUTE)
 		`(?i)(['"\s]union\s*all\s*select\s*[\w\s,]+(?:from|into|where)\s*\w+)`, // SQL injection (UNION ALL SELECT)
-		`(?i)example_pattern_1\s*=\s*"([a-zA-Z0-9\-]+\.example)"`,
-		`(?i)example_pattern_2\s*=\s*"([0-9]{12}-[a-zA-Z0-9_]{32})"`,
 		// Private SSH keys
 		`-----BEGIN\sRSA\sPRIVATE\sKEY-----[\s\S]+-----END\sRSA\sPRIVATE\sKEY-----`,
 		// S3 Bucket URLs

main_test.go

@@ -1,6 +1,11 @@
 package main
 
-import "testing"
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
 
 func TestDetectContext(t *testing.T) {
 	cases := []struct {
@@ -29,3 +34,62 @@ func TestDetectContext(t *testing.T) {
 		})
 	}
 }
+
+// Regression test: the demo file should have all fake secrets detected by the core scanner
+// without relying on the LLM pipeline.
+func TestDemoSecretsDetected(t *testing.T) {
+	path := filepath.Join("examples", "demo_secrets", "demo_app.py")
+
+	secrets, err := scanFileForSecrets(path, nil)
+	if err != nil {
+		t.Fatalf("scanFileForSecrets error: %v", err)
+	}
+
+	expected := []string{
+		"AKIAIOSFODNN7EXAMPLE",
+		"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+		"ghp_1234567890abcdef1234567890abcdef1234",
+		"AIzaSyA1234567890abcdefGHIJKLMNOPQRSTUV123",
+		"sk_live_51M8c7uExampleExampleExample0000",
+		"xoxb-123456789012-1234567890123-ABCDEFGHIJKLMNOPQRSTUV",
+		"-----BEGIN PRIVATE KEY-----",
+		"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
+		"P@ssw0rd123!",
+		"password123",
+	}
+
+	found := make(map[string]bool)
+	for _, s := range secrets {
+		for _, marker := range expected {
+			if strings.Contains(s.Line, marker) {
+				found[marker] = true
+			}
+		}
+	}
+
+	for _, marker := range expected {
+		if !found[marker] {
+			t.Errorf("expected secret containing %q to be detected", marker)
+		}
+	}
+}
+
+// Basic negative test: a plain text file with no obvious secrets should not produce findings.
+func TestNoFalsePositivesOnSafeFile(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "safe.txt")
+	content := "this file intentionally contains no secrets, just some example code and configuration values"
+
+	if err := os.WriteFile(path, []byte(content), 0o644); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
+
+	secrets, err := scanFileForSecrets(path, nil)
+	if err != nil {
+		t.Fatalf("scanFileForSecrets error: %v", err)
+	}
+
+	if len(secrets) != 0 {
+		t.Fatalf("expected no secrets, got %d", len(secrets))
+	}
+}