Merge pull request #1 from twosigma/filterExpansion

Filter expansion

Author: lukeatayde

.gitleaksignore

@@ -1,40 +1,23 @@
 418edf165dbb63d6f46993ae8f8818ffd87ea582:cmd/generate/config/rules/jwt.go:jwt:17
 418edf165dbb63d6f46993ae8f8818ffd87ea582:cmd/generate/config/rules/jwt.go:jwt:19
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:46
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:48
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:50
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:52
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:54
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:55
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:56
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:57
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:22
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:23
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:24
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:28
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:29
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:detect/detect_test.go:sidekiq-sensitive-url:164
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:detect/detect_test.go:sidekiq-sensitive-url:170
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:detect/detect_test.go:sidekiq-secret:120
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:detect/detect_test.go:sidekiq-secret:126
-525d9792b1e3670b4630b8fcc385ca22e8544f9b:detect/detect_test.go:sidekiq-secret:142
 31650f01e76858ce7a0490943426e84a0824bbc8:config/config_test.go:aws-access-token:31
 5ed010c944ccc715cb9245abafd4e97d98d75e9f:config/config_test.go:aws-access-token:31
 ad7509e3b47331ce9586743ace635422843b695b:cmd/generate/config/rules/privatekey.go:private-key:22
 717cf1b10be1625875199eca8cdf48883348985f:README.md:aws-access-token:23
 3474c58c9e25fe2b1cee855a35bd1bf8a8c0fae8:cmd/generate/config/rules/generic.go:clojars-api-token:38
 a42b32bdf11b6f4ea5c32ec76a1731b4b0c5e52a:cmd/generate/config/rules/generic.go:generic-api-key:40
 a42b32bdf11b6f4ea5c32ec76a1731b4b0c5e52a:cmd/generate/config/rules/generic.go:generic-api-key:41
+17b5540fb16bd9816d2a3a83f65cedf5918eaf70:detect/detect_test.go:pypi-upload-token:27
+17b5540fb16bd9816d2a3a83f65cedf5918eaf70:detect/detect_test.go:pypi-upload-token:32
+17b5540fb16bd9816d2a3a83f65cedf5918eaf70:detect/detect_test.go:pypi-upload-token:33
 3e5e63956ea770be734dcb7642cf515910154fb5:detect/detect_test.go:aws-access-token:50
 3e5e63956ea770be734dcb7642cf515910154fb5:detect/detect_test.go:aws-access-token:60
 3e5e63956ea770be734dcb7642cf515910154fb5:detect/detect_test.go:aws-access-token:61
-6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:pypi-upload-token:29
-6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:aws-access-token:51
-6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:aws-access-token:73
-6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:aws-access-token:81
-6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:aws-access-token:89
-33082a996774ba4c8ad4ba26fd219d77497eb960:README.md:sidekiq-secret:43
-6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:discord-api-token:98
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:detect/detect_test.go:sidekiq-secret:120
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:detect/detect_test.go:sidekiq-secret:126
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:detect/detect_test.go:sidekiq-secret:142
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:detect/detect_test.go:sidekiq-sensitive-url:164
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:detect/detect_test.go:sidekiq-sensitive-url:170
 57d2d345b6b6ea220be9d99792b21a75359555c0:detect/detect_test.go:aws-access-token:235
 57d2d345b6b6ea220be9d99792b21a75359555c0:detect/detect_test.go:aws-access-token:236
 57d2d345b6b6ea220be9d99792b21a75359555c0:detect/detect_test.go:aws-access-token:253
@@ -45,18 +28,6 @@ a42b32bdf11b6f4ea5c32ec76a1731b4b0c5e52a:cmd/generate/config/rules/generic.go:ge
 57d2d345b6b6ea220be9d99792b21a75359555c0:detect/detect_test.go:aws-access-token:344
 57d2d345b6b6ea220be9d99792b21a75359555c0:detect/detect_test.go:aws-access-token:362
 57d2d345b6b6ea220be9d99792b21a75359555c0:detect/detect_test.go:aws-access-token:363
-c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:pypi-upload-token:27
-c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:aws-access-token:49
-c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:aws-access-token:71
-c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:aws-access-token:79
-c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:aws-access-token:87
-6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:discord-api-token:120
-c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:discord-api-token:96
-6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:discord-api-token:128
-c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:discord-api-token:118
-6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:discord-api-token:150
-c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:discord-api-token:126
-6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:discord-api-token:166
 6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:aws-access-token:175
 6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:aws-access-token:183
 6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:aws-access-token:238
@@ -69,13 +40,28 @@ c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:discord-api-token
 6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:aws-access-token:357
 6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:aws-access-token:375
 6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:aws-access-token:376
-c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:discord-api-token:148
-17b5540fb16bd9816d2a3a83f65cedf5918eaf70:detect/detect_test.go:pypi-upload-token:27
-17b5540fb16bd9816d2a3a83f65cedf5918eaf70:detect/detect_test.go:pypi-upload-token:32
-17b5540fb16bd9816d2a3a83f65cedf5918eaf70:detect/detect_test.go:pypi-upload-token:33
-c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:discord-api-token:164
+6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:aws-access-token:51
+6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:aws-access-token:73
+6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:aws-access-token:81
+6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:aws-access-token:89
+6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:discord-api-token:120
+6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:discord-api-token:128
+6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:discord-api-token:150
+6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:discord-api-token:166
+6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:discord-api-token:98
+6e72472b6019d29eaa4b76b39700cd2418741f0c:detect/detect_test.go:pypi-upload-token:29
 c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:aws-access-token:173
 c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:aws-access-token:181
+c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:aws-access-token:49
+c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:aws-access-token:71
+c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:aws-access-token:79
+c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:aws-access-token:87
+c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:discord-api-token:118
+c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:discord-api-token:126
+c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:discord-api-token:148
+c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:discord-api-token:164
+c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:discord-api-token:96
+c9bc6b46087e700a42eb3492cf2053b7da4a6d9e:detect/detect_test.go:pypi-upload-token:27
 ce42947cae32cda8d5d8813c1a8ce82eb06f018e:detect/git_test.go:aws-access-token:43
 ce42947cae32cda8d5d8813c1a8ce82eb06f018e:detect/git_test.go:aws-access-token:60
 ce42947cae32cda8d5d8813c1a8ce82eb06f018e:detect/git_test.go:aws-access-token:85
@@ -132,16 +118,70 @@ f0b8d26c9988af725132c100dda5051586a3026e:README.md:discord-client-secret:225
 6adc045580c3911a7a936be7b977979a5519aa29:testdata/expect/basic/results_files_at_208ae46.json:aws-access-token:22
 6adc045580c3911a7a936be7b977979a5519aa29:testdata/expect/basic/results_no_git.json:aws-access-token:3
 6adc045580c3911a7a936be7b977979a5519aa29:testdata/expect/basic/results_no_git.json:aws-access-token:5
+33082a996774ba4c8ad4ba26fd219d77497eb960:README.md:sidekiq-secret:43
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:22
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:23
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:24
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:28
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:29
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:46
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:48
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:50
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:52
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:54
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:55
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:56
+525d9792b1e3670b4630b8fcc385ca22e8544f9b:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:57
+cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:22
+cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:23
+cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:24
+cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:28
+cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-secret:29
+cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:46
+cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:48
+cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:50
+cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:52
+cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:54
+cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:55
+cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:56
+cd5226711335c68be1e720b318b7bc3135a30eb2:cmd/generate/config/rules/sidekiq.go:sidekiq-sensitive-url:57
+7f9f5bd14e4410e195dcc65a1d5d9eca4d31e2d6:detect/detect_test.go:aws-access-token:324
+7f9f5bd14e4410e195dcc65a1d5d9eca4d31e2d6:detect/detect_test.go:aws-access-token:325
+7f9f5bd14e4410e195dcc65a1d5d9eca4d31e2d6:detect/detect_test.go:aws-access-token:326
 93f292c3dfa2649ef91f8925b623e79546fa992e:detect/detect_test.go:aws-access-token:26
 93f292c3dfa2649ef91f8925b623e79546fa992e:detect/detect_test.go:aws-access-token:31
 93f292c3dfa2649ef91f8925b623e79546fa992e:detect/detect_test.go:aws-access-token:40
 93f292c3dfa2649ef91f8925b623e79546fa992e:detect/detect_test.go:aws-access-token:46
 93f292c3dfa2649ef91f8925b623e79546fa992e:detect/detect_test.go:aws-access-token:52
+93f292c3dfa2649ef91f8925b623e79546fa992e:detect/detect_test.go:discord-api-token:109
 93f292c3dfa2649ef91f8925b623e79546fa992e:detect/detect_test.go:discord-api-token:59
 93f292c3dfa2649ef91f8925b623e79546fa992e:detect/detect_test.go:discord-api-token:74
 93f292c3dfa2649ef91f8925b623e79546fa992e:detect/detect_test.go:discord-api-token:80
 93f292c3dfa2649ef91f8925b623e79546fa992e:detect/detect_test.go:discord-api-token:95
-93f292c3dfa2649ef91f8925b623e79546fa992e:detect/detect_test.go:discord-api-token:109
+cd5226711335c68be1e720b318b7bc3135a30eb2:detect/detect_test.go:sidekiq-secret:120
+cd5226711335c68be1e720b318b7bc3135a30eb2:detect/detect_test.go:sidekiq-secret:126
+cd5226711335c68be1e720b318b7bc3135a30eb2:detect/detect_test.go:sidekiq-secret:142
+cd5226711335c68be1e720b318b7bc3135a30eb2:detect/detect_test.go:sidekiq-sensitive-url:164
+cd5226711335c68be1e720b318b7bc3135a30eb2:detect/detect_test.go:sidekiq-sensitive-url:170
+cfb170eae0c31f53889ddb9363d9810b32a9f1ae:detect/detect_test.go:aws-access-token:352
+e19dbc263dc6831d335e44360b20f84e735210e0:detect/detect_test.go:aws-access-token:112
+e19dbc263dc6831d335e44360b20f84e735210e0:detect/detect_test.go:aws-access-token:371
+e19dbc263dc6831d335e44360b20f84e735210e0:detect/detect_test.go:aws-access-token:393
+e19dbc263dc6831d335e44360b20f84e735210e0:detect/detect_test.go:aws-access-token:419
+e19dbc263dc6831d335e44360b20f84e735210e0:detect/detect_test.go:aws-access-token:497
+e19dbc263dc6831d335e44360b20f84e735210e0:detect/detect_test.go:aws-access-token:519
+e19dbc263dc6831d335e44360b20f84e735210e0:detect/detect_test.go:aws-access-token:67
+e19dbc263dc6831d335e44360b20f84e735210e0:detect/detect_test.go:discord-api-token:229
+e19dbc263dc6831d335e44360b20f84e735210e0:detect/detect_test.go:discord-api-token:260
+e19dbc263dc6831d335e44360b20f84e735210e0:detect/detect_test.go:pypi-upload-token:89
+e19dbc263dc6831d335e44360b20f84e735210e0:detect/detect_test.go:sidekiq-secret:135
+e19dbc263dc6831d335e44360b20f84e735210e0:detect/detect_test.go:sidekiq-secret:159
+e19dbc263dc6831d335e44360b20f84e735210e0:detect/detect_test.go:sidekiq-sensitive-url:182
+f60e1631721d9359d0bb636b82bbb32505e1a067:detect/detect_test.go:aws-access-token:325
+f60e1631721d9359d0bb636b82bbb32505e1a067:detect/detect_test.go:aws-access-token:334
+f60e1631721d9359d0bb636b82bbb32505e1a067:detect/detect_test.go:aws-access-token:343
+f60e1631721d9359d0bb636b82bbb32505e1a067:detect/detect_test.go:aws-access-token:343
+f60e1631721d9359d0bb636b82bbb32505e1a067:detect/detect_test.go:aws-access-token:352
 6adc045580c3911a7a936be7b977979a5519aa29:testdata/expect/basic/results_no_git.json:aws-access-token:20
 6adc045580c3911a7a936be7b977979a5519aa29:testdata/expect/basic/results_no_git.json:aws-access-token:22
 6adc045580c3911a7a936be7b977979a5519aa29:testdata/expect/basic/results_unstaged.json:aws-access-token:3

README.md

@@ -339,6 +339,14 @@ regexes = [
   '''process''',
   '''getenv''',
 ]
+# note: Enclosing lines regex patterns targets all of the lines enclosing a given secret. These patterns allow you
+# to match on all the lines that the secret is found on.
+enclosinglinesregexes = [
+   "NON_SENSITIVE_PREFIX_",
+   "_NON_SENSITIVE_INFIX_",
+   "_NON_SENSITIVE_SUFFIX",
+   "CIRCUMFIX_START_.*_CIRCUMFIX_END"]
+
 # note: stopwords targets the extracted secret, not the entire regex match
 # like 'regexes' does. (stopwords introduced in 8.8.0)
 stopwords = [
@@ -362,6 +370,13 @@ regexes = [
   '''078-05-1120''',
   '''(9[0-9]{2}|666)-\d{2}-\d{4}''',
 ]
+# note: Enclosing lines regex patterns targets all of the lines enclosing a given secret. These patterns allow you
+# to match on all the lines that the secret is found on.
+enclosinglinesregexes = [
+   "NON_SENSITIVE_PREFIX_",
+   "_NON_SENSITIVE_INFIX_",
+   "_NON_SENSITIVE_SUFFIX",
+   "CIRCUMFIX_START_.*_CIRCUMFIX_END"]
 # note: stopwords targets the extracted secret, not the entire regex match
 # like 'regexes' does. (stopwords introduced in 8.8.0)
 stopwords = [

config/allowlist.go

@@ -14,6 +14,11 @@ type Allowlist struct {
 	// Regexes is slice of content regular expressions that are allowed to be ignored.
 	Regexes []*regexp.Regexp
 
+	// EnclosingLinesRegexes is a slice of regular expressions used to ignore findings.
+	// These Regex patterns filter out findings based on the lines that enclose a particular match.
+	// This is different from the Regexes slice, which only acts on the subexpression labeled as the "secret" in a match
+	EnclosingLinesRegexes []*regexp.Regexp
+
 	// Paths is a slice of path regular expressions that are allowed to be ignored.
 	Paths []*regexp.Regexp
 
@@ -49,6 +54,11 @@ func (a *Allowlist) RegexAllowed(s string) bool {
 	return anyRegexMatch(s, a.Regexes)
 }
 
+// EnclosingLinesRegexAllowed returns true if the regex matching on the enclosing lines is allowed to be ignored.
+func (a *Allowlist) EnclosingLinesRegexAllowed(s string) bool {
+	return anyRegexMatch(s, a.EnclosingLinesRegexes)
+}
+
 func (a *Allowlist) ContainsStopWord(s string) bool {
 	s = strings.ToLower(s)
 	for _, stopWord := range a.StopWords {

config/allowlist_test.go

@@ -66,6 +66,33 @@ func TestRegexAllowed(t *testing.T) {
 	}
 }
 
+func TestEnclosingLinesRegexAllowed(t *testing.T) {
+	tests := []struct {
+		allowlist       Allowlist
+		enclosedSecret  string
+		encRegexAllowed bool
+	}{
+		{
+			allowlist: Allowlist{
+				EnclosingLinesRegexes: []*regexp.Regexp{regexp.MustCompile("a.*done")},
+			},
+			enclosedSecret:  "a secret: notrealsecret, done",
+			encRegexAllowed: true,
+		},
+		{
+			allowlist: Allowlist{
+				EnclosingLinesRegexes: []*regexp.Regexp{regexp.MustCompile("a.*done")},
+			},
+			enclosedSecret:  "a secret",
+			encRegexAllowed: false,
+		},
+	}
+	for _, tt := range tests {
+		assert.Equal(t, tt.encRegexAllowed, tt.allowlist.EnclosingLinesRegexAllowed(tt.enclosedSecret))
+	}
+
+}
+
 func TestPathAllowed(t *testing.T) {
 	tests := []struct {
 		allowlist   Allowlist