chore: annotate secrets detection fixtures for gitleaks

lucarlig · lucarlig · commit 8df581451171 · 2026-03-25T10:29:07.000Z
Signed-off-by: lucarlig &lt;luca.carlig@ibm.com&gt;
diff --git a/plugins_rust/secrets_detection/src/patterns.rs b/plugins_rust/secrets_detection/src/patterns.rs
@@ -142,11 +142,11 @@ mod tests {
 
         // Valid Google API keys (AIza + exactly 35 chars)
         assert!(
-            pattern.is_match("AIzaFAKE_KEY_FOR_TESTING_ONLY_fake12345"),
+            pattern.is_match("AIzaFAKE_KEY_FOR_TESTING_ONLY_fake12345"), // gitleaks:allow
             "Should match valid Google API key"
         );
         assert!(
-            pattern.is_match("AIzaFAKE_KEY_FOR_TESTING_ONLY_fake56789"),
+            pattern.is_match("AIzaFAKE_KEY_FOR_TESTING_ONLY_fake56789"), // gitleaks:allow
             "Should match valid Google API key"
         );
 
@@ -212,7 +212,7 @@ mod tests {
         let pattern = PATTERNS.get("generic_api_key_assignment").unwrap();
 
         assert!(
-            pattern.is_match("X-API-Key: test12345678901234567890"),
+            pattern.is_match("X-API-Key: test12345678901234567890"), // gitleaks:allow
             "Should match X-API-Key header"
         );
         assert!(
@@ -269,19 +269,19 @@ mod tests {
 
         // Valid private key headers
         assert!(
-            pattern.is_match("-----BEGIN RSA PRIVATE KEY-----"),
+            pattern.is_match("-----BEGIN RSA PRIVATE KEY-----"), // gitleaks:allow
             "Should match RSA private key header"
         );
         assert!(
-            pattern.is_match("-----BEGIN DSA PRIVATE KEY-----"),
+            pattern.is_match("-----BEGIN DSA PRIVATE KEY-----"), // gitleaks:allow
             "Should match DSA private key header"
         );
         assert!(
-            pattern.is_match("-----BEGIN EC PRIVATE KEY-----"),
+            pattern.is_match("-----BEGIN EC PRIVATE KEY-----"), // gitleaks:allow
             "Should match EC private key header"
         );
         assert!(
-            pattern.is_match("-----BEGIN OPENSSH PRIVATE KEY-----"),
+            pattern.is_match("-----BEGIN OPENSSH PRIVATE KEY-----"), // gitleaks:allow
             "Should match OpenSSH private key header"
         );
 
@@ -398,7 +398,7 @@ mod tests {
 
         let text = r#"
             Authorization: Bearer eyJfake_header_12345.eyJfake_payload_1234.fake_signature_12345678
-            API_SECRET=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2
+            API_SECRET=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2  // gitleaks:allow
         "#;
 
         assert!(
diff --git a/plugins_rust/secrets_detection/src/scanner.rs b/plugins_rust/secrets_detection/src/scanner.rs
@@ -238,12 +238,12 @@ mod tests {
         };
 
         // Test that hex secrets are detected
-        let hex_text = "secret=0123456789abcdef0123456789abcdef";
+        let hex_text = "secret=0123456789abcdef0123456789abcdef"; // gitleaks:allow
         let (hex_findings, _) = detect_and_redact(hex_text, &cfg);
         assert!(!hex_findings.is_empty(), "Should detect hex secrets");
 
         // Test that base64 secrets are detected
-        let base64_text = "token=SGVsbG8gV29ybGQgdGhpcyBpcyBhIGxvbmcgYmFzZTY0IGVuY29kZWQgc3RyaW5n";
+        let base64_text = "token=SGVsbG8gV29ybGQgdGhpcyBpcyBhIGxvbmcgYmFzZTY0IGVuY29kZWQgc3RyaW5n"; // gitleaks:allow
         let (b64_findings, _) = detect_and_redact(base64_text, &cfg);
         assert!(!b64_findings.is_empty(), "Should detect base64 secrets");
     }
@@ -256,7 +256,7 @@ mod tests {
             ..Default::default()
         };
 
-        let text = "GOOGLE_API_KEY=AIzaFAKE_KEY_FOR_TESTING_ONLY_fake12345";
+        let text = "GOOGLE_API_KEY=AIzaFAKE_KEY_FOR_TESTING_ONLY_fake12345"; // gitleaks:allow
         let (findings, redacted) = detect_and_redact(text, &cfg);
 
         assert!(!findings.is_empty());
@@ -272,7 +272,7 @@ mod tests {
             ..Default::default()
         };
 
-        let text = "SLACK_TOKEN=xoxr-fake-000000000-fake000000000-fakefakefakefake";
+        let text = "SLACK_TOKEN=xoxr-fake-000000000-fake000000000-fakefakefakefake"; // gitleaks:allow
         let (findings, redacted) = detect_and_redact(text, &cfg);
 
         assert!(!findings.is_empty());
@@ -287,7 +287,7 @@ mod tests {
             ..Default::default()
         };
 
-        let text = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...";
+        let text = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA..."; // gitleaks:allow
         let (findings, redacted) = detect_and_redact(text, &cfg);
 
         assert!(!findings.is_empty());
@@ -444,7 +444,7 @@ mod tests {
         let items = vec![
             "AKIAFAKE12345EXAMPLE",
             "normal text",
-            "AIzaFAKE_KEY_FOR_TESTING_ONLY_fake12345",
+            "AIzaFAKE_KEY_FOR_TESTING_ONLY_fake12345", // gitleaks:allow
         ];
 
         let mut total_count = 0;
@@ -583,7 +583,7 @@ mod tests {
         // Test that findings accumulate correctly across multiple values
         let secrets = vec![
             "AKIAFAKE12345EXAMPLE",
-            "AIzaFAKE_KEY_FOR_TESTING_ONLY_fake12345",
+            "AIzaFAKE_KEY_FOR_TESTING_ONLY_fake12345", // gitleaks:allow
             "xoxr-fake-000000000-fake000000000-fakefakefakefake",
         ];
 
@@ -609,7 +609,7 @@ mod tests {
             ..Default::default()
         };
 
-        let text = "AWS: AKIAFAKE12345EXAMPLE Google: AIzaFAKE_KEY_FOR_TESTING_ONLY_fake12345";
+        let text = "AWS: AKIAFAKE12345EXAMPLE Google: AIzaFAKE_KEY_FOR_TESTING_ONLY_fake12345"; // gitleaks:allow
         let (findings, redacted) = detect_and_redact(text, &cfg);
 
         // AWS pattern is disabled, so it should not be detected
@@ -635,7 +635,7 @@ mod tests {
             ..Default::default()
         };
 
-        let text = "AKIAFAKE12345EXAMPLE AIzaFAKE_KEY_FOR_TESTING_ONLY_fake12345";
+        let text = "AKIAFAKE12345EXAMPLE AIzaFAKE_KEY_FOR_TESTING_ONLY_fake12345"; // gitleaks:allow
         let (findings, redacted) = detect_and_redact(text, &cfg);
 
         // No patterns enabled, so no findings
@@ -692,7 +692,7 @@ mod tests {
             ..Default::default()
         };
 
-        let text = "Google: AIzaFAKE_KEY_FOR_TESTING_ONLY_fake12345";
+        let text = "Google: AIzaFAKE_KEY_FOR_TESTING_ONLY_fake12345"; // gitleaks:allow
         let (findings, redacted) = detect_and_redact(text, &cfg);
 
         // google_api_key is not in enabled map, so it should default to true (enabled)
@@ -732,7 +732,7 @@ mod tests {
         };
 
         // A base64 string that might also match hex pattern
-        let text = "secret=SGVsbG8gV29ybGQgdGhpcyBpcyBhIGxvbmcgYmFzZTY0IGVuY29kZWQgc3RyaW5n";
+        let text = "secret=SGVsbG8gV29ybGQgdGhpcyBpcyBhIGxvbmcgYmFzZTY0IGVuY29kZWQgc3RyaW5n"; // gitleaks:allow
         let (findings, redacted) = detect_and_redact(text, &cfg);
 
         // Should detect at least one pattern
diff --git a/tests/unit/plugins/test_secrets_detection.py b/tests/unit/plugins/test_secrets_detection.py
@@ -278,7 +278,7 @@ def test_detects_google_api_key(self, use_rust):
         from plugins.secrets_detection.secrets_detection import SecretsDetectionConfig, _scan_container
 
         config = SecretsDetectionConfig()
-        data = {"message": "AIzaFAKE_KEY_FOR_TESTING_ONLY_fake12345"}
+        data = {"message": "AIzaFAKE_KEY_FOR_TESTING_ONLY_fake12345"}  # gitleaks:allow
 
         count, _redacted, findings = _scan_container(data, config, use_rust=use_rust)
 
