fix: scope (?i) to variable prefix only; move rancher to alphabetical order

sridhar-3009 · sridhar-3009 · commit df672a618cc3 · 2026-05-31T14:04:11.000+05:30
- keyPat: use (?i:...) to apply case-insensitivity only to the variable
  name prefix (CATTLE_TOKEN etc.), leaving the token capture group
  [a-z0-9]{54,64} strictly lowercase as intended
- defaults.go: move rancher import and Scanner{} registration to
  alphabetical position between ramp and rapidapi
diff --git a/pkg/detectors/rancher/rancher.go b/pkg/detectors/rancher/rancher.go
@@ -21,11 +21,12 @@ var (
 	// Use the SSRF-safe client that blocks requests to local/private IP ranges.
 	client = detectors.DetectorHttpClientWithNoLocalAddresses
 
-	// Rancher API tokens: 54–64 lowercase alphanumeric chars, named with cattle/rancher prefixes.
-	keyPat = regexp.MustCompile(`(?i)(?:CATTLE_TOKEN|RANCHER_TOKEN|CATTLE_BOOTSTRAP_PASSWORD|RANCHER_API_TOKEN)[\w]*\s*[=:]\s*["']?([a-z0-9]{54,64})["']?`)
+	// Match variable name case-insensitively via (?i:...) scope, then require strictly
+	// lowercase alphanumeric token to avoid false positives from the broad character set.
+	keyPat = regexp.MustCompile(`(?i:(?:CATTLE_TOKEN|RANCHER_TOKEN|CATTLE_BOOTSTRAP_PASSWORD|RANCHER_API_TOKEN)[\w]*\s*[=:]\s*["']?)([a-z0-9]{54,64})["']?`)
 
 	// Server URL used for validation; must appear nearby in the same chunk.
-	serverPat = regexp.MustCompile(`(?i)(?:CATTLE_SERVER|RANCHER_URL|RANCHER_SERVER)\s*[=:]\s*["']?(https?://[^\s"']+)["']?`)
+	serverPat = regexp.MustCompile(`(?i:(?:CATTLE_SERVER|RANCHER_URL|RANCHER_SERVER)\s*[=:]\s*["']?)(https?://[^\s"']+)["']?`)
 )
 
 func (s Scanner) Keywords() []string {
diff --git a/pkg/engine/defaults/defaults.go b/pkg/engine/defaults/defaults.go
@@ -609,6 +609,7 @@ import (
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rabbitmq"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/railwayapp"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/ramp"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rancher"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rapidapi"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rawg"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/razorpay"
@@ -709,7 +710,6 @@ import (
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/sonarcloud"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/sourcegraph"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/sourcegraphcody"
-	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rancher"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/spectralops"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/speechtextai"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/splunkobservabilitytoken"
@@ -1502,6 +1502,7 @@ func buildDetectorList() []detectors.Detector {
 		&rabbitmq.Scanner{},
 		&railwayapp.Scanner{},
 		&ramp.Scanner{},
+		&rancher.Scanner{},
 		&rapidapi.Scanner{},
 		// &raven.Scanner{},
 		&rawg.Scanner{},
@@ -1606,7 +1607,6 @@ func buildDetectorList() []detectors.Detector {
 		&sourcegraph.Scanner{},
 		&sourcegraphcody.Scanner{},
 		// &sparkpost.Scanner{},
-		&rancher.Scanner{},
 		&spectralops.Scanner{},
 		&speechtextai.Scanner{},
 		&splunkobservabilitytoken.Scanner{},
