@@ -690,6 +690,32 @@ const email = "user@example.com";
690690 expect ( hasSuspiciousKeyFinding ( findings ) ) . toBe ( true ) ;
691691 } ) ;
692692
693+ // Regression: a version digit (v1/v2) or token like `k8s` inside an
694+ // otherwise lowercase kebab slug used to push it to two character classes
695+ // (lowercase + digit) and trip the class-count check. Delimited lowercase
696+ // identifiers must be rejected regardless of embedded digits.
697+ it . each ( [
698+ [ 'secret-rotation-v2-rotate-secrets' , 'src/queue-service.ts' ] ,
699+ [ 'secret-scanning-v2-full-scan' , 'src/queue-service.ts' ] ,
700+ [ 'inject-k8s-sa-auth-token' , 'src/gateway/types.ts' ] ,
701+ [ 'infisical-secret-value-blind-index-v1' , 'src/blind-index.ts' ] ,
702+ ] ) (
703+ 'does not flag a lowercase delimited slug with an embedded digit (%s)' ,
704+ ( value , file ) => {
705+ const source = `const SECRET_KIND = "${ value } ";` ;
706+ const findings = detectSecretsInSource ( file , source ) ;
707+
708+ expect ( hasSuspiciousKeyFinding ( findings ) ) . toBe ( false ) ;
709+ } ,
710+ ) ;
711+
712+ it ( 'does not flag a snake_case slug with an embedded digit' , ( ) => {
713+ const source = 'const TOKEN_KIND = "auth_token_rotation_v2";' ;
714+ const findings = detectSecretsInSource ( 'src/enums.ts' , source ) ;
715+
716+ expect ( hasSuspiciousKeyFinding ( findings ) ) . toBe ( false ) ;
717+ } ) ;
718+
693719 it ( 'flags a single-class value carrying a known credential prefix' , ( ) => {
694720 // `xoxb-` prefix marks it as a real token even though it is lowercase-only
695721 // and below the entropy threshold, so the prefix branch must admit it.
0 commit comments