fix: narrow XAI pattern to (^|_)XAI_ to avoid false positives on PROXAI_, RELAXAI_ etc

Author: Pringled

internal/scan/apikeys.go

@@ -16,7 +16,7 @@ import (
 // credentialSuffixRe matches env var names that contain a credential-related term.
 // Provider name patterns require this suffix to avoid false positives on non-credential
 // vars like GITHUB_WORKSPACE or OPENAI_BASE_URL.
-var credentialSuffixRe = regexp.MustCompile(`(?i)(KEY|TOKEN|SECRET|PASSWORD|CRED)`)
+var credentialSuffixRe = regexp.MustCompile(`(?i)(^|_)(KEY|TOKEN|SECRET|PASSWORD|CRED)(S?)(_|$)`)
 
 // providerNamePatterns matches env var names containing a known provider keyword.
 // These only produce a finding when the name also matches credentialSuffixRe.
@@ -39,7 +39,7 @@ var providerNamePatterns = []*regexp.Regexp{
 	regexp.MustCompile(`(?i)DEEPSEEK`),
 	regexp.MustCompile(`(?i)PERPLEXITY`),
 	regexp.MustCompile(`(?i)CEREBRAS`),
-	regexp.MustCompile(`(?i)XAI`),
+	regexp.MustCompile(`(?i)(^|_)XAI_`), // (^|_) avoids TAXI_KEY, PROXAI_TOKEN while matching XAI_API_KEY, MY_XAI_KEY
 	regexp.MustCompile(`(?i)ASSEMBLYAI`),
 	regexp.MustCompile(`(?i)AI21`),
 	regexp.MustCompile(`(?i)NVIDIA_NIM`),

internal/scan/apikeys_test.go

@@ -639,6 +639,30 @@ func TestAPIKeyScanner_NameRegex_NewAIProviders(t *testing.T) {
 	}
 }
 
+func TestAPIKeyScanner_NameRegex_XAI_Anchored(t *testing.T) {
+	clearAllEnv(t)
+	// XAI embedded mid-word with no credential suffix — should NOT be flagged.
+	t.Setenv("PROXAI_ENDPOINT", "https://api.proxai.com")
+	t.Setenv("RELAXAI_MODE", "true")
+	// These SHOULD be flagged.
+	t.Setenv("XAI_API_KEY", "real-xai-key")
+	t.Setenv("MY_XAI_KEY", "also-real-xai-key")
+
+	s := newScannerWithHome(t.TempDir())
+	result := s.Scan()
+
+	assertResource(t, result.Findings, "XAI_API_KEY")
+	assertResource(t, result.Findings, "MY_XAI_KEY")
+	for _, f := range result.Findings {
+		if f.Resource == "PROXAI_ENDPOINT" {
+			t.Error("PROXAI_ENDPOINT should not be flagged by XAI pattern")
+		}
+		if f.Resource == "RELAXAI_MODE" {
+			t.Error("RELAXAI_MODE should not be flagged by XAI pattern")
+		}
+	}
+}
+
 func TestAPIKeyScanner_ExtraEnvKeys_NoDuplicateWithNameRegex(t *testing.T) {
 	const key = "MY_OPENAI_KEY" // matches OPENAI nameRegexPattern AND is in ExtraEnvKeys
 	t.Setenv(key, "sk-test-value")
@@ -692,13 +716,17 @@ func TestAPIKeyScanner_NameRegex_ProviderWithoutSuffix_NotFlagged(t *testing.T)
 	t.Setenv("GITHUB_ACTIONS", "true")
 	t.Setenv("OPENAI_BASE_URL", "https://api.openai.com")
 	t.Setenv("STRIPE_WEBHOOK_ENDPOINT", "https://example.com/webhook")
+	// Substring false positives: MONKEY contains KEY, DONKEY contains KEY.
+	t.Setenv("GITHUB_MONKEY", "banana")
+	t.Setenv("OPENAI_DONKEY", "hee-haw")
 
 	s := newScannerWithHome(t.TempDir())
 	result := s.Scan()
 
 	for _, f := range result.Findings {
 		switch f.Resource {
-		case "GITHUB_WORKSPACE", "GITHUB_ACTIONS", "OPENAI_BASE_URL", "STRIPE_WEBHOOK_ENDPOINT":
+		case "GITHUB_WORKSPACE", "GITHUB_ACTIONS", "OPENAI_BASE_URL", "STRIPE_WEBHOOK_ENDPOINT",
+			"GITHUB_MONKEY", "OPENAI_DONKEY":
 			t.Errorf("%s should not be flagged (provider keyword without credential suffix)", f.Resource)
 		}
 	}