refactor(tests): simplify apikeys_test — remove duplicates, collapse anchored-pattern tests

Pringled · Pringled · commit 14a9589d5231 · 2026-03-07T11:06:34.000+01:00
diff --git a/internal/scan/apikeys_test.go b/internal/scan/apikeys_test.go
@@ -139,20 +139,6 @@ func TestAPIKeyScanner_CredentialFileContentNotInFindings(t *testing.T) {
 	assertResource(t, result.Findings, credFile)
 }
 
-func TestAPIKeyScanner_NoCredentialFileNoFinding(t *testing.T) {
-	clearAllEnv(t)
-
-	s := newScannerWithHome(t.TempDir())
-	result := s.Scan()
-
-	if result.Skipped {
-		t.Error("APIKeyScanner must never return skipped=true")
-	}
-	if len(result.Findings) != 0 {
-		t.Errorf("expected 0 findings in empty home dir, got %d: %v", len(result.Findings), resourceSet(result.Findings))
-	}
-}
-
 func TestAPIKeyScanner_GCPCredentialsDirDetected(t *testing.T) {
 	home := t.TempDir()
 	gcloudDir := filepath.Join(home, ".config", "gcloud")
@@ -427,28 +413,61 @@ func TestAPIKeyScanner_ValuePatterns(t *testing.T) {
 	}
 }
 
-func TestAPIKeyScanner_NameRegex_FLY_Anchored(t *testing.T) {
-	clearHighRiskEnv(t)
-	t.Setenv("FLY_API_TOKEN", "real-token")
-	t.Setenv("MY_FLY_TOKEN", "also-real-token")
-	t.Setenv("BUTTERFLY_KEY", "not-a-fly-token")
-	t.Setenv("FLYWEIGHT_INDEX", "not-a-token")
+func TestAPIKeyScanner_NameRegex_AnchoredPatterns(t *testing.T) {
+	cases := []struct {
+		name           string
+		shouldMatch    map[string]string
+		shouldNotMatch map[string]string
+	}{
+		{
+			name:           "FLY_",
+			shouldMatch:    map[string]string{"FLY_API_TOKEN": "real-token", "MY_FLY_TOKEN": "also-real"},
+			shouldNotMatch: map[string]string{"BUTTERFLY_KEY": "v", "FLYWEIGHT_INDEX": "v"},
+		},
+		{
+			name:           "NEON_",
+			shouldMatch:    map[string]string{"NEON_API_KEY": "real-neon-key", "MY_NEON_KEY": "also-real"},
+			shouldNotMatch: map[string]string{"ANEMONE_CONFIG": "v", "NEONLIGHTS_COLOR": "v"},
+		},
+		{
+			name:           "LINEAR_",
+			shouldMatch:    map[string]string{"LINEAR_API_KEY": "real-linear-key", "MY_LINEAR_TOKEN": "also-real"},
+			shouldNotMatch: map[string]string{"BILINEAR_FILTER": "v"},
+		},
+		{
+			name:           "PALM_",
+			shouldMatch:    map[string]string{"PALM_API_KEY": "real-palm-key", "MY_PALM_KEY": "also-real"},
+			shouldNotMatch: map[string]string{"NAPALM_MODE": "v"},
+		},
+		{
+			name:           "XAI_",
+			shouldMatch:    map[string]string{"XAI_API_KEY": "real-xai-key", "MY_XAI_KEY": "also-real"},
+			shouldNotMatch: map[string]string{"PROXAI_ENDPOINT": "https://api.proxai.com", "RELAXAI_MODE": "true"},
+		},
+	}
 
-	s := newScannerWithHome(t.TempDir())
-	result := s.Scan()
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			clearAllEnv(t)
+			for k, v := range tc.shouldMatch {
+				t.Setenv(k, v)
+			}
+			for k, v := range tc.shouldNotMatch {
+				t.Setenv(k, v)
+			}
 
-	// FLY_API_TOKEN and MY_FLY_TOKEN must both be flagged.
-	assertResource(t, result.Findings, "FLY_API_TOKEN")
-	assertResource(t, result.Findings, "MY_FLY_TOKEN")
+			s := newScannerWithHome(t.TempDir())
+			result := s.Scan()
 
-	// BUTTERFLY_KEY and FLYWEIGHT_INDEX must NOT be flagged.
-	for _, f := range result.Findings {
-		if f.Resource == "BUTTERFLY_KEY" {
-			t.Error("BUTTERFLY_KEY should not be flagged by FLY_ pattern")
-		}
-		if f.Resource == "FLYWEIGHT_INDEX" {
-			t.Error("FLYWEIGHT_INDEX should not be flagged by FLY_ pattern")
-		}
+			for k := range tc.shouldMatch {
+				assertResource(t, result.Findings, k)
+			}
+			for k := range tc.shouldNotMatch {
+				if contains(result.Findings, k) {
+					t.Errorf("%s should not be flagged by %s pattern", k, tc.name)
+				}
+			}
+		})
 	}
 }
 
@@ -458,18 +477,33 @@ func TestAPIKeyScanner_NameRegex_NewProviders(t *testing.T) {
 		envVar string
 		value  string
 	}{
+		// Google / cloud AI
 		{"MY_GEMINI_KEY", "gemini-key-value"},
 		{"VERTEX_API_KEY", "vertex-key-value"},
 		{"BEDROCK_ACCESS_KEY", "bedrock-key-value"},
 		{"AZURE_OPENAI_KEY", "azure-openai-key"},
+		// Communication
 		{"RESEND_API_KEY", "resend-key-value"},
 		{"POSTMARK_TOKEN", "postmark-key-value"},
+		// Productivity / project tools
 		{"MY_LINEAR_TOKEN", "linear-key-value"},
 		{"NOTION_API_KEY", "notion-key-value"},
 		{"AIRTABLE_KEY", "airtable-key-value"},
+		// Database-as-a-service
 		{"SUPABASE_KEY", "supabase-key-value"},
 		{"NEON_API_KEY", "neon-key-value"},
 		{"PLANETSCALE_TOKEN", "ps-key-value"},
+		// Newer AI providers
+		{"OPENROUTER_API_KEY", "or-key-value"},
+		{"FIREWORKS_API_KEY", "fw-key-value"},
+		{"DEEPSEEK_API_KEY", "ds-key-value"},
+		{"PERPLEXITY_API_KEY", "pplx-key-value"},
+		{"CEREBRAS_API_KEY", "cb-key-value"},
+		{"DOPPLER_TOKEN", "dp-token-value"},
+		{"XAI_API_KEY", "xai-key-value"},
+		{"ASSEMBLYAI_API_KEY", "aai-key-value"},
+		{"AI21_API_KEY", "ai21-key-value"},
+		{"NVIDIA_NIM_API_KEY", "nim-key-value"},
 	}
 
 	for _, tc := range cases {
@@ -499,28 +533,6 @@ func TestAPIKeyScanner_ValuePattern_NoMatchWrongLength(t *testing.T) {
 	}
 }
 
-func TestAPIKeyScanner_ValuePattern_TwilioSID(t *testing.T) {
-	value := "SK" + strings.Repeat("f", 32) // total 34 chars
-	t.Setenv("CRED_SID", value)
-	clearHighRiskEnv(t)
-
-	s := newScannerWithHome(t.TempDir())
-	result := s.Scan()
-
-	assertResource(t, result.Findings, "CRED_SID")
-	for _, f := range result.Findings {
-		if f.Resource == "CRED_SID" {
-			if f.Severity != "UNCERTAIN" {
-				t.Errorf("expected UNCERTAIN severity for Twilio SID (broad SK prefix), got %q", f.Severity)
-			}
-			if !strings.Contains(f.Description, "Twilio") {
-				t.Errorf("expected description to contain %q, got %q", "Twilio", f.Description)
-			}
-		}
-	}
-	assertNoSecretValue(t, result.Findings, value)
-}
-
 func TestAPIKeyScanner_CrossPassDedup_NameRegexWins(t *testing.T) {
 	// CUSTOM_STRIPE_KEY matches the STRIPE name-regex.
 	// sk_live_ + 47 chars matches the Stripe live secret value pattern.
@@ -551,118 +563,6 @@ func TestAPIKeyScanner_CrossPassDedup_NameRegexWins(t *testing.T) {
 	}
 }
 
-func TestAPIKeyScanner_NameRegex_NEON_NarrowedPattern(t *testing.T) {
-	clearHighRiskEnv(t)
-	// These should NOT be flagged.
-	t.Setenv("ANEMONE_CONFIG", "some-value")
-	t.Setenv("NEONLIGHTS_COLOR", "blue")
-	// These SHOULD be flagged.
-	t.Setenv("NEON_API_KEY", "real-neon-key")
-	t.Setenv("MY_NEON_KEY", "also-real-neon-key")
-
-	s := newScannerWithHome(t.TempDir())
-	result := s.Scan()
-
-	assertResource(t, result.Findings, "NEON_API_KEY")
-	assertResource(t, result.Findings, "MY_NEON_KEY")
-	for _, f := range result.Findings {
-		if f.Resource == "ANEMONE_CONFIG" {
-			t.Error("ANEMONE_CONFIG should not be flagged by NEON_ pattern")
-		}
-		if f.Resource == "NEONLIGHTS_COLOR" {
-			t.Error("NEONLIGHTS_COLOR should not be flagged by NEON_ pattern")
-		}
-	}
-}
-
-func TestAPIKeyScanner_NameRegex_LINEAR_NarrowedPattern(t *testing.T) {
-	clearHighRiskEnv(t)
-	t.Setenv("BILINEAR_FILTER", "some-value")
-	t.Setenv("LINEAR_API_KEY", "real-linear-key")
-
-	s := newScannerWithHome(t.TempDir())
-	result := s.Scan()
-
-	assertResource(t, result.Findings, "LINEAR_API_KEY")
-	for _, f := range result.Findings {
-		if f.Resource == "BILINEAR_FILTER" {
-			t.Error("BILINEAR_FILTER should not be flagged by LINEAR_ pattern")
-		}
-	}
-}
-
-func TestAPIKeyScanner_NameRegex_PALM_NarrowedPattern(t *testing.T) {
-	clearHighRiskEnv(t)
-	t.Setenv("NAPALM_MODE", "some-value")
-	// These SHOULD be flagged.
-	t.Setenv("PALM_API_KEY", "real-palm-key")
-	t.Setenv("MY_PALM_KEY", "also-real-palm-key")
-
-	s := newScannerWithHome(t.TempDir())
-	result := s.Scan()
-
-	assertResource(t, result.Findings, "PALM_API_KEY")
-	assertResource(t, result.Findings, "MY_PALM_KEY")
-	for _, f := range result.Findings {
-		if f.Resource == "NAPALM_MODE" {
-			t.Error("NAPALM_MODE should not be flagged by PALM_ pattern")
-		}
-	}
-}
-
-func TestAPIKeyScanner_NameRegex_NewAIProviders(t *testing.T) {
-	clearHighRiskEnv(t)
-	cases := []struct {
-		envVar string
-		value  string
-	}{
-		{"OPENROUTER_API_KEY", "or-key-value"},
-		{"FIREWORKS_API_KEY", "fw-key-value"},
-		{"DEEPSEEK_API_KEY", "ds-key-value"},
-		{"PERPLEXITY_API_KEY", "pplx-key-value"},
-		{"CEREBRAS_API_KEY", "cb-key-value"},
-		{"DOPPLER_TOKEN", "dp-token-value"},
-		{"XAI_API_KEY", "xai-key-value"},
-		{"ASSEMBLYAI_API_KEY", "aai-key-value"},
-		{"AI21_API_KEY", "ai21-key-value"},
-		{"NVIDIA_NIM_API_KEY", "nim-key-value"},
-	}
-	for _, tc := range cases {
-		t.Setenv(tc.envVar, tc.value)
-	}
-
-	s := newScannerWithHome(t.TempDir())
-	result := s.Scan()
-
-	for _, tc := range cases {
-		assertResource(t, result.Findings, tc.envVar)
-	}
-}
-
-func TestAPIKeyScanner_NameRegex_XAI_Anchored(t *testing.T) {
-	clearAllEnv(t)
-	// XAI embedded mid-word with no credential suffix — should NOT be flagged.
-	t.Setenv("PROXAI_ENDPOINT", "https://api.proxai.com")
-	t.Setenv("RELAXAI_MODE", "true")
-	// These SHOULD be flagged.
-	t.Setenv("XAI_API_KEY", "real-xai-key")
-	t.Setenv("MY_XAI_KEY", "also-real-xai-key")
-
-	s := newScannerWithHome(t.TempDir())
-	result := s.Scan()
-
-	assertResource(t, result.Findings, "XAI_API_KEY")
-	assertResource(t, result.Findings, "MY_XAI_KEY")
-	for _, f := range result.Findings {
-		if f.Resource == "PROXAI_ENDPOINT" {
-			t.Error("PROXAI_ENDPOINT should not be flagged by XAI pattern")
-		}
-		if f.Resource == "RELAXAI_MODE" {
-			t.Error("RELAXAI_MODE should not be flagged by XAI pattern")
-		}
-	}
-}
-
 func TestAPIKeyScanner_ExtraEnvKeys_NoDuplicateWithNameRegex(t *testing.T) {
 	const key = "MY_OPENAI_KEY" // matches OPENAI nameRegexPattern AND is in ExtraEnvKeys
 	t.Setenv(key, "sk-test-value")
