@@ -365,11 +365,18 @@ func (s *APIKeyScanner) scanCredentialFiles() []models.Finding {
365365 // If home directory cannot be resolved, skip all ~-based paths to avoid
366366 // scanning incorrect root-relative paths (e.g. /.aws/credentials).
367367 homeDir := s .resolveHomeDir ()
368+ // seenPath is shared across built-in and extra loops so that an extra path
369+ // duplicating a built-in (e.g. ~/.netrc in both lists) produces only one finding.
370+ seenPath := make (map [string ]bool )
368371 for _ , cf := range credentialFiles {
369372 if homeDir == "" && len (cf .Path ) > 0 && cf .Path [0 ] == '~' {
370373 continue
371374 }
372- expanded := expandHome (cf .Path , homeDir )
375+ expanded := filepath .Clean (expandHome (cf .Path , homeDir ))
376+ if seenPath [expanded ] {
377+ continue
378+ }
379+ seenPath [expanded ] = true
373380 if fsutil .Exists (expanded ) {
374381 findings = append (findings , models.Finding {
375382 Scanner : "api_keys" ,
@@ -381,17 +388,15 @@ func (s *APIKeyScanner) scanCredentialFiles() []models.Finding {
381388 }
382389
383390 // Extra credential files from user config.
384- // Deduplicate by expanded path to avoid reporting the same file twice.
385- seenExtraPath := make (map [string ]bool , len (s .ExtraCredentialFiles ))
386391 for _ , cf := range s .ExtraCredentialFiles {
387392 if homeDir == "" && len (cf .Path ) > 0 && cf .Path [0 ] == '~' {
388393 continue
389394 }
390- expanded := expandHome (cf .Path , homeDir )
391- if seenExtraPath [expanded ] {
392- continue // duplicate path in extras list
395+ expanded := filepath . Clean ( expandHome (cf .Path , homeDir ) )
396+ if seenPath [expanded ] {
397+ continue // already reported by built- in or earlier extra
393398 }
394- seenExtraPath [expanded ] = true
399+ seenPath [expanded ] = true
395400 if fsutil .Exists (expanded ) {
396401 findings = append (findings , models.Finding {
397402 Scanner : "api_keys" ,
0 commit comments