Fix tests

Author: Pringled

internal/scan/apikeys_test.go

@@ -18,6 +18,19 @@ func clearHighRiskEnv(t *testing.T) {
 	}
 }
 
+// clearAllEnv sets every environment variable to empty for the duration of the test.
+// Use this in tests that assert 0 findings, since nameRegex patterns (e.g. (?i)GITHUB)
+// can match CI variables like GITHUB_WORKSPACE that aren't credentials.
+// t.Setenv restores original values after the test.
+func clearAllEnv(t *testing.T) {
+	t.Helper()
+	for _, entry := range os.Environ() {
+		if idx := strings.IndexByte(entry, '='); idx >= 0 {
+			t.Setenv(entry[:idx], "")
+		}
+	}
+}
+
 // newScannerWithHome creates an APIKeyScanner with HomeDir set to home and no extras.
 func newScannerWithHome(home string) *scan.APIKeyScanner {
 	s := scan.NewAPIKeyScanner()
@@ -66,7 +79,7 @@ func TestAPIKeyScanner_NeverStoresSecretValue(t *testing.T) {
 }
 
 func TestAPIKeyScanner_EmptyEnvNoFindings(t *testing.T) {
-	clearHighRiskEnv(t)
+	clearAllEnv(t)
 
 	s := newScannerWithHome(t.TempDir())
 	result := s.Scan()
@@ -131,7 +144,7 @@ func TestAPIKeyScanner_CredentialFileContentNotInFindings(t *testing.T) {
 }
 
 func TestAPIKeyScanner_NoCredentialFileNoFinding(t *testing.T) {
-	clearHighRiskEnv(t)
+	clearAllEnv(t)
 
 	s := newScannerWithHome(t.TempDir())
 	result := s.Scan()