feat: add subscript usage detection

Author: Saharsh1123

detectors/ast_analyzer.py

@@ -84,7 +84,7 @@ def extract_variable_path(node):
                 temp_node = temp_node.value
 
             # Ignore unsupported roots such as function calls or subscripts.
-            if not isinstance(temp_node, ast.Name):
+            if not isinstance(temp_node, ast.Name) or isinstance(temp_node, ast.Subscript):
                 continue
 
             full_path.append(temp_node.id.lower())
@@ -93,7 +93,15 @@ def extract_variable_path(node):
         # Handle direct variable assignment.
         elif isinstance(var, ast.Name):
             full_path.append(var.id.lower())
+        
+        elif isinstance(var, ast.Subscript):
+            key = var.slice
 
+            if not (isinstance(key, ast.Constant) and isinstance(key.value, str)):
+                continue
+
+            full_path.append(key.value.lower())
+            
         if full_path:
             yield full_path
 

test_dirs/test_repo/open_vulns.py

@@ -6,4 +6,3 @@
 api_key = "12dwdqwdqwdqw3"
 token = "xyzgggggg"  # noqa: E702
 TOKEN = "abc1234567890j"
-

tests/test_ast/__init__.py

@@ -0,0 +1,80 @@
+from detectors.find_secrets import detect_ast_secrets  # noqa: F401
+
+PASSWORD_REASON = (
+    "variable name matched password/pwd/passwd pattern and value met minimum length"
+)
+API_KEY_REASON = (
+    "variable name matched api_key/apikey pattern and value met minimum length"
+)
+TOKEN_REASON = "variable name matched token pattern and value met minimum length"
+SECRET_REASON = "variable name matched secret pattern and value met minimum length"
+AWS_REASON = "value matched AKIA-prefixed AWS access key pattern"
+
+SUPPORTED_CONFIDENCE = {"LOW", "MEDIUM", "HIGH"}
+
+
+def get_entropy(finding):
+    """
+    Return entropy metadata from a Finding.
+
+    Supports either `entropy` or `entropy_score` if the field name changes
+    during refactoring.
+    """
+    if hasattr(finding, "entropy"):
+        return finding.entropy
+
+    if hasattr(finding, "entropy_score"):
+        return finding.entropy_score
+
+    raise AssertionError("Finding is missing entropy metadata")
+
+
+def assert_entropy_metadata(finding):
+    """
+    Assert that entropy metadata exists and is numeric.
+    """
+    entropy = get_entropy(finding)
+
+    assert isinstance(entropy, (int, float))
+    assert entropy >= 0
+
+
+def assert_finding(
+    finding,
+    *,
+    line_number,
+    file_path=None,
+    var_name,
+    value,
+    rule_id,
+    rule_name,
+    severity,
+    reason,
+    confidence=None,
+):
+    """
+    Assert stable Finding fields while allowing future metadata fields.
+    """
+    assert finding.file_path == file_path
+    assert finding.line_number == line_number
+    assert finding.var_name == var_name
+    assert finding.value == value
+    assert finding.rule_id == rule_id
+    assert finding.rule_name == rule_name
+    assert finding.severity == severity
+    assert finding.reason == reason
+
+    if confidence is None:
+        assert finding.confidence in SUPPORTED_CONFIDENCE
+    else:
+        assert finding.confidence == confidence
+
+    assert_entropy_metadata(finding)
+
+
+def assert_single_finding(result, **expected):
+    """
+    Assert that detection produced exactly one expected finding.
+    """
+    assert len(result) == 1
+    assert_finding(result[0], **expected)

tests/test_ast/ast_helpers.py

@@ -0,0 +1,89 @@
+from tests.test_ast.ast_helpers import (
+    API_KEY_REASON,
+    PASSWORD_REASON,
+    TOKEN_REASON,
+    assert_single_finding,
+    detect_ast_secrets,
+)
+
+
+def test_ast_attribute_password():
+    code = 'self.password = "abcdef"'
+    result = detect_ast_secrets(code)
+
+    assert_single_finding(
+        result,
+        line_number=1,
+        var_name="password",
+        value="abcdef",
+        rule_id="PASSWORD",
+        rule_name="Password",
+        severity="HIGH",
+        reason=PASSWORD_REASON,
+        confidence="LOW",
+    )
+
+
+def test_ast_attribute_api_key():
+    code = 'config.api_key = "12345678"'
+    result = detect_ast_secrets(code)
+
+    assert_single_finding(
+        result,
+        line_number=1,
+        var_name="api_key",
+        value="12345678",
+        rule_id="API_KEY",
+        rule_name="API Key",
+        severity="HIGH",
+        reason=API_KEY_REASON,
+    )
+
+
+def test_ast_attribute_token():
+    code = 'user.token = "qwerty123"'
+    result = detect_ast_secrets(code)
+
+    assert_single_finding(
+        result,
+        line_number=1,
+        var_name="token",
+        value="qwerty123",
+        rule_id="TOKEN",
+        rule_name="Token",
+        severity="MEDIUM",
+        reason=TOKEN_REASON,
+    )
+
+
+def test_ast_nested_attribute_password():
+    code = 'self.config.db.password = "abcdef"'
+    result = detect_ast_secrets(code)
+
+    assert_single_finding(
+        result,
+        line_number=1,
+        var_name="password",
+        value="abcdef",
+        rule_id="PASSWORD",
+        rule_name="Password",
+        severity="HIGH",
+        reason=PASSWORD_REASON,
+        confidence="LOW",
+    )
+
+
+def test_ast_deep_nested_attribute_api_key():
+    code = 'settings.auth.credentials.api_key = "12345678"'
+    result = detect_ast_secrets(code)
+
+    assert_single_finding(
+        result,
+        line_number=1,
+        var_name="api_key",
+        value="12345678",
+        rule_id="API_KEY",
+        rule_name="API Key",
+        severity="HIGH",
+        reason=API_KEY_REASON,
+    )