tests: update tests to include reasons

Author: Saharsh1123

tests/test_apply_rules.py

@@ -1,22 +1,33 @@
 from detectors.rule_engine import apply_rules
 
 
+PASSWORD_REASON = (
+    "variable name matched password/pwd/passwd pattern and value met minimum length"
+)
+API_KEY_REASON = (
+    "variable name matched api_key/apikey pattern and value met minimum length"
+)
+TOKEN_REASON = "variable name matched token pattern and value met minimum length"
+SECRET_REASON = "variable name matched secret pattern and value met minimum length"
+AWS_REASON = "value matched AKIA-prefixed AWS access key pattern"
+
+
 # Detect password variable with valid value length
 def test_password_match():
     result = apply_rules("password", "abcdef")
-    assert result == [("Password", "HIGH", "abcdef")]
+    assert result == [("Password", "HIGH", "abcdef", PASSWORD_REASON)]
 
 
 # Detect password alias: pwd
 def test_pwd_alias_match():
     result = apply_rules("pwd", "abcdef")
-    assert result == [("Password", "HIGH", "abcdef")]
+    assert result == [("Password", "HIGH", "abcdef", PASSWORD_REASON)]
 
 
 # Detect password alias: passwd
 def test_passwd_alias_match():
     result = apply_rules("passwd", "abcdef")
-    assert result == [("Password", "HIGH", "abcdef")]
+    assert result == [("Password", "HIGH", "abcdef", PASSWORD_REASON)]
 
 
 # Ensure similar but unrelated variable names are not flagged
@@ -34,49 +45,49 @@ def test_short_password_value():
 # Ensure values exactly at minimum length are accepted
 def test_min_length_boundary_match():
     result = apply_rules("password", "abcd")
-    assert result == [("Password", "HIGH", "abcd")]
+    assert result == [("Password", "HIGH", "abcd", PASSWORD_REASON)]
 
 
 # Ensure case-insensitive variable matching
 def test_uppercase_variable_match():
     result = apply_rules("PASSWORD", "abcdef")
-    assert result == [("Password", "HIGH", "abcdef")]
+    assert result == [("Password", "HIGH", "abcdef", PASSWORD_REASON)]
 
 
 # Detect API key variable with underscore
 def test_api_key_match():
     result = apply_rules("api_key", "1234abcd")
-    assert result == [("API Key", "HIGH", "1234abcd")]
+    assert result == [("API Key", "HIGH", "1234abcd", API_KEY_REASON)]
 
 
 # Detect API key variable without underscore
 def test_apikey_match():
     result = apply_rules("apikey", "1234abcd")
-    assert result == [("API Key", "HIGH", "1234abcd")]
+    assert result == [("API Key", "HIGH", "1234abcd", API_KEY_REASON)]
 
 
 # Detect token with medium severity
 def test_token_match():
     result = apply_rules("token", "qwerty")
-    assert result == [("Token", "MEDIUM", "qwerty")]
+    assert result == [("Token", "MEDIUM", "qwerty", TOKEN_REASON)]
 
 
 # Detect secret with medium severity
 def test_secret_match():
     result = apply_rules("secret", "abcdef")
-    assert result == [("Secret", "MEDIUM", "abcdef")]
+    assert result == [("Secret", "MEDIUM", "abcdef", SECRET_REASON)]
 
 
 # Detect secret when embedded in a longer variable name
 def test_secret_embedded_variable_match():
     result = apply_rules("client_secret", "abcdef")
-    assert result == [("Secret", "MEDIUM", "abcdef")]
+    assert result == [("Secret", "MEDIUM", "abcdef", SECRET_REASON)]
 
 
 # Detect AWS access key by value, regardless of variable name
 def test_aws_access_key_value_match():
     result = apply_rules("random_var", "AKIAEXAMPLE123456789")
-    assert result == [("AWS Access Key", "HIGH", "AKIAEXAMPLE123456789")]
+    assert result == [("AWS Access Key", "HIGH", "AKIAEXAMPLE123456789", AWS_REASON)]
 
 
 # Ensure lowercase AWS-style value does not match case-sensitive AWS pattern
@@ -89,15 +100,17 @@ def test_lowercase_aws_access_key_no_match():
 def test_aws_access_key_with_api_key_variable():
     result = apply_rules("api_key", "AKIAEXAMPLE123456789")
     assert result == [
-        ("AWS Access Key", "HIGH", "AKIAEXAMPLE123456789"),
-        ("API Key", "HIGH", "AKIAEXAMPLE123456789"),
+        ("AWS Access Key", "HIGH", "AKIAEXAMPLE123456789", AWS_REASON),
+        ("API Key", "HIGH", "AKIAEXAMPLE123456789", API_KEY_REASON),
     ]
 
 
 # Ensure complex values with special characters are preserved
 def test_complex_password_value_match():
     result = apply_rules("password", "abc_def-123#$%^&*()")
-    assert result == [("Password", "HIGH", "abc_def-123#$%^&*()")]
+    assert result == [
+        ("Password", "HIGH", "abc_def-123#$%^&*()", PASSWORD_REASON)
+    ]
 
 
 # Ensure empty variable name does not trigger variable-based rules

tests/test_ast.py

@@ -1,52 +1,63 @@
 from detectors.find_secrets import detect_ast_secrets
 
 
+PASSWORD_REASON = (
+    "variable name matched password/pwd/passwd pattern and value met minimum length"
+)
+API_KEY_REASON = (
+    "variable name matched api_key/apikey pattern and value met minimum length"
+)
+TOKEN_REASON = "variable name matched token pattern and value met minimum length"
+SECRET_REASON = "variable name matched secret pattern and value met minimum length"
+AWS_REASON = "value matched AKIA-prefixed AWS access key pattern"
+
+
 # Detect a basic hardcoded password assignment
 def test_ast_basic_password():
     code = 'password = "abcdef"'
     result = detect_ast_secrets(code)
 
-    assert result == [(1, "Password", "HIGH", "abcdef")]
+    assert result == [(1, "Password", "HIGH", "abcdef", PASSWORD_REASON)]
 
 
 # Detect password assigned through a simple object attribute
 def test_ast_attribute_password():
     code = 'self.password = "abcdef"'
     result = detect_ast_secrets(code)
 
-    assert result == [(1, "Password", "HIGH", "abcdef")]
+    assert result == [(1, "Password", "HIGH", "abcdef", PASSWORD_REASON)]
 
 
 # Detect API key assigned through an attribute
 def test_ast_api_key():
     code = 'config.api_key = "12345678"'
     result = detect_ast_secrets(code)
 
-    assert result == [(1, "API Key", "HIGH", "12345678")]
+    assert result == [(1, "API Key", "HIGH", "12345678", API_KEY_REASON)]
 
 
 # Detect token with correct MEDIUM severity
 def test_ast_token():
     code = 'user.token = "qwerty123"'
     result = detect_ast_secrets(code)
 
-    assert result == [(1, "Token", "MEDIUM", "qwerty123")]
+    assert result == [(1, "Token", "MEDIUM", "qwerty123", TOKEN_REASON)]
 
 
 # Detect generic secret assignment
 def test_ast_secret():
     code = 'client_secret = "abcdef"'
     result = detect_ast_secrets(code)
 
-    assert result == [(1, "Secret", "MEDIUM", "abcdef")]
+    assert result == [(1, "Secret", "MEDIUM", "abcdef", SECRET_REASON)]
 
 
 # Detect AWS access key by value, regardless of variable name
 def test_ast_aws_access_key_value():
     code = 'random_var = "AKIAEXAMPLE123456789"'
     result = detect_ast_secrets(code)
 
-    assert result == [(1, "AWS Access Key", "HIGH", "AKIAEXAMPLE123456789")]
+    assert result == [(1, "AWS Access Key", "HIGH", "AKIAEXAMPLE123456789", AWS_REASON)]
 
 
 # Detect multiple classifications when both value and variable name match
@@ -55,8 +66,8 @@ def test_ast_aws_access_key_with_api_key_variable():
     result = detect_ast_secrets(code)
 
     assert result == [
-        (1, "AWS Access Key", "HIGH", "AKIAEXAMPLE123456789"),
-        (1, "API Key", "HIGH", "AKIAEXAMPLE123456789"),
+        (1, "AWS Access Key", "HIGH", "AKIAEXAMPLE123456789", AWS_REASON),
+        (1, "API Key", "HIGH", "AKIAEXAMPLE123456789", API_KEY_REASON),
     ]
 
 
@@ -94,9 +105,9 @@ def test_ast_multiple_assignments():
     result = detect_ast_secrets(code)
 
     assert result == [
-        (2, "Password", "HIGH", "abcdef"),
-        (3, "API Key", "HIGH", "12345678"),
-        (4, "Token", "MEDIUM", "qwerty123"),
+        (2, "Password", "HIGH", "abcdef", PASSWORD_REASON),
+        (3, "API Key", "HIGH", "12345678", API_KEY_REASON),
+        (4, "Token", "MEDIUM", "qwerty123", TOKEN_REASON),
     ]
 
 
@@ -113,15 +124,15 @@ def test_ast_uppercase_variable():
     code = 'PASSWORD = "abcdef"'
     result = detect_ast_secrets(code)
 
-    assert result == [(1, "Password", "HIGH", "abcdef")]
+    assert result == [(1, "Password", "HIGH", "abcdef", PASSWORD_REASON)]
 
 
 # Process multiple assignment targets correctly
 def test_ast_multiple_targets():
     code = 'a = password = "abcdef"'
     result = detect_ast_secrets(code)
 
-    assert result == [(1, "Password", "HIGH", "abcdef")]
+    assert result == [(1, "Password", "HIGH", "abcdef", PASSWORD_REASON)]
 
 
 # Process multiple sensitive targets assigned the same value
@@ -130,8 +141,8 @@ def test_ast_multiple_sensitive_targets():
     result = detect_ast_secrets(code)
 
     assert result == [
-        (1, "Password", "HIGH", "abcdef"),
-        (1, "Token", "MEDIUM", "abcdef"),
+        (1, "Password", "HIGH", "abcdef", PASSWORD_REASON),
+        (1, "Token", "MEDIUM", "abcdef", TOKEN_REASON),
     ]
 
 
@@ -140,15 +151,15 @@ def test_ast_nested_attribute():
     code = 'self.config.db.password = "abcdef"'
     result = detect_ast_secrets(code)
 
-    assert result == [(1, "Password", "HIGH", "abcdef")]
+    assert result == [(1, "Password", "HIGH", "abcdef", PASSWORD_REASON)]
 
 
 # Detect API keys in deeply nested attribute chains
 def test_ast_deep_nested_api_key():
     code = 'settings.auth.credentials.api_key = "12345678"'
     result = detect_ast_secrets(code)
 
-    assert result == [(1, "API Key", "HIGH", "12345678")]
+    assert result == [(1, "API Key", "HIGH", "12345678", API_KEY_REASON)]
 
 
 # Ignore unsupported assignment targets such as subscript assignments
@@ -164,7 +175,9 @@ def test_ast_complex_password_value():
     code = 'password = "abc_def-123#$%^&*()"'
     result = detect_ast_secrets(code)
 
-    assert result == [(1, "Password", "HIGH", "abc_def-123#$%^&*()")]
+    assert result == [
+        (1, "Password", "HIGH", "abc_def-123#$%^&*()", PASSWORD_REASON)
+    ]
 
 
 # Handle indented multiline code by normalizing indentation
@@ -175,4 +188,4 @@ def test_ast_dedented_multiline_code():
     """
     result = detect_ast_secrets(code)
 
-    assert result == [(2, "Password", "HIGH", "abcdef")]
+    assert result == [(2, "Password", "HIGH", "abcdef", PASSWORD_REASON)]

tests/test_cli.py

@@ -3,6 +3,12 @@
 import sys
 
 
+PASSWORD_REASON = (
+    "variable name matched password/pwd/passwd pattern and value met minimum length"
+)
+TOKEN_REASON = "variable name matched token pattern and value met minimum length"
+
+
 def run_cli(*args):
     """
     Run the SentinelScan CLI with the provided arguments.
@@ -46,7 +52,7 @@ def test_cli_json_schema():
     assert isinstance(data, list)
     assert len(data) > 0
 
-    required_keys = {"line", "file", "rule", "severity", "value"}
+    required_keys = {"line", "file", "rule", "severity", "value", "reason"}
 
     for finding in data:
         assert required_keys.issubset(finding.keys())
@@ -68,6 +74,7 @@ def test_cli_json_field_types():
         assert isinstance(finding["rule"], str)
         assert isinstance(finding["severity"], str)
         assert isinstance(finding["value"], str)
+        assert isinstance(finding["reason"], str)
 
 
 # Ensure JSON mode does not include human-readable CLI text
@@ -79,6 +86,7 @@ def test_cli_json_output_is_pure_json():
     assert "Scanning" not in result.stdout
     assert "--- Findings ---" not in result.stdout
     assert "Total findings" not in result.stdout
+    assert "Reason:" not in result.stdout
 
     data = parse_json_output(result)
     assert isinstance(data, list)
@@ -95,14 +103,15 @@ def test_cli_text_output_contains_expected_sections():
     assert "Total findings" in result.stdout
 
 
-# Ensure normal CLI output contains finding details
+# Ensure normal CLI output contains finding details and reasons
 def test_cli_text_output_contains_finding_details():
     result = run_cli("test_dirs")
 
     assert result.returncode == 0
 
     assert "[HIGH]" in result.stdout
     assert "→" in result.stdout
+    assert "Reason:" in result.stdout
 
 
 # Ensure HIGH severity filtering works in JSON mode
@@ -115,6 +124,7 @@ def test_cli_json_severity_high_filter():
 
     assert len(data) > 0
     assert all(finding["severity"] == "HIGH" for finding in data)
+    assert all("reason" in finding for finding in data)
 
 
 # Ensure MEDIUM severity filtering works in JSON mode
@@ -127,6 +137,7 @@ def test_cli_json_severity_medium_filter():
 
     assert len(data) > 0
     assert all(finding["severity"] == "MEDIUM" for finding in data)
+    assert all("reason" in finding for finding in data)
 
 
 # Ensure HIGH severity filtering works in text mode
@@ -137,6 +148,7 @@ def test_cli_text_severity_high_filter():
 
     assert "[HIGH]" in result.stdout
     assert "[MEDIUM]" not in result.stdout
+    assert "Reason:" in result.stdout
 
 
 # Ensure MEDIUM severity filtering works in text mode
@@ -147,6 +159,7 @@ def test_cli_text_severity_medium_filter():
 
     assert "[MEDIUM]" in result.stdout
     assert "[HIGH]" not in result.stdout
+    assert "Reason:" in result.stdout
 
 
 # Ensure JSON output and severity filtering work together
@@ -159,6 +172,7 @@ def test_cli_json_and_severity_combined():
 
     assert len(data) > 0
     assert all(finding["severity"] == "HIGH" for finding in data)
+    assert all("reason" in finding for finding in data)
 
 
 # Ensure invalid severity values are rejected by argparse
@@ -186,6 +200,7 @@ def test_cli_no_findings_text_output(tmp_path):
     assert result.returncode == 0
 
     assert "No vulnerabilities found." in result.stdout
+    assert "Reason:" not in result.stdout
 
 
 # Ensure benign Python files produce an empty JSON list
@@ -220,6 +235,7 @@ def test_cli_detects_secret_in_temp_directory(tmp_path):
             "rule": "Password",
             "severity": "HIGH",
             "value": "abcdef",
+            "reason": PASSWORD_REASON,
         }
     ]
 
@@ -248,3 +264,4 @@ def test_cli_text_filter_with_no_matching_findings(tmp_path):
     assert result.returncode == 0
 
     assert "No vulnerabilities found." in result.stdout
+    assert "Reason:" not in result.stdout