fix(postgres): honor ignore tag without explicit port#4989
Open
kiranmagic7 wants to merge 2 commits into
Conversation
MuneebUllahKhan222
approved these changes
Jun 4, 2026
Contributor
MuneebUllahKhan222
left a comment
@kiranmagic7 Thanks for the contribution, this PR looks solid. I’ve added one comment that should be addressed.
| RawV2: raw, | ||
| SecretParts: map[string]string{"connection_string": string(raw)}, | ||
| } | ||
| result.SetPrimarySecretValue(candidate.uri) |
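Review bot: `SecretParts["connection_string"]` still carries the normalized `raw`, so anything that reads the connection string from `SecretParts` sees `:5432` even when the source omitted it, while `result.SetPrimarySecretValue(candidate.uri)` records the un-normalized source text for the same finding; if that split is intended (it matches `Raw`/`RawV2`), a short comment above the `SetPrimarySecretValue` line stating that the primary value alone is the verbatim source match, kept so the engine's line-offset and ignore-tag search can find it, would stop a later cleanup from collapsing the two back to `raw`.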
Contributor
Can you add this comment above this line:
Set the un-normalized raw match as the primary secret value.
This ensures that the engine's line-offset and ignore-tag matching logic
(which searches the source document for the exact string) can locate the match,
even though Raw/RawV2 are stored in a normalized form.
Author
Added in b8bd18e. I kept the wording concise and reran `go test ./pkg/detectors/postgres -count=1`, `go test ./pkg/engine -count=1`, and `git diff --check`.
shahzadhaider1
approved these changes
Jun 5, 2026
What changed

- `Raw`/`RawV2` value unchanged, including the default `:5432` port.
- `# trufflehog:ignore` on a Postgres URI without an explicit port.

Why

Postgres detector output normalizes missing ports into `:5432`. For a source line like:

that normalized value does not appear verbatim in the source chunk, so the engine cannot locate the finding line and the same-line ignore tag is skipped; the line number is also ignored, making it hard to locate the secret from sources that support line numbers. Using the matched URI as the line-location primary secret lets the engine find the original source text while preserving the existing normalized finding identity.

Fixes #4962.
Tests run

- `PATH="/opt/homebrew/opt/go@1.25/bin:$PATH" go test ./pkg/engine -run TestEngineignoreLine -count=1` failed on the new no-port regression with `expected: 0`, `actual: 1`.
- `PATH="/opt/homebrew/opt/go@1.25/bin:$PATH" gofmt -w pkg/detectors/postgres/postgres.go pkg/detectors/postgres/postgres_test.go pkg/engine/engine_test.go`.
- `PATH="/opt/homebrew/opt/go@1.25/bin:$PATH" go test ./pkg/detectors/postgres -run 'TestPostgres_(Pattern|ExtraData|PrimarySecretUsesMatchedURI|FromDataWithIgnorePattern)' -count=1` passed.
- `PATH="/opt/homebrew/opt/go@1.25/bin:$PATH" go test ./pkg/engine -run TestEngineignoreLine -count=1` passed.
- `PATH="/opt/homebrew/opt/go@1.25/bin:$PATH" go test ./pkg/detectors/postgres -count=1` passed.
- `PATH="/opt/homebrew/opt/go@1.25/bin:$PATH" go test ./pkg/engine -run 'Test(FragmentLineOffset|AssignDuplicateLineOffsets|EngineignoreLine)' -count=1` passed.
- `PATH="/opt/homebrew/opt/go@1.25/bin:$PATH" go test ./pkg/detectors/postgres ./pkg/engine -run 'TestPostgres_|TestFragmentLineOffset|TestAssignDuplicateLineOffsets|TestEngineignoreLine' -count=1` passed.
- `PATH="/opt/homebrew/opt/go@1.25/bin:$PATH" go test ./pkg/engine -count=1` passed.
- `git diff --check` passed.

CLI proof on the built branch binary:
Compatibility and risk

This does not change the emitted Postgres `Raw`, `RawV2`, `SecretParts`, verification parameters, or default-port normalization. The matched URI is only used for line-number and ignore-tag lookup, matching the engine's existing primary-secret path for detectors whose displayed result differs from the exact source match.

Note
Low Risk

Scoped to Postgres line-location metadata; normalized secret output and verification paths are unchanged per PR intent.

Overview

Fixes Postgres findings where the detector normalizes URIs (e.g. injects default `:5432`) so the emitted `Raw` no longer appears verbatim in the source. The engine could not match the secret to a line, so `# trufflehog:ignore` on the same line failed and line numbers were wrong when the URI omitted an explicit port.

The detector now keeps the exact matched URI as the primary secret (via `SetPrimarySecretValue`) for line-offset and ignore-tag lookup, while `Raw`/`RawV2`/verification behavior stay normalized as before. `findUriMatches` returns `uriMatch` pairs of original URI plus parsed params. Regression tests cover primary-secret vs normalized `Raw` and an engine case for ignore tags on URIs without an explicit port.

Reviewed by Cursor Bugbot for commit b8bd18e.
SetPrimarySecretValue) for line-offset and ignore-tag lookup, whileRaw/RawV2/ verification behavior stay normalized as before.findUriMatchesreturnsuriMatchpairs of original URI plus parsed params. Regression tests cover primary-secret vs normalizedRawand an engine case for ignore tags on URIs without an explicit port.Reviewed by Cursor Bugbot for commit b8bd18e. Bugbot is set up for automated code reviews on this repo. Configure here.