fix(detectors): skip GitLab v1 candidates with no digits to reduce false positives

[AlexanderSanin]

Summary

Fixes a false positive in the GitLab v1 detector where Dockerfile ARG variable names (e.g. MAVEN_SETTINGS_PROFILE) are reported as GitLab secrets.

Root cause: PrefixRegex matches up to 40 characters ahead of a gitlab keyword, including newlines. In a Dockerfile like:

ARG GITLAB_ACCESS_TOKEN_TYPE=Private-Token
ARG GITLAB_ACCESS_TOKEN
ARG MAVEN_SETTINGS_PROFILE=test

MAVEN_SETTINGS_PROFILE (22 chars, all [a-zA-Z0-9_]) falls within the 40-char window of the second GITLAB keyword and clears the Shannon-entropy check (~4.1 > 3.6 threshold) because its letters are varied. It is then emitted as a finding.

Fix: Add the detectors.KeyIsRandom guard that already exists elsewhere in the codebase. Real GitLab personal access tokens are random and always contain at least one digit; environment-variable names like MAVEN_SETTINGS_PROFILE never do. Candidates with no digits are now skipped before the (potentially network-bound) verification step.

Closes #4756

Test plan

• New pattern test no_false_positive_for_Dockerfile_ARG_variable_name_after_GITLAB_ACCESS_TOKEN reproduces the exact Dockerfile from the issue and asserts zero results
• Existing pattern tests (valid pattern, valid pattern (with = before secret)) continue to pass — real tokens contain digits and are unaffected
• go test ./pkg/detectors/gitlab/v1/... -run TestGitLab_Pattern -v → all PASS

Signed-off-by: Oleksandr Sanin alexaaander.sanin@gmail.com

---

Note

Low Risk
Local heuristic filter on detector candidates only; legitimate tokens with digits are unchanged.

Overview
The GitLab v1 detector now drops candidate matches that fail detectors.KeyIsRandom (no digit in the string), after the existing Shannon-entropy filter and before verification.

This targets false positives where Dockerfile ARG names (e.g. MAVEN_SETTINGS_PROFILE) sit within the PrefixRegex window of a gitlab keyword across newlines and still pass entropy. Real v1 tokens are expected to include at least one digit.

A pattern regression test covers the issue #4756 Dockerfile snippet and expects zero findings.

^{Reviewed by Cursor Bugbot for commit 52ba5e9. Bugbot is set up for automated code reviews on this repo. Configure here.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[AlexanderSanin]

Hey @camgunz @amanfcp. Could you, please, have a look at this?

[shahzadhaider1]

thank you