initial: Syntrex extraction from sentinel-community (615 files)

2026-05-08 11:02:37 +02:00 · 2026-03-11 15:12:02 +10:00 · 2026-03-11 15:12:02 +10:00 · 2c50c993b1
commit 2c50c993b1
175 changed files with 32396 additions and 0 deletions
--- a/internal/domain/oracle/secret_scanner_test.go
+++ b/internal/domain/oracle/secret_scanner_test.go
@ -0,0 +1,92 @@
+package oracle
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestScanForSecrets_CleanCode(t *testing.T) {
+	code := `package main
+
+import "fmt"
+
+func main() {
+	fmt.Println("hello world")
+	x := 42
+	y := x + 1
+}
+`
+	result := ScanForSecrets(code)
+	assert.False(t, result.HasSecrets, "clean code should not trigger")
+	assert.Empty(t, result.Detections)
+}
+
+func TestScanForSecrets_APIKey(t *testing.T) {
+	code := `config := map[string]string{
+	"api_key": "sk-1234567890abcdefghijklmnopqrstuv",
+}`
+	result := ScanForSecrets(code)
+	assert.True(t, result.HasSecrets, "API key should be detected")
+	assert.NotEmpty(t, result.Detections)
+
+	found := false
+	for _, d := range result.Detections {
+		if strings.Contains(d, "PATTERN") {
+			found = true
+		}
+	}
+	assert.True(t, found, "should have PATTERN detection")
+}
+
+func TestScanForSecrets_GitHubPAT(t *testing.T) {
+	code := `TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
+`
+	result := ScanForSecrets(code)
+	assert.True(t, result.HasSecrets)
+}
+
+func TestScanForSecrets_OpenAIKey(t *testing.T) {
+	code := `OPENAI_KEY = "sk-abcdefghijklmnopqrstuvwxyz123456789"`
+	result := ScanForSecrets(code)
+	assert.True(t, result.HasSecrets)
+}
+
+func TestScanForSecrets_PrivateKey(t *testing.T) {
+	code := `-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA...etc
+-----END RSA PRIVATE KEY-----`
+	result := ScanForSecrets(code)
+	assert.True(t, result.HasSecrets)
+}
+
+func TestScanForSecrets_HighEntropyLine(t *testing.T) {
+	// Random-looking base64 string (high entropy).
+	code := `data = "aJ7kL9mX2pQwR5tY8vB3nZ0cF6gH1iE4dA-s_uO+M/W*xU@!%^&"`
+	result := ScanForSecrets(code)
+	assert.True(t, result.HasSecrets, "high entropy line should trigger")
+	assert.Greater(t, result.MaxEntropy, 4.0)
+}
+
+func TestScanForSecrets_CommentsIgnored(t *testing.T) {
+	code := `// api_key = "sk-1234567890abcdefghijklmnopqrstuv"
+# secret = "very-long-secret-value-that-should-be-ignored"
+`
+	result := ScanForSecrets(code)
+	// Pattern matching still catches it in the raw content,
+	// but entropy check skips comments.
+	// The pattern matcher scans raw content, so this WILL trigger.
+	assert.True(t, result.HasSecrets)
+}
+
+func TestScanForSecrets_DBConnectionString(t *testing.T) {
+	code := `dsn := "postgres://user:password@localhost:5432/mydb?sslmode=disable"`
+	result := ScanForSecrets(code)
+	assert.True(t, result.HasSecrets)
+}
+
+func TestScanForSecrets_ScannerRuleCount(t *testing.T) {
+	result := ScanForSecrets("")
+	assert.Equal(t, 8, result.ScannerRules, "should have 8 pattern rules")
+}