});
test("detects bearer token (lowercase)", () => {
- const text = "bearer abcdefghijklmnopqrstuvwxyz1234567890";
+ const text = "bearer abcdefghijklmnopqrstuvwxyz1234567890ABCD";
const result = detectSecrets(text, bearerConfig);
expect(result.detected).toBe(true);
expect(result.matches[0].type).toBe("BEARER_TOKEN");
}
// JWT tokens: three base64url segments separated by dots
- // Header starts with eyJ (base64 for {"...)
+ // Header starts with eyJ (base64 for {"...), minimum 20 chars per segment
if (entitiesToDetect.has("JWT_TOKEN")) {
- const jwtPattern = /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]+/g;
+ const jwtPattern = /eyJ[a-zA-Z0-9_-]{20,}\.eyJ[a-zA-Z0-9_-]{20,}\.[a-zA-Z0-9_-]{20,}/g;
detectPattern(textToScan, jwtPattern, "JWT_TOKEN", matches, redactions);
}
// Bearer tokens in Authorization-style contexts
- // Matches "Bearer " followed by a token (at least 20 chars)
+ // Matches "Bearer " followed by a token (at least 40 chars to reduce placeholder matches)
if (entitiesToDetect.has("BEARER_TOKEN")) {
- const bearerPattern = /Bearer\s+[a-zA-Z0-9._-]{20,}/gi;
+ const bearerPattern = /Bearer\s+[a-zA-Z0-9._-]{40,}/gi;
detectPattern(textToScan, bearerPattern, "BEARER_TOKEN", matches, redactions);
}
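Review bot: The `{20,}` minimum on the first JWT segment in the new jwtPattern excludes the compact header `{"alg":"none"}`, which base64url-encodes to the 19-character `eyJhbGciOiJub25lIn0`, so unsigned tokens carrying real claims would no longer be detected at all; the same `{20,}` on the third segment rejects the empty signature such tokens have, so the two constraints compound. Keeping the placeholder-filtering intent on the payload segment while relaxing the header, e.g. `const jwtPattern = /eyJ[a-zA-Z0-9_-]{16,}\.eyJ[a-zA-Z0-9_-]{20,}\.[a-zA-Z0-9_-]*/g;`, would restore coverage; if empty signatures are deliberately out of scope, the comment above the pattern should say so. The bearer test in the earlier hunk only asserts detection at exactly 40 characters, so a companion case with a 39-character token asserting `result.detected` is false would pin the new threshold against accidental regression. The enclosing detection function begins outside this hunk, so I could not confirm how `entitiesToDetect` is populated.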