Fixed false positive secret detection

Author: Chrilleweb

CHANGELOG.md

@@ -7,27 +7,34 @@ This project follows [Keep a Changelog](https://keepachangelog.com/) and [Semant
 
 ### Added
 
-- 
+-
 
 ### Changed
 
-- 
+-
 
 ### Fixed
 
 -
 
 ## [2.3.12] - 2025-12-18
+
 ### Added
+
 - Added warnings count to scan usage stats.
 
 ### Changed
+
 - Updated dependencies to latest versions.
 - Moved `healthScore` further down on the console output for better visibility of issues.
 - Removed used variables output from scan usage to reduce noise.
 - Removed header output from scan usage to reduce noise.
 - Shortened config file path in CLI output to show only the filename.
 
+### Fixed
+
+- Fixed false positive secret detection for certain harmless attribute keys in codebase scanner.
+
 ## [2.3.11] - 2025-12-13
 
 ### Changed

src/core/secretDetectors.ts

@@ -44,6 +44,10 @@ const HARMLESS_URLS = [
   /xmlns=["']http:\/\/www\.w3\.org\/2000\/svg["']/i, // SVG namespace
 ];
 
+// Known harmless attribute keys commonly used in UI / analytics
+const HARMLESS_ATTRIBUTE_KEYS =
+  /\b(trackingId|trackingContext|data-testid|data-test|aria-label)\b/i;
+
 /**
  * Determines the severity of a secret finding.
  * @param kind 'pattern' | 'entropy'
@@ -256,7 +260,10 @@ export function detectSecretsInSource(
 
     // 1) Suspicious key literal assignments
     if (SUSPICIOUS_KEYS.test(line)) {
-      const m = line!.match(/=\s*["'`](.+?)["'`]/);
+      // Ignore known harmless UI / analytics attributes
+      if (HARMLESS_ATTRIBUTE_KEYS.test(line)) continue;
+
+      const m = line.match(/=\s*["'`](.+?)["'`]/);
       if (
         m &&
         m[1] &&

src/ui/scan/printStats.ts

@@ -27,9 +27,7 @@ export function printStats(
   console.log(
     chalk.magenta.dim(`   Unique variables: ${stats.uniqueVariables}`),
   );
-  console.log(
-    chalk.magenta.dim(`   Warnings: ${stats.warningsCount}`),
-  );
+  console.log(chalk.magenta.dim(`   Warnings: ${stats.warningsCount}`));
   console.log(
     chalk.magenta.dim(`   Scan duration: ${stats.duration.toFixed(2)}s`),
   );

test/e2e/cli.secrets.e2e.test.ts

@@ -270,4 +270,32 @@ describe('secrets detection (default scan mode)', () => {
     expect(res.status).toBe(0);
     expect(res.stdout).not.toContain('Potential secrets detected in codebase:');
   });
+  it('does not warn on UI tracking attributes containing auth keywords', () => {
+    const cwd = tmpDir();
+
+    fs.writeFileSync(path.join(cwd, '.env'), 'DUMMY=\n');
+    fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
+
+    fs.writeFileSync(
+      path.join(cwd, 'src', 'page.svelte'),
+      `
+    <script>
+      const trackingId = "users-reset-password-button";
+      const trackingContext = "users-reset-password-confirmation-modal";
+    </script>
+
+    <button
+      trackingId="users-reset-password-button"
+      trackingContext="users-reset-password-confirmation-modal"
+    >
+      Reset password
+    </button>
+    `.trimStart(),
+    );
+
+    const res = runCli(cwd, []);
+
+    expect(res.status).toBe(0);
+    expect(res.stdout).not.toContain('Potential secrets detected in codebase:');
+  });
 });