Address review: bound regex, revert scanFileForTokens, restore old-format test

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: hagould

lib/entry-points.js

@@ -52,15 +52,6 @@ test("isAuthToken", (t) => {
     ]),
     undefined,
   );
-  t.is(
-    isAuthToken(NEW_FORMAT_GHS_TOKEN, [
-      {
-        type: TokenType.ServerToServer,
-        pattern: /ghs_[A-Za-z0-9._-]{36,}/g,
-      },
-    ]),
-    TokenType.ServerToServer,
-  );
 });
 
 const testTokens = [
@@ -83,18 +74,29 @@ const testTokens = [
     type: TokenType.UserToServer,
     value: `ghu_${makeTestToken()}`,
   },
+  {
+    type: TokenType.ServerToServer,
+    value: `ghs_${makeTestToken()}`,
+    checkPattern: "Server-to-Server",
+    label: "legacy format",
+  },
   {
     type: TokenType.ServerToServer,
     value: NEW_FORMAT_GHS_TOKEN,
+    checkPattern: "Server-to-Server",
+    label: "new format",
   },
   {
     type: TokenType.Refresh,
     value: `ghr_${makeTestToken()}`,
   },
 ];
 
-for (const { type, value, checkPattern } of testTokens) {
-  test(`scanArtifactsForTokens detects GitHub ${type} tokens in files`, async (t) => {
+for (const { type, value, checkPattern, label } of testTokens) {
+  const testName = label
+    ? `scanArtifactsForTokens detects GitHub ${type} (${label}) tokens in files`
+    : `scanArtifactsForTokens detects GitHub ${type} tokens in files`;
+  test(testName, async (t) => {
     const logMessages = [];
     const logger = getRecordingLogger(logMessages, { logToConsole: false });
     const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "scanner-test-"));

src/artifact-scanner.test.ts

@@ -54,7 +54,7 @@ const GITHUB_TOKEN_PATTERNS: TokenPattern[] = [
   },
   {
     type: TokenType.ServerToServer,
-    pattern: /ghs_[A-Za-z0-9._-]{36,}/g,
+    pattern: /\bghs_[A-Za-z0-9._-]{36,516}(?![A-Za-z0-9._-])/g,
   },
   {
     type: TokenType.Refresh,
@@ -104,27 +104,16 @@ function scanFileForTokens(
   logger: Logger,
 ): TokenFinding[] {
   const findings: TokenFinding[] = [];
-  const seenMatches = new Set<number>();
   try {
     const content = fs.readFileSync(filePath, "utf8");
 
     for (const { type, pattern } of GITHUB_TOKEN_PATTERNS) {
-      const regex = new RegExp(pattern.source, pattern.flags);
-      let matchCount = 0;
-
-      for (const match of content.matchAll(regex)) {
-        const index = match.index;
-        if (index === undefined || seenMatches.has(index)) {
-          continue;
+      const matches = content.match(pattern);
+      if (matches) {
+        for (let i = 0; i < matches.length; i++) {
+          findings.push({ tokenType: type, filePath: relativePath });
         }
-
-        seenMatches.add(index);
-        findings.push({ tokenType: type, filePath: relativePath });
-        matchCount++;
-      }
-
-      if (matchCount > 0) {
-        logger.debug(`Found ${matchCount} ${type}(s) in ${relativePath}`);
+        logger.debug(`Found ${matches.length} ${type}(s) in ${relativePath}`);
       }
     }