Fix generic-api-key false positive on import/destructuring lines

Add secretGroup = 1 to the generic-api-key rule so allowlist checks run
against the captured secret value (group 1) instead of the full regex match.
Without this, lines like `from config import STRIPE_API_KEY, SECRET` trigger
a false positive because the full match contains commas/spaces that bypass
the plain-identifier allowlist.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Chhinna

changelog.md

@@ -1,5 +1,7 @@
 # Changelog
 
+## [0.4.6] - 17/04/2026
+- Secrets false positive
 
 ## [0.4.5] - 13/04/2026
 - Selected commits review

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeant-cli",
-  "version": "0.4.5",
+  "version": "0.4.6",
   "description": "Code review CLI tool",
   "type": "module",
   "bin": {

src/rules/secrets.toml

@@ -1173,6 +1173,11 @@ id = "generic-api-key"
 description = "Detected a Generic API Key, potentially exposing access to various services and sensitive operations."
 regex = '''(?i)[\w.-]{0,50}?(?:access|auth|(?-i:[Aa]pi|API)|credential|creds|key|passw(?:or)?d|secret|token)(?:[ \t\w.-]{0,20})[\s'"]{0,3}(?:=|>|:{1,3}=|\|\||:|=>|\?=|,)[\x60'"\s=]{0,5}([\w.=-]{10,150}|[a-z0-9][a-z0-9+/]{11,}={0,3})(?:\\?['"\x60]|[\s;]|\\[nr]|$)'''
 entropy = 3.5
+# secretGroup = 1: the regex captures the actual secret value in group 1.
+# Without this, the full match (including variable names, commas, spaces) is
+# treated as the "secret", causing allowlist checks like ^[a-zA-Z_.-]+$ to fail
+# on import/destructuring lines (e.g. "from config import STRIPE_API_KEY, SECRET").
+secretGroup = 1
 keywords = [
     "access",
     "api",

tests/secretsApiHelper.test.js

@@ -188,6 +188,39 @@ describe('Secrets detection e2e tests', () => {
       expect(result.secretsDetected.flatMap(f => f.secrets)).toHaveLength(0);
     }, 30000);
 
+    it('no secrets in Python import statements with keyword-like variable names', async () => {
+      writeFile('src/app.py', [
+        'import time',
+        'from fastapi import Request',
+        'from api.config import STRIPE_API_KEY, STRIPE_PAYMENT_WEBHOOK_SECRET',
+        'from mangum import Mangum',
+        'from starlette.responses import JSONResponse',
+        ''
+      ].join('\n'));
+      git('add src/app.py');
+
+      const result = await scanSecrets('staged-only');
+
+      const pyFile = result.secretsDetected.find(f => f.file_path === 'src/app.py');
+      const pySecrets = pyFile ? pyFile.secrets : [];
+      expect(pySecrets).toHaveLength(0);
+    }, 30000);
+
+    it('no secrets in JS destructured imports with keyword-like names', async () => {
+      writeFile('src/config-loader.js', [
+        'const { API_KEY, SECRET_TOKEN, AUTH_CREDENTIAL } = require("./config");',
+        'module.exports = { API_KEY, SECRET_TOKEN, AUTH_CREDENTIAL };',
+        ''
+      ].join('\n'));
+      git('add src/config-loader.js');
+
+      const result = await scanSecrets('staged-only');
+
+      const jsFile = result.secretsDetected.find(f => f.file_path === 'src/config-loader.js');
+      const jsSecrets = jsFile ? jsFile.secrets : [];
+      expect(jsSecrets).toHaveLength(0);
+    }, 30000);
+
     it('no secrets in placeholder/example values', async () => {
       writeFile('src/config.example.js', [
         'module.exports = {',