@oculum/scanner 1.0.11 → 1.0.13

package/src/{layer1 → detect/secrets}/entropy.ts

@@ -3,7 +3,8 @@
  * Uses Shannon entropy to detect potential secrets that don't match known patterns
  */
 
-import type { Vulnerability } from '../types'
+import type { Vulnerability } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
 import {
   isTestOrMockFile,
   isComment,
@@ -11,7 +12,10 @@ import {
   isExampleFile,
   isFixtureFile,
   isExampleDirectory,
-} from '../utils/context-helpers'
+} from '../../parse/file-classifier'
+
+// Base confidence for entropy-based findings (statistical, requires AI validation)
+const BASE_CONFIDENCE = 0.30
 
 // Shannon entropy calculation
 export function calculateEntropy(str: string): number {
@@ -151,19 +155,23 @@ function isTemplateWithCode(str: string, lineContent: string): boolean {
   if (!lineContent.includes('`') && !lineContent.includes('${')) {
     return false
   }
-  
+
+  // Multiple interpolations (3+) = formatting string, not a secret
+  const interpolationCount = (lineContent.match(/\$\{/g) || []).length
+  if (interpolationCount >= 3) {
+    return true
+  }
+
   // Common code patterns inside template literals that create high entropy
   const codePatterns = [
-    /\$\{[^}]*\.(toString|padStart|padEnd|toFixed|toLocaleString)\s*\(/i,  // Method calls
+    /\$\{[^}]*\.\w+\s*\(/,  // Method call inside interpolation: ${x.foo()}
+    /\$\{\w+\s*\(/,  // Function call inside interpolation: ${funcName(...)}
     /\$\{[^}]*\?\.[^}]*\}/,  // Optional chaining
     /\$\{[^}]*\s*\?\s*[^:]+\s*:\s*[^}]+\}/,  // Ternary operators
     /var\s*\(\s*\$\{/,  // CSS var() with template
-    /\$\{[^}]*\.find\s*\(/i,  // Array methods
-    /\$\{[^}]*\.map\s*\(/i,
-    /\$\{[^}]*\.filter\s*\(/i,
-    /\$\{new\s+Date\(\)/i,  // Date formatting
+    /\$\{new\s+\w+\(/i,  // Constructor calls: ${new Date()}
   ]
-  
+
   return codePatterns.some(pattern => pattern.test(lineContent))
 }
 
@@ -331,11 +339,14 @@ function isDocumentationFile(filePath: string): boolean {
   return docPatterns.some(p => p.test(filePath))
 }
 
-// Check if string is a console.log/debug statement content
+// Check if string is a logging/output statement content
 function isDebugLogContent(lineContent: string): boolean {
   const debugPatterns = [
     /console\.(log|debug|info|warn|error)\s*\(/i,
     /logger\.(log|debug|info|warn|error)\s*\(/i,
+    /\bthis\.log\s*\(/i,                          // Instance method logging
+    /\bcore\.(info|debug|warning|error|notice)\s*\(/i,  // GitHub Actions core
+    /\bvscode\.window\.show(Information|Warning|Error)Message\s*\(/i,  // VS Code API
     /\[.*Debug.*\]/i,
     /\[.*Log.*\]/i,
   ]
@@ -373,6 +384,161 @@ function isCommandLineSnippet(value: string, lineContent: string): boolean {
   return (hasCommandContext || looksLikeEnvAssignment || looksLikeCommand) && hasMultipleTokens
 }
 
+/**
+ * Check if string is a SQL query (not a secret)
+ * SQL queries have high entropy due to mixed case keywords and table names
+ */
+function isSQLQuery(value: string, lineContent: string): boolean {
+  const sqlPatterns = [
+    /\bSELECT\s+/i,
+    /\bINSERT\s+INTO\b/i,
+    /\bUPDATE\s+.*\bSET\b/i,
+    /\bDELETE\s+FROM\b/i,
+    /\bCREATE\s+(TABLE|INDEX|DATABASE)\b/i,
+    /\bALTER\s+TABLE\b/i,
+    /\bDROP\s+(TABLE|INDEX|DATABASE)\b/i,
+    /\bJOIN\s+.*\bON\b/i,
+    /\bWHERE\s+/i,
+    /\bGROUP\s+BY\b/i,
+    /\bORDER\s+BY\b/i,
+    /\bHAVING\s+/i,
+    /\bUNION\s+/i,
+  ]
+
+  // Tagged template literal SQL context
+  const sqlContextPatterns = [
+    /\bsql`/i,           // Drizzle, Kysely, etc.
+    /\bprisma\.\$queryRaw/i,
+    /\.query\s*\(/i,
+    /\.execute\s*\(/i,
+    /\.raw\s*\(/i,
+  ]
+
+  return (
+    sqlPatterns.some(p => p.test(value)) ||
+    sqlContextPatterns.some(p => p.test(lineContent))
+  )
+}
+
+/**
+ * Check if string is an i18n/translation string (not a secret)
+ * Internationalization strings can have high entropy
+ */
+function isI18nString(value: string, lineContent: string): boolean {
+  const i18nPatterns = [
+    /defaultMessage\s*:/i,
+    /\bt\s*\(/i,             // t('key')
+    /\bi18n\./i,
+    /\buseTranslation/i,
+    /\bformatMessage\s*\(/i,
+    /\bintl\./i,
+    /\bmsg`/i,               // Lingui msg tagged template
+    /\btrans\s*\(/i,
+    /\b_\s*\(/i,             // Common i18n alias
+    /description\s*:/i,       // Often i18n context
+    /\bLocale/i,
+  ]
+
+  // Check if file is in i18n/locales directory
+  const isI18nFile = /\/(i18n|locales?|translations?|messages?)\//i.test(value)
+
+  return i18nPatterns.some(p => p.test(lineContent)) || isI18nFile
+}
+
+/**
+ * Check if string is a CSS transform or animation value (not a secret)
+ */
+function isCSSTransformOrAnimation(value: string): boolean {
+  const transformPatterns = [
+    /\btranslate(?:3d|X|Y|Z)?\s*\(/i,
+    /\brotate(?:3d|X|Y|Z)?\s*\(/i,
+    /\bscale(?:3d|X|Y|Z)?\s*\(/i,
+    /\bskew(?:X|Y)?\s*\(/i,
+    /\bmatrix(?:3d)?\s*\(/i,
+    /\bperspective\s*\(/i,
+    /\bcubic-bezier\s*\(/i,
+    /\bsteps\s*\(/i,
+    /\b(ease|linear|ease-in|ease-out|ease-in-out)\b/i,
+    /\btransform:\s*/i,
+    /\banimation:\s*/i,
+    /\btransition:\s*/i,
+    /\b@keyframes\b/i,
+  ]
+
+  return transformPatterns.some(p => p.test(value))
+}
+
+/**
+ * Check if string is a URL template/path pattern (not a secret)
+ * API routes and URL patterns can have high entropy
+ */
+function isURLTemplate(value: string): boolean {
+  // URL path with template variables
+  const urlTemplatePatterns = [
+    /^\/[a-zA-Z0-9_-]+(?:\/[a-zA-Z0-9_-]+)*(?:\/\$\{[^}]+\}|\/:[\w]+)+/,  // /api/users/${id} or /api/users/:id
+    /^https?:\/\/[^/]+\/.*\$\{/,  // Full URL with template
+    /\/\[[\w]+\]\//,              // Next.js dynamic routes: /[slug]/
+    /\/\[\.\.\.[^\]]+\]/,         // Next.js catch-all: /[...slug]
+    /\/:[\w]+\//,                 // Express-style params: /:id/
+    /\{[\w]+\}/,                  // OpenAPI-style params: {userId}
+  ]
+
+  return urlTemplatePatterns.some(p => p.test(value))
+}
+
+/**
+ * Check if string is a blockchain address (not a secret)
+ * Public blockchain addresses have high entropy but are meant to be public
+ */
+function isBlockchainAddress(value: string): boolean {
+  const blockchainPatterns = [
+    // Ethereum addresses (0x followed by 40 hex chars)
+    /^0x[a-fA-F0-9]{40}$/,
+    // Bitcoin addresses (various formats)
+    /^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$/,      // Legacy P2PKH
+    /^3[a-km-zA-HJ-NP-Z1-9]{25,34}$/,          // P2SH
+    /^bc1[a-z0-9]{39,59}$/,                    // Bech32
+    // Solana addresses (base58, 32-44 chars)
+    /^[1-9A-HJ-NP-Za-km-z]{32,44}$/,
+  ]
+
+  return blockchainPatterns.some(p => p.test(value))
+}
+
+/**
+ * Check if string is shader/WebGL code (not a secret)
+ * Shader code has high entropy due to mathematical notation
+ */
+function isShaderCode(value: string, lineContent: string): boolean {
+  const shaderPatterns = [
+    // GLSL keywords and functions
+    /\bgl_\w+\b/,                  // gl_Position, gl_FragColor, etc.
+    /\bvec[234]\s*\(/,             // vec2(), vec3(), vec4()
+    /\bmat[234]\s*\(/,             // mat2(), mat3(), mat4()
+    /\buniform\s+\w+/,             // uniform declarations
+    /\bvarying\s+\w+/,             // varying declarations
+    /\battribute\s+\w+/,           // attribute declarations
+    /\bprecision\s+(highp|mediump|lowp)/,
+    /\bfloat\s+\w+\s*=/,          // float variable declarations
+    /\bsampler2D\b/,
+    /\btexture2D\s*\(/,
+    /\bnormalize\s*\(/,
+    /\bdot\s*\(/,
+    /\bcross\s*\(/,
+    /\bmix\s*\(/,
+    /\bclamp\s*\(/,
+    /\bstep\s*\(/,
+    /\bsmoothstep\s*\(/,
+    // WebGL context indicators
+    /\bWebGLRenderingContext\b/,
+    /\.createShader\s*\(/,
+    /\.shaderSource\s*\(/,
+    /\.compileShader\s*\(/,
+  ]
+
+  return shaderPatterns.some(p => p.test(value) || p.test(lineContent))
+}
+
 
 // Check if string is inline style (JSX or HTML)
 function isInlineStyle(lineContent: string): boolean {
@@ -478,12 +644,68 @@ function isEnvVarPlaceholder(lineContent: string, value: string): boolean {
   )
 }
 
+/**
+ * Check if string is a CSS calc pattern or similar dynamic expression
+ * These can have high entropy but are not secrets
+ */
+function isCSSCalcOrExpression(value: string, lineContent: string): boolean {
+  const calcPatterns = [
+    // CSS calc with template literal: `${(100 / steps.length) * order}%`
+    /\$\{[^}]*\/[^}]*\}.*%/,
+    // CSS calc function
+    /calc\s*\(/i,
+    // Window env injection: `window.__ENV__ = ${JSON.stringify(env)}`
+    /window\.__[A-Z_]+__\s*=/,
+    // Boolean expressions with process.env
+    /&&.*process\.env\.|process\.env\.\w+\s*&&/,
+    // Path construction patterns: `/path/${var}/endpoint`
+    /\/[^/]+\/\$\{[^}]+\}\/[^/]+/,
+    // Array/object destructuring patterns
+    /\[\s*\d+\s*\]\s*=/,
+    // Numeric calculations in template literals
+    /\$\{\s*\d+\s*[\/*+-]\s*\d+/,
+    // JSON.stringify in template
+    /JSON\.stringify\s*\(/,
+    // Object spread/spread operator patterns
+    /\.\.\.\w+/,
+  ]
+
+  return calcPatterns.some(p => p.test(value) || p.test(lineContent))
+}
+
+/**
+ * Check if file is minified JavaScript
+ * Minified files have high entropy strings that are NOT secrets
+ */
+function isMinifiedFile(filePath: string): boolean {
+  const minifiedPatterns = [
+    /\.min\.js$/i,
+    /\.min\.mjs$/i,
+    /\.min\.cjs$/i,
+    /\.bundle\.js$/i,
+    /-min\.js$/i,
+    /\.packed\.js$/i,
+    /\.compressed\.js$/i,
+    /\/dist\/.*\.js$/i,    // dist/ typically contains bundled/minified output
+    /\/build\/.*\.js$/i,   // build/ output directories
+    /\/vendor\//i,         // vendor directories
+    /\/node_modules\//i,   // node_modules should never be scanned anyway
+  ]
+  return minifiedPatterns.some(p => p.test(filePath))
+}
+
 export function detectHighEntropyStrings(
   content: string,
-  filePath: string
+  filePath: string,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
 
+  // Skip minified files - they have high entropy but no actual secrets
+  if (isMinifiedFile(filePath)) {
+    return vulnerabilities
+  }
+
   // Skip scanner/fixture files to avoid self-detection
   if (isScannerOrFixtureFile(filePath)) {
     return vulnerabilities
@@ -533,6 +755,9 @@ export function detectHighEntropyStrings(
     // Skip environment variable placeholders (shell scripts, test files)
     if (isEnvVarPlaceholder(lineContent, value)) continue
 
+    // Skip CSS calc patterns and dynamic expressions
+    if (isCSSCalcOrExpression(value, lineContent)) continue
+
     // Skip safe patterns
     if (isSafePattern(value)) continue
 
@@ -548,6 +773,24 @@ export function detectHighEntropyStrings(
     // Skip CLI command/usage snippets (flags/commands can look high-entropy)
     if (isCommandLineSnippet(value, lineContent)) continue
 
+    // Skip SQL queries (SELECT, INSERT, etc. have high entropy but aren't secrets)
+    if (isSQLQuery(value, lineContent)) continue
+
+    // Skip i18n/translation strings
+    if (isI18nString(value, lineContent)) continue
+
+    // Skip CSS transforms/animations
+    if (isCSSTransformOrAnimation(value)) continue
+
+    // Skip URL templates and path patterns
+    if (isURLTemplate(value)) continue
+
+    // Skip blockchain addresses (public, not secrets)
+    if (isBlockchainAddress(value)) continue
+
+    // Skip shader/WebGL code (high entropy but not secrets)
+    if (isShaderCode(value, lineContent)) continue
+
     // Skip regex/route matcher patterns
     if (isRegexPattern(value)) continue
 
@@ -608,7 +851,9 @@ export function detectHighEntropyStrings(
           description: `High-entropy string found (entropy: ${entropy.toFixed(2)}). This may be a hardcoded secret, API key, or password.${inTestFile ? ' (in test file)' : ''}`,
           suggestedFix: 'Move this value to an environment variable and access it via process.env',
           confidence,
+          baseConfidence: BASE_CONFIDENCE,
           layer: 1,
+        source: 'secrets' as const,
           requiresAIValidation: true,  // Entropy findings must be validated by AI
         })
       }

package/src/{layer1 → detect/secrets}/index.ts

@@ -4,27 +4,24 @@
  * file flags, comment analysis, URL detection, and weak crypto detection
  */
 
-import type { Vulnerability, ScanFile, CancellationToken } from '../types'
-import type { ProgressCallback } from '../index'
+import type { Vulnerability, ScanFile, CancellationToken } from '../../shared/types'
+import type { ProgressCallback } from '../../shared/types'
 import { detectHighEntropyStrings } from './entropy'
 import { detectKnownPatterns } from './patterns'
 import { auditConfiguration } from './config-audit'
-import { detectDangerousFiles } from './file-flags'
-import { detectAICommentPatterns } from './comments'
-import { detectSensitiveURLs } from './urls'
+import { detectDangerousFiles } from '../config/file-flags'
+import { detectAICommentPatterns } from '../config/comments'
+import { detectSensitiveURLs } from '../config/urls'
 import { detectWeakCrypto } from './weak-crypto'
 import { detectMCPConfigIssues } from './config-mcp-audit'
-import {
-  type TierStats,
-  computeTierStats,
-  formatTierStats,
-  getLayer1DetectorTier,
-  type Layer1DetectorName,
-} from '../tiers'
+import { detectAgentSkillInjection } from '../config/agent-skill-injection'
+// Tier system removed in Phase 2B — confidence scoring handles routing
 import {
   filterFindingsByPath,
   type ExclusionConfig,
-} from '../utils/path-exclusions'
+} from '../../parse/path-exclusions'
+import { severityRank } from '../../shared/parsed-file'
+import { ParsedFile } from '../../shared/parsed-file'
 
 /**
  * Layer 1 detector stats for raw finding counts before deduplication
@@ -34,8 +31,6 @@ export interface Layer1Stats {
   raw: Record<string, number>
   /** Deduped finding counts per category */
   deduped: Record<string, number>
-  /** Tier breakdown of deduped findings */
-  tiers: TierStats
   /** Number of findings suppressed by path exclusions */
   suppressedByPath: number
 }
@@ -48,8 +43,18 @@ export interface Layer1Result {
   stats: Layer1Stats
 }
 
-// Extended stats type to include MCP config detector
-type Layer1StatsRecord = Record<Layer1DetectorName, number> & { mcp_config: number }
+// Layer 1 detector stat keys
+type Layer1StatsRecord = {
+  known_secrets: number
+  weak_crypto: number
+  sensitive_urls: number
+  entropy: number
+  config_audit: number
+  file_flags: number
+  ai_comments: number
+  mcp_config: number
+  agent_skill: number
+}
 
 // Process a single file through all Layer 1 detectors
 function processFileLayer1(file: ScanFile): {
@@ -65,16 +70,21 @@ function processFileLayer1(file: ScanFile): {
     file_flags: 0,
     ai_comments: 0,
     mcp_config: 0,
+    agent_skill: 0,
   }
 
-  const entropyFindings = detectHighEntropyStrings(file.content, file.path)
-  const patternFindings = detectKnownPatterns(file.content, file.path)
-  const configFindings = auditConfiguration(file.content, file.path)
-  const fileFlags = detectDangerousFiles(file.content, file.path)
-  const commentFindings = detectAICommentPatterns(file.content, file.path)
-  const urlFindings = detectSensitiveURLs(file.content, file.path)
-  const cryptoFindings = detectWeakCrypto(file.content, file.path)
-  const mcpConfigFindings = detectMCPConfigIssues(file.content, file.path)
+  // Create ParsedFile once for all detectors to share
+  const parsed = ParsedFile.from(file)
+
+  const entropyFindings = detectHighEntropyStrings(file.content, file.path, { parsed })
+  const patternFindings = detectKnownPatterns(file.content, file.path, { parsed })
+  const configFindings = auditConfiguration(file.content, file.path, { parsed })
+  const fileFlags = detectDangerousFiles(file.content, file.path, { parsed })
+  const commentFindings = detectAICommentPatterns(file.content, file.path, { parsed })
+  const urlFindings = detectSensitiveURLs(file.content, file.path, { parsed })
+  const cryptoFindings = detectWeakCrypto(file.content, file.path, { parsed })
+  const mcpConfigFindings = detectMCPConfigIssues(file.content, file.path, { parsed })
+  const agentSkillFindings = detectAgentSkillInjection(file.content, file.path, { parsed })
 
   stats.entropy = entropyFindings.length
   stats.known_secrets = patternFindings.length
@@ -84,6 +94,7 @@ function processFileLayer1(file: ScanFile): {
   stats.sensitive_urls = urlFindings.length
   stats.weak_crypto = cryptoFindings.length
   stats.mcp_config = mcpConfigFindings.length
+  stats.agent_skill = agentSkillFindings.length
 
   return {
     findings: [
@@ -95,6 +106,7 @@ function processFileLayer1(file: ScanFile): {
       ...urlFindings,
       ...cryptoFindings,
       ...mcpConfigFindings,
+      ...agentSkillFindings,
     ],
     stats,
   }
@@ -123,6 +135,7 @@ export async function runLayer1Scan(
     file_flags: 0,
     ai_comments: 0,
     mcp_config: 0,
+    agent_skill: 0,
   }
 
   // Track progress for frequent updates
@@ -175,13 +188,6 @@ export async function runLayer1Scan(
     dedupedStats[cat] = (dedupedStats[cat] || 0) + 1
   }
 
-  // Compute tier breakdown (all Layer 1 findings have layer: 1)
-  const tierStats = computeTierStats(
-    uniqueVulnerabilities.map(v => ({ category: v.category, layer: 1 as const }))
-  )
-
-  // Heuristic breakdown available in stats.raw and stats.tiers for debugging
-
   return {
     vulnerabilities: uniqueVulnerabilities,
     filesScanned: files.length,
@@ -189,7 +195,6 @@ export async function runLayer1Scan(
     stats: {
       raw: rawStats,
       deduped: dedupedStats,
-      tiers: tierStats,
       suppressedByPath: suppressed.length,
     },
   }
@@ -212,22 +217,14 @@ function deduplicateFindings(vulnerabilities: Vulnerability[]): Vulnerability[]
   return Array.from(seen.values())
 }
 
-function severityRank(severity: string): number {
-  const ranks: Record<string, number> = {
-    critical: 5,
-    high: 4,
-    medium: 3,
-    low: 2,
-    info: 1,
-  }
-  return ranks[severity] || 0
-}
+// severityRank imported from utils/parsed-file
 
 export { detectHighEntropyStrings } from './entropy'
 export { detectKnownPatterns } from './patterns'
 export { auditConfiguration } from './config-audit'
-export { detectDangerousFiles } from './file-flags'
-export { detectAICommentPatterns } from './comments'
-export { detectSensitiveURLs } from './urls'
+export { detectDangerousFiles } from '../config/file-flags'
+export { detectAICommentPatterns } from '../config/comments'
+export { detectSensitiveURLs } from '../config/urls'
 export { detectWeakCrypto } from './weak-crypto'
 export { detectMCPConfigIssues } from './config-mcp-audit'
+export { detectAgentSkillInjection } from '../config/agent-skill-injection'

package/src/{layer1 → detect/secrets}/patterns.ts

@@ -3,7 +3,8 @@
  * Curated library of high-fidelity regex patterns for detecting secrets
  */
 
-import type { SecretPattern, Vulnerability } from '../types'
+import type { SecretPattern, Vulnerability } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
 import {
   isServerOnlyFile,
   isExampleFile,
@@ -15,7 +16,14 @@ import {
   isScannerOrFixtureFile,
   isBYOKContext,
   getServiceRoleKeyContext,
-} from '../utils/context-helpers'
+  isPythonFile,
+  isInsidePythonDocstring,
+} from '../../parse/file-classifier'
+
+// Base confidence for known API key format patterns (AWS, GitHub, Stripe, etc.)
+const BASE_CONFIDENCE_KNOWN = 0.70
+// Base confidence for generic secret patterns (api_key=, secret_key=, etc.)
+const BASE_CONFIDENCE_GENERIC = 0.50
 
 // Check if file is documentation/README
 function isDocumentationFile(filePath: string): boolean {
@@ -43,8 +51,33 @@ function isDocumentationFile(filePath: string): boolean {
   return docPatterns.some(p => p.test(filePath))
 }
 
+// Check if value is a masked/redacted string (for safe logging)
+function isMaskedOrRedactedString(value: string): boolean {
+  const maskedPatterns = [
+    /\*{3,}/,                      // Three or more asterisks: ***
+    /^\w+:\/\/\*+$/,               // Protocol with just asterisks: redis://***
+    /^\w+:\/\/\*{3,}$/,            // Same pattern
+    /\[REDACTED\]/i,               // [REDACTED]
+    /\[MASKED\]/i,                 // [MASKED]
+    /\[HIDDEN\]/i,                 // [HIDDEN]
+    /\[REMOVED\]/i,                // [REMOVED]
+    /\[SECRET\]/i,                 // [SECRET]
+    /<REDACTED>/i,                 // <REDACTED>
+    /<MASKED>/i,                   // <MASKED>
+    /x{4,}/i,                      // xxxx (4+ x's)
+    /^\*+:/,                       // ***: at start (masked user)
+  ]
+
+  return maskedPatterns.some(p => p.test(value))
+}
+
 // Check if line contains example/sample placeholder values (not real secrets)
 function isExamplePlaceholder(line: string, value: string): boolean {
+  // First check if this is a masked/redacted string for safe logging
+  if (isMaskedOrRedactedString(value)) {
+    return true
+  }
+
   const placeholderPatterns = [
     // Common placeholder indicators in the line context
     /example/i,
@@ -291,9 +324,11 @@ export const SECRET_PATTERNS: SecretPattern[] = [
   },
   {
     name: 'Database Connection String',
-    pattern: /(mongodb|postgres|mysql|redis|amqp):\/\/[^\s"']+/gi,
+    // Only match connection strings WITH credentials (user:pass@ pattern)
+    // Skip credential-less URLs like redis://redis:6379 (Docker internal)
+    pattern: /(mongodb|postgres|mysql|redis|amqp)(\+srv)?:\/\/[^:@\s"']+:[^@\s"']+@[^\s"']+/gi,
     severity: 'high',
-    description: 'Database connection string detected - may contain credentials',
+    description: 'Database connection string with credentials detected',
   },
   // Additional patterns from checklist
   {
@@ -354,10 +389,11 @@ export const SECRET_PATTERNS: SecretPattern[] = [
 
 export function detectKnownPatterns(
   content: string,
-  filePath: string
+  filePath: string,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
-  const lines = content.split('\n')
+  const lines = options?.parsed?.lines ?? content.split('\n')
 
   // Skip example files entirely
   if (isExampleFile(filePath)) {
@@ -377,12 +413,19 @@ export function detectKnownPatterns(
   // Check context for file-level decisions
   const isServerFile = isServerOnlyFile(filePath)
   const isTestFile = isTestOrMockFile(filePath)
+  const isPython = isPythonFile(filePath)
 
   for (const secretPattern of SECRET_PATTERNS) {
     lines.forEach((line, index) => {
       // Skip comments
       if (isComment(line)) return
 
+      // Skip Python docstrings - they often contain example connection strings
+      // and other documentation that shouldn't be flagged
+      if (isPython && isInsidePythonDocstring(lines, index)) {
+        return
+      }
+
       // Reset regex state
       const regex = new RegExp(secretPattern.pattern.source, secretPattern.pattern.flags)
       let match
@@ -505,7 +548,9 @@ export function detectKnownPatterns(
           description: adjustedDescription,
           suggestedFix: 'Move this secret to an environment variable. Never commit secrets to version control.',
           confidence: adjustedConfidence,
+          baseConfidence: isGenericPattern ? BASE_CONFIDENCE_GENERIC : BASE_CONFIDENCE_KNOWN,
           layer: 1,
+        source: 'secrets' as const,
           requiresAIValidation: finalRequiresAIValidation,
         })
       }