fixyoursecret 0.3.1-developer-preview.1

package/detectors/twilio.js

@@ -0,0 +1,16 @@
+const TWILIO_KEY_REGEX = /\bSK[0-9a-fA-F]{32}\b/g;
+
+export function detectTwilio(content) {
+  const findings = [];
+  for (const match of content.matchAll(TWILIO_KEY_REGEX)) {
+    findings.push({
+      rule: "twilio-api-key",
+      issue: "Twilio API key exposed",
+      index: match.index ?? 0,
+      value: match[0],
+      type: "twilio",
+      confidence: "high",
+    });
+  }
+  return findings;
+}

package/fixtures/benchmark/negative.json

@@ -0,0 +1,12 @@
+[
+  "build_configuration_identifier_2026_release",
+  "component_configuration_identifier_for_docs",
+  "http://localhost:3000/api",
+  "NEXT_PUBLIC_ANALYTICS_ID=public_demo_id",
+  "pk_test_1234567890abcdefghijklmnopqrstuvwxyz",
+  "pk_live_1234567890abcdefghijklmnopqrstuvwxyz",
+  "const uuid = '550e8400-e29b-41d4-a716-446655440000'",
+  "const hash = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4'",
+  "github_pat_example_not_real",
+  "xoxb-example-not-real-token"
+]

package/fixtures/benchmark/positive.json

@@ -0,0 +1,18 @@
+[
+  { "rule": "openai-key", "parts": ["sk-proj-", "abcdefghijklmnopqrstuvwxyz123456"], "note": "OpenAI" },
+  { "rule": "google-key", "parts": ["AIza", "abcdefghijklmnopqrstuvwxyzABCDE12345"], "note": "Google" },
+  { "rule": "aws-access-key-id", "parts": ["AKIA", "ABCDEFGHIJKLMNOP"], "note": "AWS" },
+  { "rule": "stripe-secret-key", "parts": ["sk_live_", "1234567890abcdefghijklmnop"], "note": "Stripe" },
+  { "rule": "slack-token", "parts": ["xox", "b-1234567890-abcdefghijklmnop"], "note": "Slack" },
+  { "rule": "github-token", "parts": ["ghp_", "abcdefghijklmnopqrstuvwxyzABCD12"], "note": "GitHub" },
+  { "rule": "gitlab-token", "parts": ["glpat-", "abcdefghijklmnopqrstuvwxyz1234"], "note": "GitLab" },
+  { "rule": "twilio-api-key", "parts": ["SK", "0123456789abcdef0123456789abcdef"], "note": "Twilio" },
+  { "rule": "sendgrid-api-key", "parts": ["SG.", "ABCDEFGHIJKLMNOPQRSTUV", ".", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq"], "note": "SendGrid" },
+  { "rule": "mailgun-api-key", "parts": ["key-", "1234567890abcdef1234567890abcdef"], "note": "Mailgun" },
+  { "rule": "anthropic-api-key", "parts": ["sk-ant-", "abcdefghijklmnopqrstuvwxyz123456"], "note": "Anthropic" },
+  { "rule": "cohere-api-key", "parts": ["co_", "abcdefghijklmnopqrstuvwxyz123456"], "note": "Cohere" },
+  { "rule": "huggingface-token", "parts": ["hf_", "abcdefghijklmnopqrstuvwxyz123456"], "note": "HuggingFace" },
+  { "rule": "telegram-bot-token", "parts": ["123456789", ":", "abcdefghijklmnopqrstuvwxyzABCDE1234"], "note": "Telegram" },
+  { "rule": "npm-token", "parts": ["npm_", "abcdefghijklmnopqrstuvwxyz1234567890"], "note": "npm" },
+  { "rule": "private-key-block", "parts": ["-----BEGIN PRIVATE KEY-----", "\\n", "MIIB", "\\n", "-----END PRIVATE KEY-----"], "note": "Private key" }
+]

package/package.json

@@ -0,0 +1,67 @@
+{
+  "name": "fixyoursecret",
+  "version": "0.3.1-developer-preview.1",
+  "description": "Developer Preview: CLI tool to detect leaked secrets, frontend exposure, and generate safe fixes.",
+  "type": "module",
+  "bin": {
+    "fixyoursecret": "bin/index.js",
+    "secretlint": "bin/index.js"
+  },
+  "files": [
+    "bin/",
+    "commands/",
+    "detectors/",
+    "templates/",
+    "utils/",
+    "fixtures/benchmark/",
+    "scripts/benchmark.js",
+    "README.md",
+    "LICENSE",
+    "CHANGELOG.md"
+  ],
+  "exports": {
+    ".": "./bin/index.js"
+  },
+  "scripts": {
+    "start": "node ./bin/index.js",
+    "scan": "node ./bin/index.js scan",
+    "fix": "node ./bin/index.js fix",
+    "rotate": "node ./bin/index.js rotate openai",
+    "history": "node ./bin/index.js history 20",
+    "ci": "node ./bin/index.js ci",
+    "benchmark": "node ./scripts/benchmark.js",
+    "quality": "npm test && npm run benchmark",
+    "test": "node --test",
+    "tune:multi": "node ./scripts/multi-repo-tune.js --repos-file ./fixtures/tuning/repos.default.json --output ./docs/tuning/multi-repo-report.json --fp-review ./docs/tuning/false-positive-review.md",
+    "tune:weekly": "npm run benchmark && npm run tune:multi"
+  },
+  "keywords": [
+    "security",
+    "cli",
+    "secrets",
+    "lint",
+    "devsecops",
+    "sast"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/ssanidhya0407/fixyoursecret.git"
+  },
+  "homepage": "https://github.com/ssanidhya0407/fixyoursecret#readme",
+  "bugs": {
+    "url": "https://github.com/ssanidhya0407/fixyoursecret/issues"
+  },
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public",
+    "tag": "preview"
+  },
+  "dependencies": {
+    "chalk": "^5.4.1",
+    "commander": "^14.0.1",
+    "glob": "^11.0.3"
+  },
+  "engines": {
+    "node": ">=20"
+  }
+}

package/scripts/benchmark.js

@@ -0,0 +1,76 @@
+#!/usr/bin/env node
+import fs from "node:fs/promises";
+import path from "node:path";
+import { runDetectors } from "../utils/detectorRunner.js";
+import { DEFAULT_CONFIG } from "../utils/config.js";
+import { shouldSkipAsNonSecret } from "../utils/verifier.js";
+
+const cwd = process.cwd();
+const posPath = path.join(cwd, "fixtures/benchmark/positive.json");
+const negPath = path.join(cwd, "fixtures/benchmark/negative.json");
+
+const minRecall = Number(process.env.BENCH_MIN_RECALL || "0.95");
+const minPrecision = Number(process.env.BENCH_MIN_PRECISION || "0.95");
+
+const positives = JSON.parse(await fs.readFile(posPath, "utf8"));
+const negatives = JSON.parse(await fs.readFile(negPath, "utf8"));
+
+const cfg = {
+  ...DEFAULT_CONFIG,
+  ignoreDetectors: [],
+};
+
+let tp = 0;
+let fn = 0;
+let fp = 0;
+let tn = 0;
+
+const missingByRule = new Map();
+
+for (const sample of positives) {
+  const value = Array.isArray(sample.parts) ? sample.parts.join("") : String(sample.value || "");
+  const content = `const leaked = "${value}";`;
+  const matches = runDetectors(content, cfg).filter((m) => !shouldSkipAsNonSecret(m, content, "src/app.js", cfg.ignoreValueHints));
+  const matchedExpected = matches.some((m) => m.rule === sample.rule);
+  if (matchedExpected) tp += 1;
+  else {
+    fn += 1;
+    missingByRule.set(sample.rule, (missingByRule.get(sample.rule) || 0) + 1);
+  }
+}
+
+for (const sample of negatives) {
+  const content = `const value = "${sample}";`;
+  const matches = runDetectors(content, cfg).filter((m) => !shouldSkipAsNonSecret(m, content, "src/app.js", cfg.ignoreValueHints));
+  if (matches.length > 0) fp += 1;
+  else tn += 1;
+}
+
+const recall = tp / Math.max(1, tp + fn);
+const precision = tp / Math.max(1, tp + fp);
+const negativePassRate = tn / Math.max(1, tn + fp);
+
+console.log("FixYourSecret Benchmark");
+console.log(`- positives: ${positives.length}`);
+console.log(`- negatives: ${negatives.length}`);
+console.log(`- true positives: ${tp}`);
+console.log(`- false negatives: ${fn}`);
+console.log(`- false positives: ${fp}`);
+console.log(`- true negatives: ${tn}`);
+console.log(`- recall: ${recall.toFixed(3)}`);
+console.log(`- precision: ${precision.toFixed(3)}`);
+console.log(`- negative-pass-rate: ${negativePassRate.toFixed(3)}`);
+
+if (missingByRule.size > 0) {
+  console.log("- missing rules:");
+  for (const [rule, count] of missingByRule.entries()) {
+    console.log(`  - ${rule}: ${count}`);
+  }
+}
+
+if (recall < minRecall || precision < minPrecision) {
+  console.error(`Benchmark gate failed. Required recall>=${minRecall} precision>=${minPrecision}`);
+  process.exit(1);
+}
+
+console.log("Benchmark gate passed.");

package/templates/expressProxy.js

@@ -0,0 +1,40 @@
+export function expressProxyTemplate() {
+  return `const express = require("express");
+
+const app = express();
+app.use(express.json());
+
+app.post("/api/ai", async (req, res) => {
+  try {
+    const apiKey = process.env.OPENAI_API_KEY;
+    if (!apiKey) {
+      return res.status(500).json({ error: "Missing OPENAI_API_KEY" });
+    }
+
+    const payload = {
+      model: req.body?.model || "gpt-4.1-mini",
+      messages: req.body?.messages || []
+    };
+
+    const upstream = await fetch("https://api.openai.com/v1/chat/completions", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": "Bearer " + apiKey
+      },
+      body: JSON.stringify(payload)
+    });
+
+    const data = await upstream.json();
+    return res.status(upstream.status).json(data);
+  } catch (error) {
+    return res.status(500).json({ error: "Proxy request failed", details: error.message });
+  }
+});
+
+const port = process.env.PORT || 3001;
+app.listen(port, () => {
+  console.log("Secretlint proxy running on http://localhost:" + port);
+});
+`;
+}

package/utils/config.js

@@ -0,0 +1,109 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+
+export const CONFIG_FILENAMES = [".fixyoursecretrc.json", ".secretlintrc.json"];
+export const BASELINE_FILENAMES = [".fixyoursecret-baseline.json", ".secretlint-baseline.json"];
+
+export const DEFAULT_CONFIG = {
+  ignorePaths: ["node_modules/**", ".git/**", "dist/**", "build/**", ".next/**", "coverage/**"],
+  allowedExtensions: [".js", ".ts", ".jsx", ".tsx", ".env", ".swift"],
+  maxFileSizeKB: 256,
+  entropyThreshold: 3.8,
+  failOn: "high",
+  verifyMode: "none",
+  suppressions: [
+    { path: "test/" },
+    { path: "tests/" },
+    { path: "__tests__/" },
+    { path: "fixtures/" }
+  ],
+  ignoreDetectors: [],
+  ignoreValueHints: ["example", "dummy", "fake", "sample", "replace_in_runtime_only"],
+};
+
+export async function loadConfig(projectPath, configPath) {
+  const candidates = configPath
+    ? [path.resolve(configPath)]
+    : CONFIG_FILENAMES.map((name) => path.join(projectPath, name));
+
+  for (const candidate of candidates) {
+    try {
+      const raw = await fs.readFile(candidate, "utf8");
+      const parsed = JSON.parse(raw);
+      const config = {
+        ...DEFAULT_CONFIG,
+        ...parsed,
+        ignorePaths: normalizeStringArray(parsed.ignorePaths, DEFAULT_CONFIG.ignorePaths),
+        allowedExtensions: normalizeStringArray(parsed.allowedExtensions, DEFAULT_CONFIG.allowedExtensions),
+        suppressions: normalizeSuppressions(parsed.suppressions),
+        ignoreDetectors: normalizeStringArray(parsed.ignoreDetectors, DEFAULT_CONFIG.ignoreDetectors),
+        ignoreValueHints: normalizeStringArray(parsed.ignoreValueHints, DEFAULT_CONFIG.ignoreValueHints),
+        maxFileSizeKB: toPositiveInt(parsed.maxFileSizeKB, DEFAULT_CONFIG.maxFileSizeKB),
+        entropyThreshold: toPositiveNumber(parsed.entropyThreshold, DEFAULT_CONFIG.entropyThreshold),
+        failOn: normalizeFailOn(parsed.failOn, DEFAULT_CONFIG.failOn),
+        verifyMode: normalizeVerifyMode(parsed.verifyMode, DEFAULT_CONFIG.verifyMode),
+      };
+      return { config, path: candidate, loaded: true };
+    } catch {
+      // try next config candidate
+    }
+  }
+
+  return { config: { ...DEFAULT_CONFIG }, path: candidates[0], loaded: false };
+}
+
+export function resolveBaselinePath(projectPath, explicitBaselinePath) {
+  if (explicitBaselinePath) return path.resolve(projectPath, explicitBaselinePath);
+  return path.resolve(projectPath, BASELINE_FILENAMES[0]);
+}
+
+export function isSuppressed(finding, suppressions = [], fileLines = []) {
+  if (hasInlineDisable(fileLines, finding.line)) return true;
+  return suppressions.some((rule) => {
+    if (!rule || typeof rule !== "object") return false;
+    if (rule.rule && rule.rule !== finding.rule) return false;
+    if (rule.path && !finding.file.includes(String(rule.path))) return false;
+    if (rule.line && Number(rule.line) !== finding.line) return false;
+    return true;
+  });
+}
+
+function hasInlineDisable(lines, currentLine) {
+  const previous = lines[currentLine - 2] || "";
+  const current = lines[currentLine - 1] || "";
+  return (
+    /secretlint-disable-next-line|fixyoursecret-disable-next-line/.test(previous) ||
+    /secretlint-disable-line|fixyoursecret-disable-line/.test(current)
+  );
+}
+
+function normalizeSuppressions(value) {
+  if (!Array.isArray(value)) return DEFAULT_CONFIG.suppressions;
+  return value.filter((item) => item && typeof item === "object");
+}
+
+function normalizeStringArray(value, fallback) {
+  return Array.isArray(value) ? value.filter((v) => typeof v === "string") : fallback;
+}
+
+function toPositiveInt(value, fallback) {
+  return Number.isInteger(value) && value > 0 ? value : fallback;
+}
+
+function toPositiveNumber(value, fallback) {
+  return typeof value === "number" && value > 0 ? value : fallback;
+}
+
+function normalizeFailOn(value, fallback) {
+  const safe = String(value || "").toLowerCase();
+  return ["low", "medium", "high"].includes(safe) ? safe : fallback;
+}
+
+function normalizeVerifyMode(value, fallback) {
+  const safe = String(value || "").toLowerCase();
+  return ["none", "safe"].includes(safe) ? safe : fallback;
+}
+
+export function defaultConfigTemplate() {
+  return JSON.stringify(DEFAULT_CONFIG, null, 2) + "\n";
+}

package/utils/detectorRunner.js

@@ -0,0 +1,13 @@
+import { DETECTOR_REGISTRY } from "../detectors/registry.js";
+
+export function runDetectors(content, config) {
+  const all = [];
+  for (const detector of DETECTOR_REGISTRY) {
+    if (config.ignoreDetectors.includes(detector.key)) continue;
+    const matches = detector.key === "generic"
+      ? detector.run(content, { entropyThreshold: config.entropyThreshold })
+      : detector.run(content);
+    all.push(...matches);
+  }
+  return all;
+}

package/utils/fileScanner.js

@@ -0,0 +1,74 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { glob } from "glob";
+
+const DEFAULT_EXTENSIONS = [".js", ".ts", ".jsx", ".tsx", ".env", ".swift"];
+
+export async function collectProjectFiles(projectPath, options = {}) {
+  const extensions = Array.isArray(options.allowedExtensions) && options.allowedExtensions.length > 0
+    ? options.allowedExtensions
+    : DEFAULT_EXTENSIONS;
+  const allowedExtensions = new Set(extensions.map((e) => String(e).toLowerCase()));
+  const ignore = options.ignorePaths || ["node_modules/**", ".git/**", "dist/**", "build/**"];
+  const includeOnly = normalizeSet(options.includeOnly);
+  const maxFileSizeBytes = (options.maxFileSizeKB || 256) * 1024;
+
+  const entries = await glob("**/*", {
+    cwd: projectPath,
+    nodir: true,
+    dot: true,
+    ignore,
+  });
+
+  const files = [];
+  for (const relativePath of entries) {
+    const normalizedRelative = normalizePath(relativePath);
+    if (includeOnly && !includeOnly.has(normalizedRelative)) continue;
+
+    const ext = path.extname(normalizedRelative).toLowerCase();
+    if (!allowedExtensions.has(ext)) continue;
+
+    const absolutePath = path.join(projectPath, normalizedRelative);
+    let stat;
+    try {
+      stat = await fs.stat(absolutePath);
+    } catch {
+      continue;
+    }
+    if (!stat.isFile() || stat.size > maxFileSizeBytes) continue;
+
+    const content = await fs.readFile(absolutePath, "utf8").catch(() => "");
+    if (!content) continue;
+
+    files.push({
+      absolutePath,
+      relativePath: normalizedRelative,
+      content,
+      lines: content.split("\n"),
+    });
+  }
+
+  return files;
+}
+
+export function lineColFromIndex(content, index) {
+  const start = Math.max(0, index);
+  const prefix = content.slice(0, start);
+  const lines = prefix.split("\n");
+  const line = lines.length;
+  const column = lines[lines.length - 1].length + 1;
+  return { line, column };
+}
+
+function normalizePath(p) {
+  return p.split(path.sep).join("/");
+}
+
+function normalizeSet(values) {
+  if (!Array.isArray(values) || values.length === 0) return null;
+  const normalized = values
+    .filter((v) => typeof v === "string")
+    .map((v) => v.replace(/^\.\//, ""))
+    .map((v) => v.split(path.sep).join("/"));
+  return new Set(normalized);
+}

package/utils/gitScanner.js

@@ -0,0 +1,26 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+
+const execFileAsync = promisify(execFile);
+
+export async function getStagedFiles(projectPath) {
+  return runGitFileList(projectPath, ["diff", "--cached", "--name-only", "--diff-filter=ACMRT"]);
+}
+
+export async function getTrackedFiles(projectPath) {
+  return runGitFileList(projectPath, ["ls-files"]);
+}
+
+export async function getRecentChangedFiles(projectPath, commitCount = 20) {
+  const safeCount = Number.isInteger(commitCount) && commitCount > 0 ? commitCount : 20;
+  return runGitFileList(projectPath, ["log", `-${safeCount}`, "--name-only", "--pretty=format:"]);
+}
+
+async function runGitFileList(projectPath, args) {
+  try {
+    const { stdout } = await execFileAsync("git", args, { cwd: projectPath });
+    return Array.from(new Set(stdout.split("\n").map((line) => line.trim()).filter(Boolean)));
+  } catch {
+    return [];
+  }
+}

package/utils/logger.js

@@ -0,0 +1,32 @@
+import chalk from "chalk";
+
+export const logger = {
+  log: (...args) => console.log(...args),
+  warn: (...args) => console.log(chalk.yellow(...args)),
+  error: (...args) => console.error(chalk.red(...args)),
+  safe: (...args) => console.log(chalk.green(...args)),
+};
+
+export function printFinding(f) {
+  const label = f.severity === "HIGH" ? chalk.red("[HIGH]") : f.severity === "MEDIUM" ? chalk.yellow("[WARNING]") : chalk.blue("[LOW]");
+
+  console.log(label);
+  console.log(`File: ${f.file}:${f.line}:${f.column}`);
+  console.log(`Issue: ${f.issue}`);
+  if (f.rule) console.log(`Rule: ${f.rule}`);
+  console.log(`Risk: ${f.severity}`);
+  console.log(`Snippet: ${chalk.gray(f.snippet)}`);
+  if (f.reason) console.log(`Reason: ${f.reason}`);
+  console.log(`Fix: ${f.recommendation}`);
+  console.log("");
+}
+
+export function printSummary(findings) {
+  const high = findings.filter((f) => f.severity === "HIGH").length;
+  const medium = findings.filter((f) => f.severity === "MEDIUM").length;
+  const low = findings.filter((f) => f.severity === "LOW").length;
+  const total = findings.length;
+  const color = high > 0 ? chalk.red : medium > 0 ? chalk.yellow : chalk.green;
+
+  console.log(color(`${total} issues found (${high} high risk, ${medium} medium, ${low} low)`));
+}

package/utils/riskAnalyzer.js

@@ -0,0 +1,42 @@
+const FRONTEND_HINTS = ["/src/", "/components/", "/pages/", "/public/", "/app/"];
+const BACKEND_HINTS = ["/api/", "/server/", "/backend/", "/services/"];
+const PUBLIC_ENV_HINTS = ["NEXT_PUBLIC_", "VITE_", "NUXT_PUBLIC_", "PUBLIC_"];
+
+export function analyzeRisk(relativePath, match, snippet) {
+  const normalized = `/${relativePath.toLowerCase()}`;
+  const isBackendPath = BACKEND_HINTS.some((segment) => normalized.includes(segment));
+  const isEnvFile = normalized.endsWith(".env");
+  const inFrontendPath = FRONTEND_HINTS.some((segment) => normalized.includes(segment));
+  const hasPublicEnvLeak = PUBLIC_ENV_HINTS.some((prefix) => snippet.includes(prefix));
+  const inFrontend = !isBackendPath && (inFrontendPath || hasPublicEnvLeak) && !isEnvFile;
+
+  if (match.type === "private-key") {
+    return {
+      severity: "HIGH",
+      fix: "Delete private key from source immediately, revoke/replace credentials, and move keys to a secure secret manager.",
+      reason: "Private key material should never be stored in source code",
+    };
+  }
+
+  if (inFrontend && match.type !== "generic") {
+    return {
+      severity: "HIGH",
+      fix: "Move secret to backend proxy and call internal endpoint instead.",
+      reason: "Sensitive key appears in likely frontend context",
+    };
+  }
+
+  if (match.type === "generic") {
+    return {
+      severity: "MEDIUM",
+      fix: "Verify if token is sensitive; if yes, move it to environment variables.",
+      reason: "High entropy token pattern",
+    };
+  }
+
+  return {
+    severity: "HIGH",
+    fix: "Rotate the key and store it only in backend environment variables.",
+    reason: "Known provider key format",
+  };
+}

package/utils/sarif.js

@@ -0,0 +1,55 @@
+export function findingsToSarif(findings, toolName = "fixyoursecret") {
+  const rulesMap = new Map();
+
+  for (const finding of findings) {
+    const id = finding.rule || "unknown-rule";
+    if (!rulesMap.has(id)) {
+      rulesMap.set(id, {
+        id,
+        shortDescription: { text: finding.issue },
+        fullDescription: { text: finding.recommendation || finding.issue },
+        defaultConfiguration: {
+          level: sarifLevel(finding.severity),
+        },
+      });
+    }
+  }
+
+  return {
+    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: toolName,
+            version: "0.3.0-developer-preview.1",
+            rules: Array.from(rulesMap.values()),
+          },
+        },
+        results: findings.map((finding) => ({
+          ruleId: finding.rule || "unknown-rule",
+          level: sarifLevel(finding.severity),
+          message: { text: `${finding.issue}. ${finding.recommendation || ""}`.trim() },
+          locations: [
+            {
+              physicalLocation: {
+                artifactLocation: { uri: finding.file },
+                region: {
+                  startLine: finding.line,
+                  startColumn: finding.column,
+                },
+              },
+            },
+          ],
+        })),
+      },
+    ],
+  };
+}
+
+function sarifLevel(severity) {
+  if (severity === "HIGH") return "error";
+  if (severity === "MEDIUM") return "warning";
+  return "note";
+}

package/utils/verifier.js

@@ -0,0 +1,73 @@
+export function verifyFinding(match, fileContent = "", snippet = "") {
+  switch (match.rule) {
+    case "openai-key":
+      return formatResult(/^(?:sk-(?:proj-)?)?[A-Za-z0-9_-]{24,}$/.test(match.value) && /\d/.test(match.value), "format");
+    case "google-key":
+      return formatResult(/^AIza[0-9A-Za-z_-]{35}$/.test(match.value), "format");
+    case "aws-access-key-id":
+      return formatResult(/^(AKIA|ASIA)[A-Z0-9]{16}$/.test(match.value), "format");
+    case "stripe-secret-key":
+      return formatResult(/^sk_live_[0-9A-Za-z]{16,}$/.test(match.value), "format");
+    case "slack-token":
+      return formatResult(/^xox(?:b|p|a|r|s)-[0-9A-Za-z-]{10,}$/.test(match.value), "format");
+    case "github-token":
+      return formatResult(/^(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{20,}$|^github_pat_[A-Za-z0-9_]{20,}$/.test(match.value), "format");
+    case "gitlab-token":
+      return formatResult(/^glpat-[A-Za-z0-9_-]{20,}$/.test(match.value), "format");
+    case "twilio-api-key":
+      return formatResult(/^SK[0-9a-fA-F]{32}$/.test(match.value), "format");
+    case "sendgrid-api-key":
+      return formatResult(/^SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}$/.test(match.value), "format");
+    case "mailgun-api-key":
+      return formatResult(/^key-[A-Za-z0-9]{32}$/.test(match.value), "format");
+    case "anthropic-api-key":
+      return formatResult(/^sk-ant-[A-Za-z0-9_-]{20,}$/.test(match.value), "format");
+    case "cohere-api-key":
+      return formatResult(/^co_[A-Za-z0-9]{30,}$/.test(match.value), "format");
+    case "huggingface-token":
+      return formatResult(/^hf_[A-Za-z0-9]{30,}$/.test(match.value), "format");
+    case "telegram-bot-token":
+      return formatResult(/^\d{8,10}:[A-Za-z0-9_-]{35}$/.test(match.value), "format");
+    case "npm-token":
+      return formatResult(/^npm_[A-Za-z0-9]{36}$/.test(match.value), "format");
+    case "private-key-block": {
+      const hasEnd = /-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/.test(fileContent.slice(match.index));
+      return formatResult(hasEnd, "pem-structure");
+    }
+    case "generic-high-entropy":
+      return formatResult(false, "unsupported");
+    default:
+      return formatResult(false, "unknown");
+  }
+}
+
+function formatResult(verified, method) {
+  return {
+    verified,
+    verificationMethod: method,
+  };
+}
+
+export function normalizeVerifyMode(mode) {
+  const safe = String(mode || "none").toLowerCase();
+  return ["none", "safe"].includes(safe) ? safe : "none";
+}
+
+export function shouldSkipAsNonSecret(match, snippet = "", filePath = "", hints = []) {
+  const lowerSnippet = snippet.toLowerCase();
+  const lowerPath = filePath.toLowerCase();
+
+  const builtinHints = ["example", "dummy", "fake", "sample", "not_secret", "replace_in_runtime_only", "docs_only"];
+  const allHints = [...builtinHints, ...hints.map((h) => String(h).toLowerCase())];
+
+  if (allHints.some((hint) => lowerSnippet.includes(hint))) return true;
+
+  if (
+    match.rule === "generic-high-entropy" &&
+    ["/test/", "/tests/", "/__tests__/", "/fixtures/", "/docs/"].some((segment) => lowerPath.includes(segment))
+  ) {
+    return true;
+  }
+
+  return false;
+}