Secret detection analyzer returns false positive for Hashicorp vault secret
Summary
When using the GitLab CI template for secret detection, we encountered false positives this week: it reported Hashicorp vault secrets in our codebase. We do not have any Hashicorp vault secrets in our codebase, but we are using Python, and some of our import lines seem to match the regex used to find Hashicorp vault secrets. We noticed this issue starting from the Secrets analyzer version 3.24.4.
It seems the rule got stricter in version 3.24.5, but this does not seem to be enough.
The concerned merge request is here: gitlab-org/security-products/analyzers/secrets!136 (merged)
Steps to reproduce
Run the secret detection job in a python codebase containing an import like this one
from anything_that_ends_with_an_s.BasicEventsSpecification import has_lot_id
Example Project
The following regex101 link shows that the current regex for Hashicorp vault secrets matches the example string: https://regex101.com/r/yBwWs0/1
What is the current bug behavior?
The secret detection job fails by detecting secrets when there are none.
What is the expected correct behavior?
The secret detection job should not fail with the provided example.
Possible fixes
Maybe restrict the regex so that the string must start with "s." rather than matching any random string that contains "s.". Something along these lines: ^s\.[0-9a-zA-Z]{24}('|\"|\n|\r|\s)
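To make the false positive and the trade-off of the proposed anchor concrete, here is an added Python example (not code from the analyzer or from this report). The unanchored LOOSE pattern is my assumption of the current rule's shape, inferred from the report; the token line is constructed and is not a real credential; the BOUNDED variant is an additional assumption showing a boundary check that keeps the import line clean while still catching a token assigned mid-line.

```python
import re

# Constructed sample input: the import line from the report, plus a made-up
# vault-style token (24 random alphanumerics after "s.", not a real secret).
IMPORT_LINE = (
    "from anything_that_ends_with_an_s.BasicEventsSpecification import has_lot_id\n"
)
TOKEN_LINE = 'VAULT_TOKEN = "s.AbCdEfGhIjKlMnOpQrStUvWx"\n'

# Assumed shape of the current rule: no anchor, so any identifier that ends in
# "s." followed by exactly 24 alphanumerics and a delimiter matches.
# "BasicEventsSpecification" is 24 characters, which is why the import trips it.
LOOSE = re.compile(r"s\.[0-9a-zA-Z]{24}('|\"|\n|\r|\s)")

# The fix proposed in the report: the token must start the line.
ANCHORED = re.compile(r"^s\.[0-9a-zA-Z]{24}('|\"|\n|\r|\s)", re.MULTILINE)

# Assumed alternative: "s." must not be preceded by an identifier character,
# so "...an_s.Basic..." is rejected but '"s.AbCd..."' after a quote is kept.
BOUNDED = re.compile(r"(?<![0-9a-zA-Z_])s\.[0-9a-zA-Z]{24}('|\"|\n|\r|\s)")


def matches(pattern, text):
    """Return every matched string; an empty list means no finding."""
    return [m.group(0) for m in pattern.finditer(text)]


def compare(text):
    """Run all three patterns over text and report findings per variant."""
    return {
        "loose": matches(LOOSE, text),
        "anchored": matches(ANCHORED, text),
        "bounded": matches(BOUNDED, text),
    }


if __name__ == "__main__":
    for label, line in (("import line", IMPORT_LINE), ("token line", TOKEN_LINE)):
        print(label, compare(line))
```

Running it shows the import line is flagged only by the loose pattern, while the line-start anchor also stops flagging a token assigned to a variable on the same line, which the lookbehind variant still catches.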