securego / gosec

Go security checker
https://securego.io
Apache License 2.0

criteria for adding new secret patterns versus relying on high entropy detection #1146

Closed cduggn closed 3 months ago

cduggn commented 3 months ago

Summary

I wanted to add an explicit check for Artifactory API tokens; however, gosec's high entropy string detection also caught the samples I tried. Is there a criterion for choosing when to add a hardcoded secret pattern versus relying on high entropy detection? As an example, gosec does have hardcoded secret patterns for AWS API Key, but the entropy checker does detect this secret before the secret pattern check happens. Thanks

ccojocar commented 3 months ago

I would say it is useful to rely on entropy when the pattern of the secret is not known but it looks more like a random value. In this situation, entropy detection works the best.

If the secret pattern is known, it is better to use it to avoid false positives more likely caused by entropy detection.
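An added example, not gosec's own code, contrasting the two approaches described above: an entropy-only check with an assumed illustrative threshold beside a format-specific pattern for an AWS access key ID. The threshold, the regex and the sample strings (AWS's published example key ID, a UUID and a hex string shaped like a commit hash) are constructed for this example, and the entropy measure is plain Shannon entropy rather than the one gosec uses.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
)

// ShannonBits returns the total Shannon entropy of s in bits:
// per-character entropy times the number of characters.
func ShannonBits(s string) float64 {
	counts := map[rune]int{}
	n := 0
	for _, r := range s {
		counts[r]++
		n++
	}
	var h float64
	for _, c := range counts {
		p := float64(c) / float64(n)
		h -= p * math.Log2(p)
	}
	return h * float64(n)
}

// EntropyThreshold is an illustrative cut-off chosen for this example, not gosec's default.
const EntropyThreshold = 80.0

// LooksRandom is the entropy-only approach: useful when the secret's format is unknown.
func LooksRandom(s string) bool { return ShannonBits(s) >= EntropyThreshold }

// awsAccessKeyID is a format-specific pattern (constructed here): "AKIA" followed by
// 16 upper-case alphanumerics, the shape of an AWS access key ID.
var awsAccessKeyID = regexp.MustCompile(`^AKIA[0-9A-Z]{16}$`)

// MatchesAWSKeyPattern is the known-pattern approach for the same secret.
func MatchesAWSKeyPattern(s string) bool { return awsAccessKeyID.MatchString(s) }

func main() {
	samples := []string{
		"AKIAIOSFODNN7EXAMPLE",                     // AWS's published example key ID
		"550e8400-e29b-41d4-a716-446655440000",     // a UUID test fixture, not a secret
		"3f786850e387550fdab836ed7e6dc881de23001b", // constructed hex, commit-hash shaped
	}
	for _, s := range samples {
		fmt.Printf("%-42s entropy=%6.1f bits  entropy-flag=%v  pattern-flag=%v\n",
			s, ShannonBits(s), LooksRandom(s), MatchesAWSKeyPattern(s))
	}
}
```

Run it and the two non-secrets trip the entropy check while the pattern ignores them; the real key, whose format is fixed, falls under this threshold and is caught only by the pattern.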