configContentLooksLiteral returns true when the inline config.content has a literal portion that would be published as-is, leaking the value to consumers of the OCI artifact. We piggyback on the keyword detector's value regex (`[^${\s].+[^}\s]`) by passing a fake "password" key to ScanMap — the reg
(content string, detector secrets.Detector)
```go
// (templates like `key=${SECRET}`), or shorter than 3 chars, which neatly
// matches our notion of "looks like a template, not a literal".
func configContentLooksLiteral(content string, detector secrets.Detector) bool {
	hits, _ := detector.ScanMap(map[string]string{"password": replaceDollarEscape(content)})
	return len(hits) > 0
}

// replaceDollarEscape substitutes the compose-spec `$$` escape (which
// represents a literal `$` in the resolved value) with a placeholder. The
```
no test coverage detected
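The heuristic described above can be exercised without the detector. This is an added example, not the project's code: it applies the value regex quoted in the doc comment directly. Anchoring the pattern to the whole single-line value, the `_` placeholder, the names `looksLiteral` and `maskDollarEscape`, and the sample values are all assumptions made here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// valueRe is the value pattern quoted in the doc comment. Anchoring it to the
// whole string is an assumption of this example, not taken from the detector.
var valueRe = regexp.MustCompile(`^[^${\s].+[^}\s]$`)

// maskDollarEscape is a hypothetical stand-in for replaceDollarEscape: it
// swaps the compose-spec `$$` escape for a placeholder so an escaped, literal
// dollar is not mistaken for the start of an interpolation.
func maskDollarEscape(s string) string {
	return strings.ReplaceAll(s, "$$", "_")
}

// looksLiteral approximates configContentLooksLiteral for single-line values:
// true means the content carries literal text that would be published as-is.
func looksLiteral(content string) bool {
	return valueRe.MatchString(maskDollarEscape(content))
}

func main() {
	// Constructed sample config.content values.
	samples := []string{
		"${DB_PASSWORD}",       // pure template: starts with `$`
		"key=${SECRET}",        // template assignment: ends with `}`
		"ab",                   // shorter than 3 chars
		"token=s3cr3t",         // plain literal
		"$$ecret-value",        // `$$` is a literal `$`, so this is a literal
		"prefix-${VAR}-suffix", // template wrapped in literal text
	}
	for _, c := range samples {
		fmt.Printf("%-24q literal=%v\n", c, looksLiteral(c))
	}
}
```

Without the `$$` masking step, `$$ecret-value` would be rejected by the leading `[^${\s]` class and treated as a template, which is the case the escape replacement exists to handle.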