(t *testing.T)
| 291 | } |
| 292 | |
| 293 | func Test_collectEnvCheckFindings(t *testing.T) { |
| 294 | tests := []struct { |
| 295 | name string |
| 296 | files map[string]string |
| 297 | wantSuspicious map[string][]string // service -> sorted suspicious keys |
| 298 | wantEnvFile []string // services with env_file |
| 299 | wantLiteralCfgs []string // config names with literal content |
| 300 | }{ |
| 301 | { |
| 302 | name: "benign literals are silent", |
| 303 | files: map[string]string{ |
| 304 | "compose.yaml": `name: test |
| 305 | services: |
| 306 | web: |
| 307 | image: alpine |
| 308 | environment: |
| 309 | LOG_LEVEL: info |
| 310 | NODE_ENV: production |
| 311 | PORT: "8080" |
| 312 | `, |
| 313 | }, |
| 314 | }, |
| 315 | { |
| 316 | name: "interpolated values are silent even on suspicious keys", |
| 317 | files: map[string]string{ |
| 318 | "compose.yaml": `name: test |
| 319 | services: |
| 320 | web: |
| 321 | image: alpine |
| 322 | environment: |
| 323 | DB_PASSWORD: "${DB_PASSWORD}" |
| 324 | API_KEY: "$API_KEY" |
| 325 | `, |
| 326 | }, |
| 327 | }, |
| 328 | { |
| 329 | name: "literal value on suspicious key is flagged", |
| 330 | files: map[string]string{ |
| 331 | "compose.yaml": `name: test |
| 332 | services: |
| 333 | db: |
| 334 | image: mysql |
| 335 | environment: |
| 336 | MYSQL_ROOT_PASSWORD: toto |
| 337 | MYSQL_DATABASE: appdb |
| 338 | `, |
| 339 | }, |
| 340 | wantSuspicious: map[string][]string{ |
| 341 | "db": {"MYSQL_ROOT_PASSWORD"}, |
| 342 | }, |
| 343 | }, |
| 344 | { |
| 345 | name: "demo placeholder changeme is flagged (security: literal still leaks)", |
| 346 | files: map[string]string{ |
| 347 | "compose.yaml": `name: test |
| 348 | services: |
| 349 | demo: |
| 350 | image: postgres |