There is the very rare valid secret in the form of
or just
etc.
where there are no quotes. We currently require quotes for high-entropy secrets, which is a sensible thing IMO, since it is one of the noisier plugin classes already.
I am not saying it is worth the increase in false positives to catch these in general, simply that we should (a) add some documentation around it, and/or (b) investigate a more sophisticated approach than if we were to just remove the quote requirement altogether, if feasible, i.e. handle the special cases where we might come across it. 🤔
I'd love to hear if anyone else has encountered a valid secret of this form, and what the secret was, so that we could discuss possible solutions.
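An added illustration of the trade-off raised in this post, not code from the post or from the project: a minimal entropy scan run with the quote requirement, with no quote requirement, and with one hypothetical special case that accepts a bare value only when it is assigned to a secret-looking key. The sample lines, key names, threshold and the `keyed` mode are constructed assumptions.

```python
import math
import re
from collections import Counter

THRESHOLD = 3.5  # assumed entropy cut-off, in bits per character
TOKEN = r"[A-Za-z0-9+/_-]{20,}"
QUOTED = re.compile(r"""(["'])(%s)\1""" % TOKEN)  # value must be quoted
BARE = re.compile(r"(%s)" % TOKEN)                # any long token at all
# Hypothetical special case: bare value assigned to a secret-looking key.
KEYED = re.compile(
    r"(?i)\b\w*(?:secret|passw(?:or)?d|token|key)\w*\s*[=:]\s*(%s)\s*$" % TOKEN
)
MODES = {"quoted": [QUOTED], "bare": [BARE], "keyed": [QUOTED, KEYED]}

# Constructed sample input; none of these values are real credentials.
SAMPLE = [
    'api_key = "q8Zr2LmX0vT9bKc4YhW7nPd3"',
    "DB_PASSWORD=Hx7pQ2wN9sKd4LzR8vTb5YcM",
    "from billing.reconciliation import TokenValidatorFactoryImpl",
    "padding = aaaaaaaaaaaaaaaaaaaaaaaa",
]


def entropy(token):
    """Shannon entropy of the token's own character distribution."""
    counts = Counter(token)
    return -sum(c / len(token) * math.log2(c / len(token)) for c in counts.values())


def scan(lines, mode):
    """Return (line number, token) pairs whose entropy reaches THRESHOLD."""
    hits = []
    for number, line in enumerate(lines, 1):
        for pattern in MODES[mode]:
            for match in pattern.finditer(line):
                token = match.group(match.lastindex)  # last group is the token
                if entropy(token) >= THRESHOLD and (number, token) not in hits:
                    hits.append((number, token))
    return hits


if __name__ == "__main__":
    for mode in MODES:
        print(mode, [number for number, _ in scan(SAMPLE, mode)])
```

Dropping the quote requirement finds the unquoted password on line 2 but also flags the class name on line 3, while the keyed variant keeps line 2 without that extra finding.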