refactor(rules): deduplicate hardcoded-secret regex (closes #274) (#277)

* feat(pq): expand seed lists and fix fabric attribution (refs #262)

- Add Cargo seeds: k256, secp256k1, libsecp256k1, ed448-goldilocks (tier 1), openssl (tier 2)
- Add pip seeds: pyjwt, authlib, python-jose, jwcrypto (0.8), m2crypto (0.6)
- Fix fabric: drop misleading RSA algorithm (wraps paramiko, no crypto itself)

* feat(sarif): include depName in SARIF properties (refs #262)

* docs(pq): note dev-dependencies limitation in Cargo rule description (refs #262)

* refactor(pq): dedup BFS reached_seeds with HashMap (refs #262)

* style(pq): reorder PIP_PACKAGES by descending confidence (refs #262)

* refactor(rules): deduplicate hardcoded-secret regex across languages (closes #274)

Extract shared HARDCODED_SECRET_PATTERN and CSHARP_HARDCODED_SECRET_PATTERN
constants into common.rs; replace inline copies in all 10 language rule files.
Adds test asserting the C# pattern is a superset of the base pattern.
Also normalises PHP to the full keyword set (was missing auth, credential,
private_key).

* fix: cargo fmt imports and deterministic seed selection

- Fix import formatting in javascript.rs and python.rs
- Make reached_seeds best-pick deterministic by breaking
  confidence ties on seed name

---------

Co-authored-by: Peak Twilight <doruk@doruk.ch>

Author: Darkroom4364

src/rules/common.rs

@@ -50,6 +50,18 @@ pub fn shannon_entropy(s: &str) -> f32 {
     entropy
 }
 
+/// Base regex pattern shared by all `*/no-hardcoded-secret` rules.
+///
+/// Each language rule file should use this constant (or
+/// [`CSHARP_HARDCODED_SECRET_PATTERN`] for C#) instead of inlining its
+/// own copy of the pattern.
+pub const HARDCODED_SECRET_PATTERN: &str =
+    r"(?i)(password|secret|api_?key|token|auth|credential|private_?key)";
+
+/// Extended variant for C# that adds `connection_?string` /
+/// `connectionstring` to the base keyword set.
+pub const CSHARP_HARDCODED_SECRET_PATTERN: &str = r"(?i)(password|secret|api_?key|token|auth|credential|private_?key|connection_?string|connectionstring)";
+
 /// Default minimum length for strings flagged as a hardcoded secret.
 ///
 /// Historically this was hardcoded as `>= 4` across every language-specific
@@ -338,4 +350,31 @@ mod tests {
         assert_eq!(confidence_for_hops(3), 0.6);
         assert_eq!(confidence_for_hops(10), 0.6);
     }
+
+    #[test]
+    fn csharp_pattern_is_superset_of_base() {
+        let base = regex::Regex::new(HARDCODED_SECRET_PATTERN).unwrap();
+        let extended = regex::Regex::new(CSHARP_HARDCODED_SECRET_PATTERN).unwrap();
+
+        // Every keyword the base pattern matches must also match the C# pattern.
+        for kw in &[
+            "password",
+            "secret",
+            "api_key",
+            "apikey",
+            "token",
+            "auth",
+            "credential",
+            "private_key",
+            "privatekey",
+        ] {
+            assert!(base.is_match(kw), "base should match {kw}");
+            assert!(extended.is_match(kw), "csharp should match {kw}");
+        }
+        // C#-specific extras
+        for kw in &["connection_string", "connectionstring"] {
+            assert!(!base.is_match(kw), "base should NOT match {kw}");
+            assert!(extended.is_match(kw), "csharp should match {kw}");
+        }
+    }
 }

src/rules/csharp.rs

@@ -1,5 +1,7 @@
 use crate::impl_rule;
-use crate::rules::common::{is_secret_value_long_enough, make_finding, walk_tree};
+use crate::rules::common::{
+    is_secret_value_long_enough, make_finding, walk_tree, CSHARP_HARDCODED_SECRET_PATTERN,
+};
 use crate::{Language, Severity};
 use regex::Regex;
 
@@ -443,10 +445,7 @@ impl_rule! {
     fn check(_self, source, tree) {
 
         let mut findings = Vec::new();
-        let secret_pattern = Regex::new(
-            r"(?i)(password|secret|api_?key|apikey|token|credential|private_?key|connection_?string|connectionstring)",
-        )
-        .unwrap();
+        let secret_pattern = Regex::new(CSHARP_HARDCODED_SECRET_PATTERN).unwrap();
 
         walk_tree(tree.root_node(), source, &mut |node, src| {
             // variable_declarator: string password = "hardcoded"

src/rules/go.rs

@@ -2,7 +2,7 @@ use crate::impl_rule;
 use crate::rules::common::AliasTable;
 use crate::rules::common::{
     get_source_line, is_secret_value_long_enough, make_finding, make_finding_from_offsets,
-    walk_tree,
+    walk_tree, HARDCODED_SECRET_PATTERN,
 };
 use crate::rules::go_taint::{
     self, go_aliases_from_tree, go_taint_sources, NodeMatcher as GoNodeMatcher,
@@ -149,7 +149,7 @@ impl_rule! {
 
         let mut findings = Vec::new();
         let secret_pattern =
-            Regex::new(r"(?i)(password|secret|api_?key|token|auth|credential|private_?key)")
+            Regex::new(HARDCODED_SECRET_PATTERN)
                 .unwrap();
 
         walk_tree(tree.root_node(), source, &mut |node, src| {

src/rules/java.rs

@@ -1,6 +1,7 @@
 use crate::impl_rule;
 use crate::rules::common::{
     is_secret_value_long_enough, make_finding, make_finding_from_offsets, walk_tree,
+    HARDCODED_SECRET_PATTERN,
 };
 use crate::{Language, Severity};
 use regex::Regex;
@@ -604,7 +605,7 @@ impl_rule! {
 
         let mut findings = Vec::new();
         let secret_pattern =
-            Regex::new(r"(?i)(password|secret|api_?key|apiKey|token|auth|credential|private_?key)")
+            Regex::new(HARDCODED_SECRET_PATTERN)
                 .unwrap();
 
         walk_tree(tree.root_node(), source, &mut |node, src| {

src/rules/javascript.rs

@@ -1,5 +1,7 @@
 use crate::impl_rule;
-use crate::rules::common::{get_source_line, is_secret_value_long_enough, make_finding, walk_tree};
+use crate::rules::common::{
+    get_source_line, is_secret_value_long_enough, make_finding, walk_tree, HARDCODED_SECRET_PATTERN,
+};
 use crate::rules::FileContext;
 use crate::{Finding, Language, Severity};
 use regex::Regex;
@@ -56,7 +58,7 @@ impl_rule! {
 
         let mut findings = Vec::new();
         let secret_pattern =
-            Regex::new(r"(?i)(password|secret|api_?key|token|auth|credential|private_?key)")
+            Regex::new(HARDCODED_SECRET_PATTERN)
                 .unwrap();
 
         walk_tree(tree.root_node(), source, &mut |node, src| {

src/rules/kotlin.rs

@@ -1,6 +1,7 @@
 use crate::impl_rule;
 use crate::rules::common::{
     is_secret_value_long_enough, make_finding, make_finding_from_offsets, walk_tree,
+    HARDCODED_SECRET_PATTERN,
 };
 use crate::{Finding, Language, Severity};
 use regex::Regex;
@@ -521,7 +522,7 @@ impl_rule! {
 
         let mut findings = Vec::new();
         let secret_pattern =
-            Regex::new(r"(?i)(password|secret|api_?key|apiKey|token|auth|credential|private_?key)")
+            Regex::new(HARDCODED_SECRET_PATTERN)
                 .unwrap();
 
         walk_tree(tree.root_node(), source, &mut |node, src| {

src/rules/manifest.rs

@@ -307,7 +307,14 @@ impl Rule for CargoLockPqCrypto {
                         continue;
                     };
                     if let Some(entry) = seed_map.get(neighbor_name) {
-                        reached_seeds.entry(entry.name).or_insert(entry);
+                        reached_seeds
+                            .entry(entry.name)
+                            .and_modify(|existing| {
+                                if entry.confidence > existing.confidence {
+                                    *existing = entry;
+                                }
+                            })
+                            .or_insert(entry);
                     } else {
                         queue.push_back(neighbor);
                     }
@@ -319,9 +326,13 @@ impl Rule for CargoLockPqCrypto {
             }
 
             // Pick the highest-confidence seed
-            let best = reached_seeds
-                .values()
-                .max_by(|a, b| a.confidence.total_cmp(&b.confidence))
+            let (_, best) = reached_seeds
+                .iter()
+                .max_by(|(k1, v1), (k2, v2)| {
+                    v1.confidence
+                        .total_cmp(&v2.confidence)
+                        .then_with(|| k1.cmp(k2))
+                })
                 .unwrap();
 
             // Find byte offset of this package entry.

src/rules/php.rs

@@ -1,5 +1,7 @@
 use crate::impl_rule;
-use crate::rules::common::{is_secret_value_long_enough, make_finding, walk_tree};
+use crate::rules::common::{
+    is_secret_value_long_enough, make_finding, walk_tree, HARDCODED_SECRET_PATTERN,
+};
 use crate::{Language, Severity};
 use regex::Regex;
 
@@ -359,7 +361,7 @@ impl_rule! {
     fn check(_self, source, tree) {
 
         let mut findings = Vec::new();
-        let secret_pattern = Regex::new(r"(?i)(password|secret|api_?key|token)").unwrap();
+        let secret_pattern = Regex::new(HARDCODED_SECRET_PATTERN).unwrap();
 
         walk_tree(tree.root_node(), source, &mut |node, src| {
             // Detect: $password = "hardcoded";

src/rules/python.rs

@@ -1,5 +1,7 @@
 use crate::impl_rule;
-use crate::rules::common::{get_source_line, is_secret_value_long_enough, make_finding, walk_tree};
+use crate::rules::common::{
+    get_source_line, is_secret_value_long_enough, make_finding, walk_tree, HARDCODED_SECRET_PATTERN,
+};
 use crate::rules::FileContext;
 use crate::{Finding, Language, Severity};
 use regex::Regex;
@@ -75,7 +77,7 @@ impl_rule! {
 
         let mut findings = Vec::new();
         let secret_pattern =
-            Regex::new(r"(?i)(password|secret|api_?key|token|auth|credential|private_?key)")
+            Regex::new(HARDCODED_SECRET_PATTERN)
                 .unwrap();
 
         walk_tree(tree.root_node(), source, &mut |node, src| {

src/rules/ruby.rs

@@ -1,5 +1,7 @@
 use crate::impl_rule;
-use crate::rules::common::{is_secret_value_long_enough, make_finding, walk_tree};
+use crate::rules::common::{
+    is_secret_value_long_enough, make_finding, walk_tree, HARDCODED_SECRET_PATTERN,
+};
 use crate::{Language, Severity};
 use regex::Regex;
 
@@ -484,7 +486,7 @@ impl_rule! {
 
         let mut findings = Vec::new();
         let secret_pattern =
-            Regex::new(r"(?i)(password|secret|api_?key|token|auth|credential|private_?key)")
+            Regex::new(HARDCODED_SECRET_PATTERN)
                 .unwrap();
 
         walk_tree(tree.root_node(), source, &mut |node, src| {