internal/audit/scanner.go currently scans each dotfile for AWS keys by checking whether the file contains the substring AKIA, and the patterns slice never gets exercised. That substring check cannot say where the match is or which rule fired, so the scanner prints very generic messages, and it only looks at .bashrc/.zshrc/.profile. It would be much more useful to actually run the regexes (e.g., the AWS key regex, api_key patterns) across every .env* file, .netrc, .aws/credentials, etc., and highlight the exact line, with the matched text masked, that the pattern hit.
A contributor could replace the naive strings.Contains check with the existing regex list (compiled once, not per file) or a more comprehensive secret detection library, include more files (".env.local", "config.json", "terraform.tfvars"), and emit warnings that cite the matching regex, the file and the line number.
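A sketch of what the proposed change could look like, as an added example rather than the project's own scanner.go: the regexes, the candidate file list, the masking format and the function names (`ScanContent`, `ScanFile`, `CandidateFiles`) are all assumptions for illustration. Each line of each file is run through every compiled pattern, and every finding cites file, line number and pattern name with the secret masked to a short prefix and suffix, so the warning itself does not leak what it found. A comment that merely mentions the AKIA prefix no longer triggers a warning, which the substring check would have flagged.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// pattern is a named secret regex. The slice is compiled once at package
// init rather than per file; capture group 1, when present, is the secret.
type pattern struct {
	name string
	re   *regexp.Regexp
}

// Assumed patterns for this example; not the project's own patterns slice.
var patterns = []pattern{
	{"aws-access-key-id", regexp.MustCompile(`\b(?:AKIA|ASIA)[0-9A-Z]{16}\b`)},
	{"aws-secret-access-key", regexp.MustCompile(`(?i)aws_secret_access_key\s*[=:]\s*["']?([A-Za-z0-9/+=]{40})`)},
	{"generic-api-key", regexp.MustCompile(`(?i)\b(?:api[_-]?key|secret|token)\s*[=:]\s*["']?([A-Za-z0-9_-]{16,})`)},
	{"netrc-password", regexp.MustCompile(`(?i)\bpassword\s+(\S{8,})`)},
}

// Finding cites the file, 1-based line and pattern that matched. Masked keeps
// only the first four and last two characters of the secret.
type Finding struct {
	File    string
	Line    int
	Pattern string
	Masked  string
}

func mask(s string) string {
	if len(s) <= 6 {
		return "****"
	}
	return s[:4] + strings.Repeat("*", len(s)-6) + s[len(s)-2:]
}

// scanReader runs every pattern over each line of r and reports each hit.
func scanReader(name string, r io.Reader) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		for _, p := range patterns {
			m := p.re.FindStringSubmatch(line)
			if m == nil {
				continue
			}
			secret := m[0] // whole match unless the pattern isolates the secret in group 1
			if len(m) > 1 && m[1] != "" {
				secret = m[1]
			}
			out = append(out, Finding{File: name, Line: n, Pattern: p.name, Masked: mask(secret)})
		}
	}
	return out, sc.Err()
}

// ScanContent scans in-memory content under a display name (used by tests).
func ScanContent(name, content string) []Finding {
	f, _ := scanReader(name, strings.NewReader(content))
	return f
}

// ScanFile scans one file on disk; a missing file is an error, not a finding.
func ScanFile(path string) ([]Finding, error) {
	fh, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer fh.Close()
	return scanReader(path, fh)
}

// CandidateFiles lists the fixed dotfiles plus every .env* file under home.
func CandidateFiles(home string) []string {
	fixed := []string{".bashrc", ".zshrc", ".profile", ".netrc", ".aws/credentials",
		"config.json", "terraform.tfvars"}
	var files []string
	for _, f := range fixed {
		files = append(files, filepath.Join(home, f))
	}
	envs, _ := filepath.Glob(filepath.Join(home, ".env*")) // picks up .env, .env.local, ...
	return append(files, envs...)
}

func main() {
	home, err := os.UserHomeDir()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, path := range CandidateFiles(home) {
		findings, err := ScanFile(path)
		if err != nil {
			continue // most candidate files simply do not exist; that is not a warning
		}
		for _, f := range findings {
			fmt.Printf("WARN %s:%d matches %s: %s\n", f.File, f.Line, f.Pattern, f.Masked)
		}
	}
}
```

Masking in the report matters because audit output tends to end up in CI logs and tickets; printing the full key would turn the scanner into a second leak.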