Feat/exclude values #1663

Open
chaimleib wants to merge 18 commits into securego:master from chaimleib:feat/exclude-values

Conversation

chaimleib commented May 1, 2026

Adds .G101.keys and .G101.values fields to the PathExcludeRule type. If provided with a slice of regex patterns, G101 "Possible hardcoded credentials" issues will also be excluded if the hardcoded value matches any of the values patterns, or if its key matches any of the keys patterns.

For example, the following code, common in test files, used to trigger an error:

const token = "fakeToken"

With this PR, a config can be set to exclude that issue when encountered in test files, based on the hardcoded value matching a pattern:

{
  "exclude-rules": [{
    "path": ".+_test\\.go$",
    "G101": {
      "values": [
        "(?i)^test",
        "(?i)^fake"
      ]
    }
  }]
}

Variable names can be excluded as well, even if the value looks like a credential:

testPassword := "|0oK5-l1k3_a=Pa5sw0Rd"

{
  "exclude-rules": [{
    "path": ".+_test\\.go$",
    "G101": {
      "keys": ["(?i)^test"]
    }
  }]
}
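Added example (not code from this PR or from gosec) showing the matching semantics the description lays out: an exclusion rule is gated on the file path first, and only then do the G101 key and value regexes decide whether a finding is dropped. The config string below is constructed by merging the two snippets above; the Go names (Config, CompiledRule, LoadRules, ShouldExcludeG101) are assumptions for this illustration, not gosec's API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Constructed config (not from the gosec repo) merging both PR snippets.
const sampleConfig = `{
  "exclude-rules": [{
    "path": ".+_test\\.go$",
    "G101": {
      "keys": ["(?i)^test"],
      "values": ["(?i)^test", "(?i)^fake"]
    }
  }]
}`

// Config mirrors the JSON shape used in the PR; the Go names are assumptions.
type Config struct {
	ExcludeRules []struct {
		Path string `json:"path"`
		G101 struct {
			Keys   []string `json:"keys"`
			Values []string `json:"values"`
		} `json:"G101"`
	} `json:"exclude-rules"`
}

// CompiledRule holds one rule's patterns, compiled once at load time.
type CompiledRule struct {
	Path   *regexp.Regexp
	Keys   []*regexp.Regexp
	Values []*regexp.Regexp
}

func compileAll(patterns []string) ([]*regexp.Regexp, error) {
	out := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, err
		}
		out = append(out, re)
	}
	return out, nil
}

// LoadRules parses the config and compiles every pattern up front, so a bad
// pattern is a load error rather than a rule that silently never matches.
func LoadRules(raw string) ([]CompiledRule, error) {
	var cfg Config
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return nil, err
	}
	var rules []CompiledRule
	for _, r := range cfg.ExcludeRules {
		path, err := regexp.Compile(r.Path)
		if err != nil {
			return nil, err
		}
		keys, err := compileAll(r.G101.Keys)
		if err != nil {
			return nil, err
		}
		values, err := compileAll(r.G101.Values)
		if err != nil {
			return nil, err
		}
		rules = append(rules, CompiledRule{Path: path, Keys: keys, Values: values})
	}
	return rules, nil
}

func anyMatch(res []*regexp.Regexp, s string) bool {
	for _, re := range res {
		if re.MatchString(s) {
			return true
		}
	}
	return false
}

// ShouldExcludeG101 reports whether a G101 finding (key = value in file path) is
// suppressed: the path must match the rule, then a key pattern must match the key
// or a value pattern must match the value. No G101 patterns means nothing is suppressed.
func ShouldExcludeG101(rules []CompiledRule, path, key, value string) bool {
	for _, r := range rules {
		if r.Path.MatchString(path) && (anyMatch(r.Keys, key) || anyMatch(r.Values, value)) {
			return true
		}
	}
	return false
}

func main() {
	rules, err := LoadRules(sampleConfig)
	if err != nil {
		panic(err)
	}
	fmt.Println(ShouldExcludeG101(rules, "pkg/auth_test.go", "token", "fakeToken")) // true
	fmt.Println(ShouldExcludeG101(rules, "pkg/auth.go", "token", "fakeToken"))      // false: not a test file
}
```

Two design points a reviewer would look for: the path check runs before any key or value pattern, so a loose value pattern like `(?i)^test` can never suppress a finding in production code, and the patterns are anchored with `^` so "fake" only matches at the start of a value rather than anywhere inside a real secret.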

@chaimleib chaimleib force-pushed the feat/exclude-values branch from 656e5c1 to 621cadb Compare May 1, 2026 00:29
@chaimleib chaimleib force-pushed the feat/exclude-values branch from efef057 to 39c5837 Compare May 1, 2026 22:59
@chaimleib chaimleib force-pushed the feat/exclude-values branch from e8ccb74 to bc9372b Compare May 1, 2026 23:26
@chaimleib chaimleib force-pushed the feat/exclude-values branch from 7927a9b to c8a4d2d Compare May 2, 2026 01:09

ccojocar commented May 4, 2026

Thanks for this contribution. This seems AI generated.

Why was it required to rename the methods/functions? Can you reduce the size of the changes to only the hardcoded credentials?

chaimleib commented May 4, 2026

> Thanks for this contribution. This seems AI generated.
>
> Why was it required to rename the methods/functions? Can you reduce the size of the changes to only the hardcoded credentials?

This was not AI generated. I did not even use AI for autocomplete.

I renamed some symbols because they mentioned "Path Exclusion", but I was adding functionality not related to paths. To avoid the misleading implication that PathExclusion symbols dealt only with paths, I removed "Path" from the names.

This is still WIP, and I'm looking into whether I should push the config deeper to be more tightly coupled to G101. I also want to write tests.

EDIT 2026-05-07: Since I really want to restrict the exclusions to particular paths, path_filters.go is the most natural place to trigger the key-value excluder. But I separated the logic out to its own files as much as I could.

ccojocar commented May 4, 2026

Please first make the minimum change required to incorporate the functionality you mentioned, without refactoring. You can follow up with refactoring afterwards if it is needed. This will make reviewing the change much easier. Thanks

codecov Bot commented May 6, 2026

Codecov Report

❌ Patch coverage is 69.95885% with 73 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.25%. Comparing base (5f4eec9) to head (c8a4d2d).
⚠️ Report is 3 commits behind head on master.

Files with missing lines          Patch %   Lines
exclusion_filter.go               63.44%    49 Missing and 4 partials
rules/hardcoded_credentials.go    83.72%    13 Missing and 1 partial
cmd/gosec/main.go                 25.00%    6 Missing
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1663      +/-   ##
==========================================
- Coverage   80.57%   80.25%   -0.32%     
==========================================
  Files         109      109              
  Lines       10181    10260      +79     
==========================================
+ Hits         8203     8234      +31     
- Misses       1495     1541      +46     
- Partials      483      485       +2     


ccojocar left a comment

Can you please add some info in the README regarding the usage of this exclusion filter?

Is this introducing any breaking changes for the existing filter format?

@chaimleib chaimleib force-pushed the feat/exclude-values branch from c8a4d2d to 8f6972a Compare May 7, 2026 04:44
ccojocar left a comment

Also make sure to update https://github.com/securego/gosec/blob/master/RULES.md#g101 with the added functionality when it is implemented.

@chaimleib chaimleib force-pushed the feat/exclude-values branch from 99239e0 to 2cc4ef0 Compare May 8, 2026 05:19
@chaimleib chaimleib force-pushed the feat/exclude-values branch from 2cc4ef0 to 9d7c266 Compare May 8, 2026 05:30
@chaimleib chaimleib force-pushed the feat/exclude-values branch from 9d7c266 to a722960 Compare May 8, 2026 05:35
chaimleib commented

> Can you please add some info in the README regarding the usage of this exclusion filter?
>
> Is this introducing any breaking changes for the existing filter format?

Done.

There should be no breaking changes for the existing filter format. The new feature is only configurable via JSON right now, via a new field in the path filter config. I weighed allowing configs via CLI arguments, but that seemed too complicated at this stage.

chaimleib commented

> Also make sure to update https://github.com/securego/gosec/blob/master/RULES.md#g101 with the added functionality when it is implemented.

Done!

@chaimleib chaimleib changed the title WIP: Feat/exclude values Feat/exclude values May 8, 2026
@chaimleib chaimleib marked this pull request as ready for review May 8, 2026 06:37