Opus finding
isDotEnv regex matches paths like 'env.local' or '.environment' falsely / misses real .env files
- src/ci/rules.ts:16-22
The regex /(^|\/)\.env(?:\.|$)/i requires a literal '.env' path segment followed by either '.' or end of string. That is mostly correct. '.env.example' matches via the '.env.' branch and is rescued only because isEnvExample is checked afterwards. The regex does not match '.env_local' or 'envfile' (which should not match anyway), and it does not match '.environment' (also correct).

The real bug: '.env.example.bak' is classified as a real dotenv file because isEnvExample requires the path to END with '.env.example'. Backup or copy files of env examples are therefore flagged as a 'high severity secret file' incorrectly. Conversely, '.env.production' is correctly flagged. A file literally named '.env' (no extension) matches via the '$' branch, and a file named 'env' (no leading dot) does not match; both are correct.

Overall: '.env.example~', '.env.sample.bak', and editor swap files such as '.env.example.swp' would all be flagged as 'high' dotenv leaks falsely.
Recommendation
Either tighten isEnvExample to allow trailing suffixes (~, .bak, .swp) or extract the basename and match exact filenames.
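An added example (not the project's code) that reconstructs the two checks as this finding describes them and places a basename-based classifier, the second option in the recommendation, beside them. The isDotEnv regex is the one quoted above; isEnvExampleCurrent, the trailing-suffix list and the example-variant list are assumptions.

```typescript
// Reconstruction of the checks as the finding describes them (assumption:
// the real src/ci/rules.ts may differ). The regex itself is quoted from the finding.
const DOTENV_RE = /(^|\/)\.env(?:\.|$)/i;

export function isDotEnvCurrent(path: string): boolean {
  return DOTENV_RE.test(path);
}

// Assumed: isEnvExample only rescues paths that END with ".env.example".
export function isEnvExampleCurrent(path: string): boolean {
  return /\.env\.example$/i.test(path);
}

// Current outcome: any dotenv match not rescued by the example check is "high".
export function classifyCurrent(path: string): "high" | "none" {
  if (!isDotEnvCurrent(path)) return "none";
  return isEnvExampleCurrent(path) ? "none" : "high";
}

// Proposed (recommendation, option 2): work on the basename, strip trailing
// backup/swap suffixes, then match exact names. Suffix and variant lists are assumptions.
const TRAILING_SUFFIX_RE = /(?:~|\.(?:bak|orig|swp|swo|tmp))+$/i;
const EXAMPLE_VARIANTS = new Set(["example", "sample", "template"]);

export function basename(path: string): string {
  const parts = path.split(/[\\/]/);
  return parts[parts.length - 1] ?? "";
}

export function classifyProposed(path: string): "high" | "none" {
  const name = basename(path).toLowerCase().replace(TRAILING_SUFFIX_RE, "");
  // Exactly ".env" or ".env.<variant>"; "env", ".environment" and ".env_local" fall through.
  const m = /^\.env(?:\.(.+))?$/.exec(name);
  if (m === null) return "none";
  const variant = m[1];
  if (variant !== undefined && EXAMPLE_VARIANTS.has(variant)) return "none";
  return "high";
}
```

classifyCurrent(".env.example.bak") reproduces the false positive ("high"), while classifyProposed returns "none" for it and still returns "high" for ".env" and ".env.production".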