Reduce false positives with improved filtering and detection

- Skip Java generated docs (target/apidocs, target/site)
- Skip Python build artifacts (.egg-info/, PKG-INFO, METADATA)
- Skip backup files (.bak, .disabled, .orig, .old)
- Skip documentation files by name pattern (-documentation, -docs)
- Add --include-imports, --include-quantum-safe, --verbose flags
- Suppress quantum-safe algorithms (SHA-256, AES-256) by default
- Suppress library import findings by default
- Improve documentation string detection patterns
- Fix regex patterns for DES, DSA, and weak cipher detection
- Fix slice bounds panic in IsURLOrPath for short matches
- Add path component checking for nested build directories

Reduces noise by ~27% on real-world codebases while preserving
legitimate cryptographic findings.

Author: thebenignhacker

internal/cli/scan.go

@@ -17,19 +17,22 @@ import (
 )
 
 var (
-	outputFormat   string
-	outputFile     string
-	includeGlobs   string
-	excludeGlobs   string
-	maxDepth       int
-	showProgress   bool
-	minSeverity    string
-	noColor        bool
-	jsonPretty     bool
-	scanGitHistory bool
-	groupBy        string
-	contextLines   int
-	streamFindings bool
+	outputFormat       string
+	outputFile         string
+	includeGlobs       string
+	excludeGlobs       string
+	maxDepth           int
+	showProgress       bool
+	minSeverity        string
+	noColor            bool
+	jsonPretty         bool
+	scanGitHistory     bool
+	groupBy            string
+	contextLines       int
+	streamFindings     bool
+	includeImports     bool
+	includeQuantumSafe bool
+	verbose            bool
 )
 
 var scanCmd = &cobra.Command{
@@ -75,6 +78,9 @@ func init() {
 	scanCmd.Flags().StringVarP(&groupBy, "group-by", "g", "", "Group output by: file, severity, category, quantum")
 	scanCmd.Flags().IntVarP(&contextLines, "context", "c", 3, "Number of context lines to show around findings")
 	scanCmd.Flags().BoolVar(&streamFindings, "stream", true, "Show findings as they are discovered")
+	scanCmd.Flags().BoolVar(&includeImports, "include-imports", false, "Include library import findings (normally suppressed as low-value)")
+	scanCmd.Flags().BoolVar(&includeQuantumSafe, "include-quantum-safe", false, "Include quantum-safe algorithm findings (SHA-256, AES-256)")
+	scanCmd.Flags().BoolVarP(&verbose, "verbose", "v", false, "Show all findings including imports and quantum-safe algorithms")
 }
 
 func runScan(cmd *cobra.Command, args []string) error {
@@ -108,13 +114,15 @@ func runScan(cmd *cobra.Command, args []string) error {
 
 	// Create scanner config
 	cfg := scanner.Config{
-		Target:         target,
-		IncludeGlobs:   includes,
-		ExcludeGlobs:   excludes,
-		MaxDepth:       maxDepth,
-		ShowProgress:   showProgress,
-		ScanGitHistory: scanGitHistory,
-		MinSeverity:    parseSeverity(minSeverity),
+		Target:             target,
+		IncludeGlobs:       includes,
+		ExcludeGlobs:       excludes,
+		MaxDepth:           maxDepth,
+		ShowProgress:       showProgress,
+		ScanGitHistory:     scanGitHistory,
+		MinSeverity:        parseSeverity(minSeverity),
+		IncludeImports:     includeImports || verbose,     // Include if explicitly set or verbose mode
+		IncludeQuantumSafe: includeQuantumSafe || verbose, // Include if explicitly set or verbose mode
 	}
 
 	// Setup streaming output for text format (thread-safe for parallel scanning)

pkg/analyzer/context.go

@@ -83,6 +83,158 @@ func isStringContext(line string) bool {
 	return false
 }
 
+// IsHelpText detects if a line looks like help/usage text or documentation
+// These often mention algorithms but aren't actual crypto usage
+func IsHelpText(line string) bool {
+	lineLower := strings.ToLower(line)
+
+	// CLI help/usage patterns
+	helpPatterns := []string{
+		"usage:", "options:", "flags:", "arguments:", "commands:",
+		"--help", "-help", "help:", "synopsis:",
+		"description:", "default:", "example:",
+		"supported algorithms", "available algorithms", "algorithm:",
+		"choose from:", "one of:", "valid values:",
+		"allowed:", "accepts:", "supported:",
+	}
+	for _, p := range helpPatterns {
+		if strings.Contains(lineLower, p) {
+			return true
+		}
+	}
+
+	// API documentation / help text patterns
+	apiDocPatterns := []string{
+		"returns:", "parameters:", "response:", "request:",
+		"enum:", "type:", "format:", "schema:",
+		"api reference", "documentation", "specification",
+	}
+	for _, p := range apiDocPatterns {
+		if strings.Contains(lineLower, p) {
+			return true
+		}
+	}
+
+	// Common help text structures (algorithm lists in docs)
+	// e.g., "Supported: RSA, ECDSA, Ed25519"
+	if strings.Contains(line, ": ") && (strings.Contains(lineLower, "supported") ||
+		strings.Contains(lineLower, "available") ||
+		strings.Contains(lineLower, "allowed")) {
+		return true
+	}
+
+	return false
+}
+
+// IsURLOrPath detects if the match appears to be in a URL or file path context
+func IsURLOrPath(line, match string) bool {
+	matchLower := strings.ToLower(match)
+	lineLower := strings.ToLower(line)
+
+	// Find position of match in line
+	pos := strings.Index(lineLower, matchLower)
+	if pos == -1 {
+		return false
+	}
+
+	// Check if match is part of a URL
+	urlPrefixes := []string{"http://", "https://", "ftp://", "file://", "s3://", "gs://"}
+	for _, prefix := range urlPrefixes {
+		prefixPos := strings.LastIndex(lineLower[:pos+1], prefix)
+		if prefixPos != -1 && prefixPos < pos {
+			// Check if there's no space between URL prefix and match
+			segment := lineLower[prefixPos:pos]
+			if !strings.Contains(segment, " ") && !strings.Contains(segment, "\t") {
+				return true
+			}
+		}
+	}
+
+	// Check if match is part of a file path
+	// Look for path separators before/after the match
+	beforeMatch := ""
+	if pos > 0 {
+		beforeMatch = line[max(0, pos-20):pos]
+	}
+	afterMatch := ""
+	if pos+len(match) < len(line) {
+		afterMatch = line[pos+len(match):min(len(line), pos+len(match)+20)]
+	}
+
+	// Path indicators - must have actual path separator
+	if strings.Contains(beforeMatch, "/") || strings.Contains(beforeMatch, "\\") ||
+		strings.HasPrefix(afterMatch, "/") || strings.HasPrefix(afterMatch, "\\") {
+		return true
+	}
+
+	// Check for file extension pattern (e.g., "rsa.pem", "ecdsa.key")
+	// But NOT method calls (e.g., "rsa.GenerateKey")
+	if strings.HasPrefix(afterMatch, ".") && len(afterMatch) > 1 {
+		// Extract the extension/method name
+		extEnd := strings.IndexAny(afterMatch[1:], " \t\n(){}[]<>,;:\"'")
+		if extEnd == -1 {
+			extEnd = len(afterMatch)
+		} else {
+			extEnd++ // account for starting at index 1
+		}
+		if extEnd > 1 { // Ensure we have something to extract
+			ext := strings.ToLower(afterMatch[1:extEnd])
+			// File extensions that indicate a path
+			fileExts := map[string]bool{
+				"pem": true, "key": true, "crt": true, "cer": true, "der": true,
+				"p12": true, "pfx": true, "jks": true, "pub": true, "sig": true,
+				"txt": true, "json": true, "yaml": true, "yml": true, "xml": true,
+			}
+			if fileExts[ext] {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
+// IsVariableOrFunctionName detects if the match is part of an identifier name
+// e.g., rsaKeySize, getRSAKey, showECDSAInfo - these are less actionable
+func IsVariableOrFunctionName(line, match string) bool {
+	matchLower := strings.ToLower(match)
+	lineLower := strings.ToLower(line)
+
+	pos := strings.Index(lineLower, matchLower)
+	if pos == -1 {
+		return false
+	}
+
+	// Check character before match (if exists)
+	if pos > 0 {
+		charBefore := line[pos-1]
+		// If preceded by a letter, it's part of an identifier
+		if (charBefore >= 'a' && charBefore <= 'z') || (charBefore >= 'A' && charBefore <= 'Z') {
+			return true
+		}
+	}
+
+	// Check character after match (if exists)
+	endPos := pos + len(match)
+	if endPos < len(line) {
+		charAfter := line[endPos]
+		// If followed by a letter (not just typical suffixes), might be identifier
+		if (charAfter >= 'a' && charAfter <= 'z') || (charAfter >= 'A' && charAfter <= 'Z') {
+			// Exception: common crypto suffixes that indicate actual usage
+			afterStr := strings.ToLower(line[endPos:min(len(line), endPos+10)])
+			validSuffixes := []string{"key", "cert", "sign", "encrypt", "decrypt", "hash"}
+			for _, suffix := range validSuffixes {
+				if strings.HasPrefix(afterStr, suffix) {
+					return false // This is likely real crypto usage
+				}
+			}
+			return true
+		}
+	}
+
+	return false
+}
+
 func isImportLine(line string, lang Language) bool {
 	switch lang {
 	case LangPython:

pkg/patterns/matcher.go

@@ -125,6 +125,25 @@ func (m *Matcher) MatchWithContext(line, file string, lineNum int, fileCtx *anal
 				}
 			}
 
+			// Check for help text / documentation context (high false positive rate)
+			if analyzer.IsHelpText(line) {
+				finding.Confidence = types.ConfidenceLow
+				finding.Severity = adjustSeverityDown(finding.Severity, 2)
+			}
+
+			// Check if match is in a URL or file path (not actionable)
+			if analyzer.IsURLOrPath(line, finding.Match) {
+				finding.Confidence = types.ConfidenceLow
+				finding.Severity = adjustSeverityDown(finding.Severity, 2)
+			}
+
+			// Check if match is part of a variable/function name (less actionable)
+			if analyzer.IsVariableOrFunctionName(line, finding.Match) {
+				if finding.Confidence == types.ConfidenceHigh {
+					finding.Confidence = types.ConfidenceMedium
+				}
+			}
+
 			if lineCtx != nil {
 				finding.Purpose = lineCtx.Purpose
 				// Override confidence from line context if not already set
@@ -288,11 +307,12 @@ func (m *Matcher) loadPatterns() {
 	})
 
 	// DSA Detection
+	// Note: Require key size suffix or crypto context to avoid false positives
 	m.patterns = append(m.patterns, Pattern{
 		ID:          "DSA-001",
 		Name:        "DSA Algorithm",
 		Category:    "Asymmetric Encryption",
-		Regex:       regexp.MustCompile(`(?i)\bDSA[-_]?(1024|2048|3072)?\b`),
+		Regex:       regexp.MustCompile(`(?i)\bDSA[-_](1024|2048|3072)\b|KeyPairGenerator\.getInstance\s*\(\s*["']DSA["']|ssh-dss\b|-----BEGIN\s+DSA|"crypto/dsa"`),
 		Severity:    types.SeverityHigh,
 		Quantum:     types.QuantumVulnerable,
 		Algorithm:   "DSA",
@@ -348,11 +368,12 @@ func (m *Matcher) loadPatterns() {
 	})
 
 	// DES/3DES (Deprecated)
+	// Note: Require mode suffix (CBC/ECB/CFB/OFB) or crypto context to avoid false positives
 	m.patterns = append(m.patterns, Pattern{
 		ID:          "DES-001",
 		Name:        "DES Algorithm",
 		Category:    "Deprecated Algorithm",
-		Regex:       regexp.MustCompile(`(?i)\bDES[-_]?(CBC|ECB|CFB|OFB)?\b`),
+		Regex:       regexp.MustCompile(`(?i)\bDES[-_](CBC|ECB|CFB|OFB)\b|\bDESede\b|Cipher\.getInstance\s*\(\s*["']DES["']|createCipher\s*\(\s*["']des|crypto\.createCipher.*["']des|\bDES\.(new|encrypt|decrypt)\b|\bDES\.MODE_`),
 		Severity:    types.SeverityCritical,
 		Quantum:     types.QuantumVulnerable,
 		Algorithm:   "DES",
@@ -482,11 +503,13 @@ func (m *Matcher) loadPatterns() {
 	})
 
 	// Weak Cipher Suites
+	// Note: Removed bare EXP[-_] and EXPORT[-_] as they cause false positives with JS export statements
+	// Only match these in proper cipher suite context (TLS_/SSL_ prefix)
 	m.patterns = append(m.patterns, Pattern{
 		ID:          "CIPHER-001",
 		Name:        "Weak Cipher Suite",
 		Category:    "Weak Cipher",
-		Regex:       regexp.MustCompile(`(?i)\b(EXP[-_]|EXPORT[-_]|TLS_.*EXPORT|SSL_.*EXPORT|NULL[-_]?(SHA|MD5)|DES[-_]CBC[-_]?(SHA|MD5)?|anon[-_]?DH|ADH[-_]|AECDH[-_])\b|CIPHER.*NULL`),
+		Regex:       regexp.MustCompile(`(?i)\b(TLS_[A-Z0-9_]*EXPORT[A-Z0-9_]*|SSL_[A-Z0-9_]*EXPORT[A-Z0-9_]*|TLS_NULL[A-Z0-9_]*|SSL_NULL[A-Z0-9_]*|TLS_[A-Z0-9_]*_anon_|SSL_[A-Z0-9_]*_anon_|TLS_RSA_WITH_NULL|ADH[-_][A-Z0-9]+|AECDH[-_][A-Z0-9]+)\b|(?i)\bCIPHER\s*[:=].*NULL`),
 		Severity:    types.SeverityCritical,
 		Quantum:     types.QuantumVulnerable,
 		Description: "Weak or export-grade cipher suite detected. These provide inadequate security.",