
fix(postgres): honor ignore tag without explicit port#4989

Open
kiranmagic7 wants to merge 1 commit into
trufflesecurity:mainfrom
kiranmagic7:kiran/postgres-ignore-no-port

Conversation

@kiranmagic7

@kiranmagic7 kiranmagic7 commented May 28, 2026

What changed

  • Preserved the exact matched Postgres URI as the result's primary secret for line-location purposes.
  • Kept the existing normalized Raw/RawV2 value unchanged, including the default :5432 port.
  • Added regression coverage for # trufflehog:ignore on a Postgres URI without an explicit port.

Why

Postgres detector output normalizes missing ports into :5432. For a source line like:

DB=postgresql://user:secret@host/db  # trufflehog:ignore

that normalized value does not appear verbatim in the source chunk, so the engine cannot locate the finding line and the same-line ignore tag is skipped. Using the matched URI as the line-location primary secret lets the engine find the original source text while preserving the existing normalized finding identity.

Fixes #4962.

Tests run

  • Before the fix: PATH="/opt/homebrew/opt/go@1.25/bin:$PATH" go test ./pkg/engine -run TestEngineignoreLine -count=1 failed on the new no-port regression with expected: 0, actual: 1.
  • PATH="/opt/homebrew/opt/go@1.25/bin:$PATH" gofmt -w pkg/detectors/postgres/postgres.go pkg/detectors/postgres/postgres_test.go pkg/engine/engine_test.go.
  • PATH="/opt/homebrew/opt/go@1.25/bin:$PATH" go test ./pkg/detectors/postgres -run 'TestPostgres_(Pattern|ExtraData|PrimarySecretUsesMatchedURI|FromDataWithIgnorePattern)' -count=1 passed.
  • PATH="/opt/homebrew/opt/go@1.25/bin:$PATH" go test ./pkg/engine -run TestEngineignoreLine -count=1 passed.
  • PATH="/opt/homebrew/opt/go@1.25/bin:$PATH" go test ./pkg/detectors/postgres -count=1 passed.
  • PATH="/opt/homebrew/opt/go@1.25/bin:$PATH" go test ./pkg/engine -run 'Test(FragmentLineOffset|AssignDuplicateLineOffsets|EngineignoreLine)' -count=1 passed.
  • PATH="/opt/homebrew/opt/go@1.25/bin:$PATH" go test ./pkg/detectors/postgres ./pkg/engine -run 'TestPostgres_|TestFragmentLineOffset|TestAssignDuplicateLineOffsets|TestEngineignoreLine' -count=1 passed.
  • PATH="/opt/homebrew/opt/go@1.25/bin:$PATH" go test ./pkg/engine -count=1 passed.
  • git diff --check passed.

CLI proof on the built branch binary:

no-port-ignore exit=0
with-port-ignore exit=0
no-ignore exit=183
no-ignore finding lines=1

Compatibility and risk

This does not change the emitted Postgres Raw, RawV2, SecretParts, verification parameters, or default-port normalization. The matched URI is only used for line-number and ignore-tag lookup, matching the engine's existing primary-secret path for detectors whose displayed result differs from the exact source match.
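The lookup failure described above can be reproduced with a small model of the engine's same-line ignore check. The following Go program is an added example written for this page; it is not trufflehog's detector or engine code. It assumes a simplified normalization (net/url-based insertion of :5432 when no port is present), a substring-based line lookup, and a two-line sample chunk constructed here, and it shows that locating the finding by the normalized Raw misses the no-port line while locating it by the exact matched text finds it.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample chunk (not taken from the PR): both lines carry a
// same-line ignore tag; only the first omits the port.
const sampleChunk = `DB=postgresql://user:secret@host/db  # trufflehog:ignore
DB2=postgresql://user:secret@host:5433/db  # trufflehog:ignore
`

const (
	ignoreTag   = "trufflehog:ignore"
	defaultPort = "5432"
)

// Result models the two fields the PR distinguishes: the normalized value
// that identifies the finding, and the exact matched text used to locate it.
type Result struct {
	Raw           string
	PrimarySecret string
}

// NormalizeURI is an illustrative stand-in (assumption, not the detector's
// code) for default-port normalization: a URI with no explicit port gets
// ":5432" inserted after the hostname.
func NormalizeURI(matched string) (string, error) {
	u, err := url.Parse(matched)
	if err != nil {
		return "", err
	}
	if u.Port() == "" {
		u.Host = u.Hostname() + ":" + defaultPort
	}
	return u.String(), nil
}

// NewResult builds the finding the way the PR describes: Raw normalized,
// PrimarySecret left exactly as matched in the source.
func NewResult(matched string) (Result, error) {
	raw, err := NormalizeURI(matched)
	if err != nil {
		return Result{}, err
	}
	return Result{Raw: raw, PrimarySecret: matched}, nil
}

// LineOf returns the 0-based index of the first line of chunk that contains
// needle, or -1 when the text is absent (the engine cannot place the finding).
func LineOf(chunk, needle string) int {
	for i, line := range strings.Split(chunk, "\n") {
		if strings.Contains(line, needle) {
			return i
		}
	}
	return -1
}

// IgnoredOnLine reports whether the line holding needle also carries the
// ignore tag. An unlocatable needle yields false: the tag is silently skipped.
func IgnoredOnLine(chunk, needle string) bool {
	i := LineOf(chunk, needle)
	if i < 0 {
		return false
	}
	return strings.Contains(strings.Split(chunk, "\n")[i], ignoreTag)
}

// ShouldReport runs the ignore check with the lookup key the engine would use
// before the fix (Raw) or after it (PrimarySecret).
func ShouldReport(chunk string, r Result, afterFix bool) bool {
	key := r.Raw
	if afterFix {
		key = r.PrimarySecret
	}
	return !IgnoredOnLine(chunk, key)
}

func main() {
	for _, m := range []string{
		"postgresql://user:secret@host/db",
		"postgresql://user:secret@host:5433/db",
	} {
		r, err := NewResult(m)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-40s raw=%s\n  before fix: report=%v\n  after fix:  report=%v\n",
			m, r.Raw, ShouldReport(sampleChunk, r, false), ShouldReport(sampleChunk, r, true))
	}
}
```

Running it shows the asymmetry the PR targets: for the with-port line Raw and the matched text are identical, so the ignore tag is honored either way, whereas for the no-port line only the matched text can be found in the chunk. The same mismatch would hit any detector whose displayed value is rewritten from the source match, which is why the fix keeps the normalized Raw as the finding identity and uses the matched text purely for location.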


Note

Low Risk
Scoped to Postgres line-location metadata; normalized secret output and verification paths are unchanged.

Overview
The Postgres detector now records the exact URI substring from the scan as the result’s primary secret, while Raw / RawV2 / SecretParts stay normalized (including default :5432 when the source omits a port).

That lets the engine locate the secret on the source line and honor # trufflehog:ignore on the same line when normalization would otherwise change the matched text. Regression tests cover primary-secret behavior and an end-to-end ignore case for URIs without an explicit port.

Reviewed by Cursor Bugbot for commit 7a5ac7c.

@kiranmagic7 kiranmagic7 requested a review from a team May 28, 2026 00:46
@kiranmagic7 kiranmagic7 requested review from a team as code owners May 28, 2026 00:46
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
Development

Successfully merging this pull request may close these issues.

# trufflehog:ignore not honored for Postgres URLs without an explicit port

2 participants