trufflesecurity · kiranmagic7 · May 28, 2026
@@ -52,6 +52,11 @@ var (
 	connStrPartPattern                    = regexp.MustCompile(`([[:alpha:]]+)='(.+?)' ?`)
 )
 
+type uriMatch struct {
+	uri    string
+	params map[string]string
+}
+
 type Scanner struct {
 	detectors.DefaultMultiPartCredentialProvider
 	detectLoopback bool // Automated tests run against localhost, but we want to ignore those results in the wild
@@ -93,9 +98,10 @@ func (s Scanner) Keywords() []string {
 
 func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) ([]detectors.Result, error) {
 	var results []detectors.Result
-	candidateParamSets := findUriMatches(data, s.ignorePatterns)
+	candidateMatches := findUriMatches(data, s.ignorePatterns)
 
-	for _, params := range candidateParamSets {
+	for _, candidate := range candidateMatches {
+		params := candidate.params
 		if common.IsDone(ctx) {
 			break
 		}
@@ -141,6 +147,7 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) ([]dete
 			RawV2:        raw,
 			SecretParts:  map[string]string{"connection_string": string(raw)},
 		}
+		result.SetPrimarySecretValue(candidate.uri)
 
 		// We don't need to normalize the (deprecated) requiressl option into the (up-to-date) sslmode option - pq can
 		// do it for us - but we will do it anyway here so that when we later capture sslmode into ExtraData we will
@@ -199,8 +206,8 @@ func (s Scanner) IsFalsePositive(_ detectors.Result) (bool, string) {
 	return false, ""
 }
 
-func findUriMatches(data []byte, ignorePatterns []*regexp.Regexp) []map[string]string {
-	var matches []map[string]string
+func findUriMatches(data []byte, ignorePatterns []*regexp.Regexp) []uriMatch {
+	var matches []uriMatch
 	for _, uri := range uriPattern.FindAll(data, -1) {
 		if shouldIgnore(uri, ignorePatterns) {
 			continue
@@ -224,7 +231,10 @@ func findUriMatches(data []byte, ignorePatterns []*regexp.Regexp) []map[string]s
 		}
 
 		params[pgDbType] = dbType
-		matches = append(matches, params)
+		matches = append(matches, uriMatch{
+			uri:    string(uri),
+			params: params,
+		})
 	}
 	return matches
 }

@@ -130,6 +130,18 @@ func TestPostgres_ExtraData(t *testing.T) {
 	}
 }
 
+func TestPostgres_PrimarySecretUsesMatchedURI(t *testing.T) {
+	const uri = "postgresql://admin:secret@10.0.0.1/production"
+
+	s := Scanner{detectLoopback: true}
+	results, err := s.FromData(context.Background(), false, []byte(uri))
+	require.NoError(t, err)
+	require.Len(t, results, 1)
+
+	assert.Equal(t, "postgresql://admin:secret@10.0.0.1:5432", string(results[0].Raw))
+	assert.Equal(t, uri, results[0].GetPrimarySecretValue())
+}
+
 func TestPostgres_FromDataWithIgnorePattern(t *testing.T) {
 	s := New(
 		WithIgnorePattern([]string{

@@ -1508,6 +1508,18 @@ def test_something():
     assert connection_string == "postgres://master_user:master_password@hostname:1234/main"  # trufflehog:ignore`,
 			expectedFindings: 0,
 		},
+		{
+			name: "ignore at end of line without explicit postgres port",
+			content: `
+# tests/example_false_positive.py
+
+def test_something():
+    connection_string = "who-cares"
+
+    # Ignoring this does not work
+    assert connection_string == "postgres://master_user:master_password@hostname/main"  # trufflehog:ignore`,
+			expectedFindings: 0,
+		},
 		{
 			name: "ignore not on secret line",
 			content: `