detect-secrets
Investigate when valid high-entropy secrets do not have quotes (outside of yaml/ini files)
There is the very rare valid secret in the form of
foo bar HIGH-ENTROPY
or just
HIGH-ENTROPY
etc.
where there are no quotes. We currently require quotes for high-entropy secrets, which is a sensible thing IMO, since it is one of the noisier plugin classes already.
I am not saying it is worth the increase in false-positives to catch these in general, simply that we should (a) add some documentation around it, and/or (b) investigate a more sophisticated approach than if we were to just remove the quote requirement altogether, if feasible, i.e. handle the special cases where we might come across it. 🤔
I'd love to hear about if anyone else has encountered a valid secret of this form, and what the secret was, so that we could discuss possible solutions.
In the interest of transparency, I've only found 1 secret like this and it was in a file that did not have an extension and was autogenerated.
I believe we do find high-entropy secrets without quotes in valid YAML or ini files, as shown in test_data/; this issue is specifically for non-ini and non-YAML files.
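To make the quote rule discussed above concrete, here is an added illustration that is not detect-secrets' own plugin code: an assumed Shannon-entropy check that only considers unquoted candidates in YAML/ini files (the extension set, entropy threshold and regexes are assumptions), so the same value is reported when quoted in a generic file but missed when it appears bare.

```python
import math
import re
from collections import Counter
from pathlib import PurePosixPath

# Constructed illustration of the quote requirement; thresholds and the
# file-type list are assumptions, not detect-secrets' actual settings.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
ENTROPY_LIMIT = 4.5  # assumed threshold, in bits per character
QUOTED = re.compile(r"""(["'])([A-Za-z0-9+/=]{20,})\1""")
BARE = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/=]{20,})(?![A-Za-z0-9+/=])")
NO_QUOTE_NEEDED = {".yaml", ".yml", ".ini", ".cfg"}  # assumed file types


def shannon_entropy(data: str, charset: str = BASE64_CHARS) -> float:
    """Bits of entropy per character, counting only characters in charset."""
    counts = Counter(c for c in data if c in charset)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def find_high_entropy(line: str, filename: str) -> list[str]:
    """Return high-entropy candidates on one line, applying the quote rule.

    Unquoted candidates are only considered when the extension is in
    NO_QUOTE_NEEDED; in any other file (including extension-less ones, the
    case described in the issue) a bare secret is never examined.
    """
    suffix = PurePosixPath(filename).suffix.lower()
    if suffix in NO_QUOTE_NEEDED:
        candidates = [m.group(1) for m in BARE.finditer(line)]
    else:
        candidates = [m.group(2) for m in QUOTED.finditer(line)]
    return [c for c in candidates if shannon_entropy(c) > ENTROPY_LIMIT]


def scan_file(contents: str, filename: str) -> list[tuple[int, str]]:
    """Scan file contents line by line; returns (line number, candidate) pairs."""
    return [(n, s) for n, line in enumerate(contents.splitlines(), 1)
            for s in find_high_entropy(line, filename)]


if __name__ == "__main__":
    # Constructed sample: the same value quoted, then bare, in an
    # extension-less autogenerated file. Only line 1 is reported.
    sample = ('api_key = "Kx9mQ2pL7vR4sT8wZ1yB6nH3jC5fD0gA"\n'
              'api_key = Kx9mQ2pL7vR4sT8wZ1yB6nH3jC5fD0gA\n')
    print(scan_file(sample, "generated_config"))
```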
This could be addressed by https://github.com/Yelp/detect-secrets/pull/697.