Checkmarx · cx-leonardo-fontes · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026 · Jan 23, 2026
@@ -135,13 +135,13 @@ func shannonEntropy(data string) (entropy float64) {
 	return entropy
 }
 
-// filter will dedupe, redact, and remove empty secret findings
+// filter will dedupe, redact, and remove empty secret/line findings
 func filter(findings []report.Finding, redact uint) []report.Finding {
 	var retFindings []report.Finding
 	for i := range findings {
 		f := &findings[i]
-		// Skip findings with empty secrets
-		if f.Secret == "" {
+		// Skip findings with empty/whitespace-only secrets or lines
+		if strings.TrimSpace(f.Secret) == "" || strings.TrimSpace(f.Line) == "" {
 			continue
 		}
 		include := true

@@ -0,0 +1,134 @@
+package detect
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/zricethezav/gitleaks/v8/report"
+)
+
+func TestFilter(t *testing.T) {
+	tests := []struct {
+		name           string
+		findings       []report.Finding
+		redact         uint
+		expectedCount  int
+		expectedSecret string // for single finding tests
+	}{
+		{
+			name: "valid finding passes through",
+			findings: []report.Finding{
+				{Secret: "my-secret", Line: "password=my-secret", RuleID: "test-rule"},
+			},
+			redact:         0,
+			expectedCount:  1,
+			expectedSecret: "my-secret",
+		},
+		{
+			name: "empty secret is filtered out",
+			findings: []report.Finding{
+				{Secret: "", Line: "some line content", RuleID: "test-rule"},
+			},
+			redact:        0,
+			expectedCount: 0,
+		},
+		{
+			name: "empty line is filtered out",
+			findings: []report.Finding{
+				{Secret: "my-secret", Line: "", RuleID: "test-rule"},
+			},
+			redact:        0,
+			expectedCount: 0,
+		},
+		{
+			name: "whitespace-only secret is filtered out",
+			findings: []report.Finding{
+				{Secret: "   ", Line: "some line content", RuleID: "test-rule"},
+			},
+			redact:        0,
+			expectedCount: 0,
+		},
+		{
+			name: "whitespace-only line is filtered out",
+			findings: []report.Finding{
+				{Secret: "my-secret", Line: "   ", RuleID: "test-rule"},
+			},
+			redact:        0,
+			expectedCount: 0,
+		},
+		{
+			name: "newline-only line is filtered out",
+			findings: []report.Finding{
+				{Secret: "my-secret", Line: "\n", RuleID: "test-rule"},
+			},
+			redact:        0,
+			expectedCount: 0,
+		},
+		{
+			name: "carriage-return-only line is filtered out",
+			findings: []report.Finding{
+				{Secret: "my-secret", Line: "\r", RuleID: "test-rule"},
+			},
+			redact:        0,
+			expectedCount: 0,
+		},
+		{
+			name: "newline and carriage return line is filtered out",
+			findings: []report.Finding{
+				{Secret: "my-secret", Line: "\r\n", RuleID: "test-rule"},
+			},
+			redact:        0,
+			expectedCount: 0,
+		},
+		{
+			name: "tab-only line is filtered out",
+			findings: []report.Finding{
+				{Secret: "my-secret", Line: "\t", RuleID: "test-rule"},
+			},
+			redact:        0,
+			expectedCount: 0,
+		},
+		{
+			name: "mixed whitespace line is filtered out",
+			findings: []report.Finding{
+				{Secret: "my-secret", Line: " \t\n\r ", RuleID: "test-rule"},
+			},
+			redact:        0,
+			expectedCount: 0,
+		},
+		{
+			name: "newline-only secret is filtered out",
+			findings: []report.Finding{
+				{Secret: "\n", Line: "some line content", RuleID: "test-rule"},
+			},
+			redact:        0,
+			expectedCount: 0,
+		},
+		{
+			name: "mixed valid and invalid findings",
+			findings: []report.Finding{
+				{Secret: "valid-secret", Line: "password=valid-secret", RuleID: "test-rule"},
+				{Secret: "", Line: "some line", RuleID: "test-rule"},
+				{Secret: "another-secret", Line: "", RuleID: "test-rule"},
+				{Secret: "   ", Line: "line", RuleID: "test-rule"},
+				{Secret: "good-secret", Line: "api_key=good-secret", RuleID: "test-rule"},
+			},
+			redact:        0,
+			expectedCount: 2,
+		},
+		{
+			name:          "empty findings list",
+			findings:      []report.Finding{},
+			redact:        0,
+			expectedCount: 0,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := filter(tt.findings, tt.redact)
+			assert.Equal(t, tt.expectedCount, len(result), "unexpected number of findings")
+		})
+	}
+}
+
@@ -1,6 +1,7 @@
 package scanner
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"sync"
@@ -56,7 +57,12 @@ func (s *scanner) Reset(scanConfig *ScanConfig, opts ...engine.EngineOption) err
 	return nil
 }
 
-func (s *scanner) Scan(scanItems []ScanItem, scanConfig *ScanConfig, opts ...engine.EngineOption) (reporting.IReport, error) {
+func (s *scanner) Scan(
+	ctx context.Context,
+	scanItems []ScanItem,
+	scanConfig *ScanConfig,
+	opts ...engine.EngineOption,
+) (reporting.IReport, error) {
 	var wg conc.WaitGroup
 	err := s.Reset(scanConfig, opts...)
 	if err != nil {
@@ -83,7 +89,11 @@ func (s *scanner) Scan(scanItems []ScanItem, scanConfig *ScanConfig, opts ...eng
 		defer close(s.engineInstance.GetPluginChannels().GetItemsCh())
 
 		for _, item := range scanItems {
-			s.engineInstance.GetPluginChannels().GetItemsCh() <- item
+			select {
+			case <-ctx.Done():
+				return
+			case s.engineInstance.GetPluginChannels().GetItemsCh() <- item:
+			}
 		}
 	})
 
@@ -95,6 +105,10 @@ func (s *scanner) Scan(scanItems []ScanItem, scanConfig *ScanConfig, opts ...eng
 
 	close(s.engineInstance.GetErrorsCh())
 
+	if ctx.Err() != nil {
+		return s.engineInstance.GetReport(), ctx.Err()
+	}
+
 	var errs []error
 	for err = range bufferedErrors {
 		errs = append(errs, err)
@@ -107,6 +121,7 @@ func (s *scanner) Scan(scanItems []ScanItem, scanConfig *ScanConfig, opts ...eng
 }
 
 func (s *scanner) ScanDynamic(
+	ctx context.Context,
 	itemsIn <-chan ScanItem,
 	scanConfig *ScanConfig,
 	opts ...engine.EngineOption,
@@ -123,11 +138,22 @@ func (s *scanner) ScanDynamic(
 	wg.Go(func() {
 		defer close(channels.GetItemsCh())
 
-		for item := range itemsIn {
-			channels.GetItemsCh() <- item
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case item, ok := <-itemsIn:
+				if !ok {
+					log.Info().Msg("scan dynamic finished sending items to engine")
+					return
+				}
+				select {
+				case <-ctx.Done():
+					return
+				case channels.GetItemsCh() <- item:
+				}
+			}
 		}
-
-		log.Info().Msg("scan dynamic finished sending items to engine")
 	})
 
 	bufferedErrors := make(chan error, 2)
@@ -148,6 +174,10 @@ func (s *scanner) ScanDynamic(
 
 	close(s.engineInstance.GetErrorsCh())
 
+	if ctx.Err() != nil {
+		return s.engineInstance.GetReport(), ctx.Err()
+	}
+
 	var errs []error
 	for err = range bufferedErrors {
 		errs = append(errs, err)