[bandit]: Do not treat "passed" as "password" for `S105`/`S106`/`S107` (#3222)

crates/ruff/resources/test/fixtures/flake8_bandit/S105.py

@@ -61,3 +61,13 @@ if token == "3\t4":
 
 if token == "5\r6":
     pass
+
+
+# These should not be flagged
+passed_msg = "You have passed!"
+compassion = "Please don't match!"
+impassable = "You shall not pass!"
+passwords = ""
+passphrases = ""
+tokens = ""
+secrets = ""

crates/ruff/src/rules/flake8_bandit/helpers.rs

@@ -1,10 +1,11 @@
+use once_cell::sync::Lazy;
+use regex::Regex;
 use rustpython_parser::ast::{Constant, Expr, ExprKind};
 
 use crate::checkers::ast::Checker;
 
-const PASSWORD_NAMES: [&str; 7] = [
+static PASSWORD_CANDIDATE_REGEX: Lazy<Regex> =
-    "password", "pass", "passwd", "pwd", "secret", "token", "secrete",
+    Lazy::new(|| Regex::new(r"(^|_)(pas+wo?r?d|pass(phrase)?|pwd|token|secrete?)($|_)").unwrap());
-];
 
 pub fn string_literal(expr: &Expr) -> Option<&str> {
     match &expr.node {
@@ -18,9 +19,7 @@ pub fn string_literal(expr: &Expr) -> Option<&str> {
 
 // Maybe use regex for this?
 pub fn matches_password_name(string: &str) -> bool {
-    PASSWORD_NAMES
+    PASSWORD_CANDIDATE_REGEX.is_match(string)
-        .iter()
-        .any(|name| string.to_lowercase().contains(name))
 }
 
 pub fn is_untyped_exception(type_: Option<&Expr>, checker: &Checker) -> bool {