
Metabase: match only UUID session tokens (reduce false positives) #4998

Open
ArisRhiannon wants to merge 1 commit into trufflesecurity:main from ArisRhiannon:metabase-uuid-session-token

Conversation

ArisRhiannon commented May 31, 2026

Fixes #4633

Description

The Metabase detector matches any 36-character [a-zA-Z0-9-] string near the metabase keyword, so URL slugs and other descriptive strings get flagged as session tokens (the case reported in #4633).

Metabase session tokens (X-Metabase-Session) are UUIDs:

  • src/metabase/session/models/session.clj: generate-session-key returns (str (random-uuid))
  • POST /api/session returns {"id": "<uuid>"}

This tightens keyPat to the UUID format, which removes the false positives at the source without extra heuristics. Detection of real tokens is unchanged.

Tests

Added a regression case (a 36-char URL slug is no longer flagged). go test ./pkg/detectors/metabase/ and go vet pass.

Note

@rootranjan already opened #4634 for this same issue using a slug/word-filtering approach — thanks for that work. This is a smaller, root-cause alternative (a one-line regex change) in case it's helpful; happy to defer to #4634 or close this if you'd prefer that direction.


Note

Low Risk
Scoped regex and test updates in the Metabase detector only; no auth or verification flow changes beyond stricter matching.

Overview
Tightens the Metabase session-token detector so it only matches UUID-shaped X-Metabase-Session values instead of any 36-character alphanumeric string near the metabase keyword. That stops URL slugs and similar descriptive strings (e.g. prod-analytics-dashboard-public-link) from being reported as secrets while keeping real tokens detectable.

Tests now use a UUID example and add a regression case asserting those slugs are not flagged.

Reviewed by Cursor Bugbot for commit 9342bab.
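To see concretely what the one-line regex change does and does not affect, here is an added Go example; it is not part of this PR and not trufflehog's own detector code. It approximates the detector's keyword-proximity requirement as `metabase` (case-insensitive) followed by up to 40 arbitrary characters, which is an assumption about the real keyPat rather than a quote of it, and runs the loose 36-character pattern and the UUID-shaped replacement side by side over constructed inputs, including the 36-character slug case from #4633.

```go
package main

import (
	"fmt"
	"regexp"
)

// prefix approximates the detector's keyword-proximity requirement:
// "metabase" (case-insensitive), then up to 40 arbitrary characters before
// the candidate token. This is an assumption for illustration, not the
// project's exact keyPat.
const prefix = `(?i:metabase)[\s\S]{0,40}?`

// OldPat is the loose shape the PR replaces: any 36-character run of
// [a-zA-Z0-9-] near the keyword. A dashboard slug of that length satisfies it.
var OldPat = regexp.MustCompile(prefix + `\b([a-zA-Z0-9-]{36})\b`)

// NewPat requires the canonical 8-4-4-4-12 hex UUID layout that
// (str (random-uuid)) produces. The hex classes accept both cases, so a
// UUID copied in upper case from a header still matches.
var NewPat = regexp.MustCompile(prefix +
	`\b([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\b`)

// Candidates returns every token that pat captures in data.
func Candidates(pat *regexp.Regexp, data string) []string {
	var out []string
	for _, m := range pat.FindAllStringSubmatch(data, -1) {
		out = append(out, m[1])
	}
	return out
}

// Samples are constructed inputs (not real secrets): a 36-character
// dashboard slug of the kind reported in #4633, a session header carrying a
// UUID, and a line with the keyword but no 36-character run at all.
var Samples = []string{
	"METABASE_PUBLIC_LINK=prod-analytics-dashboard-public-link",
	"X-Metabase-Session: 3c9a3f4e-7b1d-4f2a-9c8e-2d5b6a7f1e04",
	"metabase_site_url = https://metabase.example.com",
}

func main() {
	for _, s := range Samples {
		fmt.Printf("%q\n  old: %v\n  new: %v\n", s, Candidates(OldPat, s), Candidates(NewPat, s))
	}
}
```

Run it with `go run .` in a scratch module. The slug is reported by the old pattern only, the UUID by both, and the keyword-only line by neither; the tightening removes matches but cannot add any, so the one residual risk is a false negative if some deployment ever issued a non-UUID session id, which the cited Metabase source rules out.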

The detector matched any 36-char [a-zA-Z0-9-] string near the "metabase"
keyword, so URL slugs and descriptive strings were flagged as session
tokens. Metabase session tokens (X-Metabase-Session) are UUIDs
(generate-session-key returns (str (random-uuid))), so tighten keyPat to
the UUID format. Added a regression test.

Fixes trufflesecurity#4633
@ArisRhiannon ArisRhiannon requested a review from a team May 31, 2026 17:22
@ArisRhiannon ArisRhiannon requested a review from a team as a code owner May 31, 2026 17:22
CLAassistant commented May 31, 2026

CLA assistant check
All committers have signed the CLA.


Development

Successfully merging this pull request may close these issues.

Metabase detector produces false positives for URL slugs and descriptive strings