Struct FieldNameSignal 

pub struct FieldNameSignal {
    pub key_pattern: String,
    pub category: Category,
    pub label: String,
    pub threshold: f64,
    /* private fields */
}

A field-name–based heuristic signal used during structured processing.

When no explicit FieldRule covers a key, the processor checks the bare key name against all active signals. If a signal matches and the value’s Shannon entropy meets or exceeds threshold, the value is replaced using category — as if an explicit rule had been defined.

Entropy threshold guidance

Threshold	Behaviour
3.0	Catches most secrets including moderately weak ones; recommended for high-confidence keywords (password, secret)
3.5	Balanced default — skips plain enum values like Bearer, basic, true
4.0	Conservative — only high-entropy tokens; use when false-positive rate matters

Configuring via secrets file

Add kind: field-name entries to your secrets file. The pattern field is a case-insensitive regex matched against the bare key name (not the full dot-path). threshold defaults to DEFAULT_FIELD_SIGNAL_THRESHOLD when omitted.

# Strong signal: flag any `password`/`secret`/`private_key` with entropy ≥ 3.0
- kind: field-name
  pattern: "^(password|passwd|secret|private_key|client_secret)$"
  category: custom:credential
  label: my-strong-signals
  threshold: 3.0

# Medium signal: flag `token`/`api_key` only when value looks like a real token
- kind: field-name
  pattern: "^(token|api_key|access_key)$"
  category: custom:credential
  threshold: 3.5

Suppress false positives on specific values with kind: allow:

- kind: allow
  values: ["Bearer", "basic", "oauth2", "true", "false"]

Built-in defaults

When default patterns or --app is active, two built-in signals are injected automatically (unless --no-field-signal is passed):

• Strong (threshold: 3.0): password, passwd, secret, private_key, api_secret, client_secret
• Medium (threshold: 3.5): api_key, access_key, auth_token, token, signing_key, encryption_key, credential, cert

Fields

key_pattern: String

Original pattern string — shown in error messages and log output.

category: Category

Replacement category applied to values that pass the entropy gate.

label: String

Label used in findings and reports. Defaults to "field-signal:<key_pattern>".

threshold: f64

Shannon entropy threshold in bits per character.

Values below this threshold are left unchanged. See the table above and DEFAULT_FIELD_SIGNAL_THRESHOLD.

Implementations

impl FieldNameSignal

pub fn new( key_pattern: impl Into<String>, category: Category, label: Option<String>, threshold: f64, ) -> Result<Self, String>

Construct a new signal, compiling key_pattern as a case-insensitive regex.

Errors

Returns a human-readable error string if key_pattern is not a valid regex.

pub fn matches_key(&self, key: &str) -> bool

Returns true if key (bare field name, not a dot-path) matches this signal.

Trait Implementations

impl Clone for FieldNameSignal

fn clone(&self) -> FieldNameSignal

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for FieldNameSignal

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.