@Exudev Exudev commented Jan 22, 2026

Summary

  • Fixed false positive detection in noSecrets rule for CamelCase/PascalCase identifiers like paddingBottom, IngestGatewayLogGroup, and unhandledRejection.
  • Improved entropy calculation algorithm to distinguish between legitimate CamelCase patterns and suspicious random case mixing.
  • Added unit tests and snapshot tests to prevent regression.

Test plan

  • Unit tests pass: cargo test -p biome_js_analyze -- no_secrets
  • Snapshot tests pass for valid.js and invalid.js
  • Clippy lint check passes
  • Existing secret detection still works (JWT, AWS keys, etc.)

Fixes #8809
Fixes #7985
Fixes #8136


Detailed Description

Problem

The noSecrets rule was incorrectly flagging common CamelCase identifiers as potential secrets:

// These were triggering false positives
const prop = "paddingBottom";
const event = "unhandledRejection";
const id = "IngestGatewayLogGroup";

Root Cause

The entropy calculation treated all case switches equally without distinguishing between:

  • CamelCase (predictable): Gateway = 1 uppercase + 6 lowercase
  • Random alternating (suspicious): aBcDeFg = alternating every character

Solution

Introduced "average run length" metric to detect CamelCase patterns:

average_run_length = letter_count / (case_switches + 1)
  • CamelCase has longer runs (avg >= 2.5) → no case boost applied
  • Alternating patterns have short runs (avg = 1.0) → full case boost applied

Results

Pattern                  Before           After   Status
IngestGatewayLogGroup    4.45 (flagged)   3.82    Fixed
unhandledRejection       4.2 (flagged)    3.53    Fixed
aBcDeFgHiJkLmNoPq        7.5 (flagged)    7.5     Correct
…iomejs#8809)

Enhanced the entropy calculation for CamelCase identifiers to prevent false positives in secret detection. Added tests for CamelCase and alternating case patterns to ensure correct behavior. Updated relevant test cases in  and  to reflect these changes.
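The run-length metric from the Solution section, as an added Rust example that is not Biome's own code: it counts case switches over letters only, computes average_run_length exactly as the description defines it, and scales a case boost between the PR's 2.5 (CamelCase, no boost) and 1.0 (alternation, full boost) thresholds. The Shannon-entropy base score, MAX_CASE_BOOST, and the linear interpolation between the two thresholds are assumptions, not values taken from the PR.

```rust
// Added example, not Biome's own code: the "average run length" heuristic from the
// PR, deciding how much case-mixing boost a string gets on top of its Shannon
// entropy. Thresholds 2.5 / 1.0 are from the PR; MAX_CASE_BOOST and the linear
// interpolation between the thresholds are assumptions.
use std::collections::HashMap;

/// Letter and case-transition counts for a candidate string.
pub struct CaseStats { pub letters: usize, pub case_switches: usize }

/// Count letters and upper<->lower transitions. Digits and symbols are skipped, so
/// the '2' in "Log2Group" neither counts as a letter nor breaks a case run.
pub fn case_stats(s: &str) -> CaseStats {
    let mut stats = CaseStats { letters: 0, case_switches: 0 };
    let mut previous_was_upper: Option<bool> = None;
    for c in s.chars().filter(|c| c.is_alphabetic()) {
        stats.letters += 1;
        let is_upper = c.is_uppercase();
        if previous_was_upper.map_or(false, |prev| prev != is_upper) {
            stats.case_switches += 1;
        }
        previous_was_upper = Some(is_upper);
    }
    stats
}

/// average_run_length = letter_count / (case_switches + 1)
pub fn average_run_length(stats: &CaseStats) -> f64 {
    stats.letters as f64 / (stats.case_switches + 1) as f64
}

/// Fraction of the case boost to apply: 0.0 at an average run of 2.5 letters or
/// more (CamelCase), 1.0 at exactly 1.0 (strict alternation), linear in between.
pub fn case_boost_factor(stats: &CaseStats) -> f64 {
    const NO_BOOST_AT: f64 = 2.5;
    const FULL_BOOST_AT: f64 = 1.0;
    if stats.letters < 2 { return 0.0; } // a lone letter has no case pattern
    let avg = average_run_length(stats);
    ((NO_BOOST_AT - avg) / (NO_BOOST_AT - FULL_BOOST_AT)).clamp(0.0, 1.0)
}

/// Shannon entropy in bits per character (0.0 for the empty string).
pub fn shannon_entropy(s: &str) -> f64 {
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() { *counts.entry(c).or_insert(0) += 1; }
    let n = s.chars().count() as f64;
    counts.values().map(|&k| { let p = k as f64 / n; -p * p.log2() }).sum()
}

pub const MAX_CASE_BOOST: f64 = 1.0; // assumed size of the full case boost, in bits
pub fn secret_score(s: &str) -> f64 { shannon_entropy(s) + MAX_CASE_BOOST * case_boost_factor(&case_stats(s)) }
```

With these constants, IngestGatewayLogGroup (21 letters, 7 switches) has an average run of 2.625 and receives no boost, while aBcDeFgHiJkLmNoPq (17 letters, 16 switches) sits exactly at 1.0 and receives the full boost.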
changeset-bot bot commented Jan 22, 2026

🦋 Changeset detected

Latest commit: 683f042

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 14 packages
Name                            Type
@biomejs/biome                  Patch
@biomejs/cli-win32-x64          Patch
@biomejs/cli-win32-arm64        Patch
@biomejs/cli-darwin-x64         Patch
@biomejs/cli-darwin-arm64       Patch
@biomejs/cli-linux-x64          Patch
@biomejs/cli-linux-arm64        Patch
@biomejs/cli-linux-x64-musl     Patch
@biomejs/cli-linux-arm64-musl   Patch
@biomejs/wasm-web               Patch
@biomejs/wasm-bundler           Patch
@biomejs/wasm-nodejs            Patch
@biomejs/backend-jsonrpc        Patch
@biomejs/prettier-compare       Patch

@github-actions github-actions bot added A-Linter Area: linter L-JavaScript Language: JavaScript and super languages labels Jan 22, 2026
Exudev commented Jan 22, 2026

Hi, I tried to assign @dyc3 as a reviewer, but I don't have the appropriate permissions.

coderabbitai bot commented Jan 22, 2026

Walkthrough

The entropy calculation in the noSecrets lint rule was refactored to better distinguish CamelCase identifiers from high-entropy alternating-case strings. It computes an average_run_length (letters / (case_switches + 1)) and linearly interpolates a case-entropy boost from switch density and run length. Previous case-tracking was replaced with previous_was_upper: Option<bool> and character traversal now accumulates letter, uppercase, lowercase, digit and symbol counts. Unit tests were added for CamelCase, alternating-case, and AWS-like key behaviours.

Suggested reviewers

  • ematipico
Pre-merge checks: 4 passed

Check name                Status   Explanation
Title check               Passed   The title clearly and concisely describes the main change: fixing false positives in the noSecrets rule for CamelCase identifiers.
Description check         Passed   The description is well-structured and directly related to the changeset, detailing the problem, root cause, solution, and test results.
Linked Issues check       Passed   All three linked issues (#8809, #7985, #8136) are comprehensively addressed: CamelCase properties (paddingBottom, backgroundColor), event handlers (unhandledRejection, uncaughtException), and CDK construct IDs (IngestGatewayLogGroup) are now handled correctly via the new average_run_length entropy metric.
Out of Scope Changes check Passed  All changes are directly scoped to the noSecrets rule refinement: the entropy algorithm, test files (valid.js and invalid.js), unit tests, and a changelog entry—nothing extraneous detected.

@ematipico ematipico left a comment

Awesome improvement! Can you create a changeset? https://github.com/biomejs/biome?tab=contributing-ov-file#create-a-changeset

codspeed-hq bot commented Jan 22, 2026

CodSpeed Performance Report

Merging this PR will improve performance by 9.07%

Comparing Exudev:main (683f042) with main (4ee3bda)

Summary

⚡ 2 improved benchmarks
✅ 56 untouched benchmarks
⏩ 95 skipped benchmarks (baseline results used instead)

Performance Changes

Benchmark                                       BASE      HEAD      Efficiency
js_analyzer[index_3894593175024091846.js]       64.2 ms   58.9 ms   +9.05%
js_analyzer[lint_13640784270757307929.ts]       60.7 ms   55.7 ms   +9.07%

@Exudev Exudev requested a review from ematipico January 22, 2026 17:10
@dyc3 dyc3 left a comment

This is great! Thank you!

@dyc3 dyc3 merged commit b08270b into biomejs:main Jan 22, 2026
18 checks passed
@github-actions github-actions bot mentioned this pull request Jan 22, 2026
@lloydjatkinson
It seems very odd to me to hard code paddingBottom
