fix regex for checking github fine-grained tokens

[prezha]

the pattern for github fine-grained token has github_pat_ prefix, followed by two base62 chars segments, all separated with an underscore - ie:

github_pat_<22 base62 chars>_<59 base62 chars>

[kusari-inspector]

⚠️ Workspace Mapping Required

Hello! We noticed that your GitHub organization is not yet mapped to a Kusari workspace. Kusari Inspector now requires installations to be associated with a Kusari workspace.

⚠️ NOTE: Only the admin who installed the Kusari GitHub App can complete these steps. If the admin is unable to complete these steps, please contact support@kusari.dev

To complete the setup:

1. Visit https://console.us.kusari.cloud/auth/github and log in via github
2. If you have only one workspace, it will be automatically selected for you
3. Once the mapping is complete, return here and create a new comment with: @kusari-inspector re-run

This will trigger the analysis to run again.

For more information, or if you need help, visit https://github.com/kusaridev/community/discussions

[Copilot]

Pull request overview

Updates GitHub fine-grained personal access token (PAT) detection/redaction to match the documented github_pat_<22 base62>_<59 base62> format used by GitHub.

Changes:

• Update githubTokenRegex to validate fine-grained PATs with the 22 + '_' + 59 base62 segment format.
• Update sanitizeForLog to redact fine-grained PATs using the new segmented format.
• Adjust and extend unit tests to cover the new valid format and reject the old 82-char-suffix format.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
cmd/reviewGOOSE/security.go	Updates token validation + log redaction regex for fine-grained PAT format.
cmd/reviewGOOSE/security_test.go	Updates test vectors for fine-grained PATs and adds an invalid-case test.

Comments suppressed due to low confidence (1)

cmd/reviewGOOSE/security.go:87

• sanitizeForLog recompiles several regular expressions on every call (MustCompile inside the function). Since this runs on log paths, consider precompiling these regexps once at package scope (similar to githubTokenRegex) and reusing them to avoid repeated compilation overhead.

	s = regexp.MustCompile(`\b[a-f0-9]{40}\b`).ReplaceAllString(s, "[REDACTED-TOKEN]")
	// New format tokens (ghp_, ghs_, ghr_, gho_, ghu_)
	s = regexp.MustCompile(`\bgh[psoru]_[A-Za-z0-9]{36,251}\b`).ReplaceAllString(s, "[REDACTED-TOKEN]")
	// Fine-grained personal access tokens
	s = regexp.MustCompile(`\bgithub_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}\b`).ReplaceAllString(s, "[REDACTED-TOKEN]")
	// Bearer tokens in headers
	s = regexp.MustCompile(`Bearer [A-Za-z0-9_\-.]+`).ReplaceAllString(s, "Bearer [REDACTED]")
	// Authorization headers
	s = regexp.MustCompile(`Authorization: \S+`).ReplaceAllString(s, "Authorization: [REDACTED]")

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[kusari-inspector]

⚠️ Workspace Mapping Required

Hello! We noticed that your GitHub organization is not yet mapped to a Kusari workspace. Kusari Inspector now requires installations to be associated with a Kusari workspace.

⚠️ NOTE: Only the admin who installed the Kusari GitHub App can complete these steps. If the admin is unable to complete these steps, please contact support@kusari.dev

To complete the setup:

1. Visit https://console.us.kusari.cloud/auth/github and log in via github
2. If you have only one workspace, it will be automatically selected for you
3. Once the mapping is complete, return here and create a new comment with: @kusari-inspector re-run

This will trigger the analysis to run again.

For more information, or if you need help, visit https://github.com/kusaridev/community/discussions