gosec
criteria for adding new secret patterns versus relying on high entropy detection
Summary
I wanted to add an explicit check for Artifactory API tokens; however, gosec's high entropy string detection also caught the samples I tried. Is there a criterion for choosing when to add a hardcoded secret pattern versus relying on high entropy detection? As an example, gosec does have hardcoded secret patterns for AWS API keys, but the entropy checker detects this secret before the secret pattern check happens. Thanks
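To make the overlap the question describes concrete, here is a stand-alone Go example (added for this page, not gosec's own G101 code; gosec computes its score differently and has its own thresholds) that runs a format pattern and a per-character Shannon entropy check side by side over a few constructed candidate literals. The `perCharThreshold` of 3.0 bits and the `minLen` of 16 are assumptions chosen for the illustration; the AWS access key ID regex is the commonly used `AKIA`/`ASIA` prefix shape, simplified, and no Artifactory pattern is included because the example does not assume a specific token format.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding records what each detector said about one candidate string.
type Finding struct {
	Value       string
	PatternName string  // empty when no format pattern matched
	EntropyBits float64 // Shannon entropy in bits per character
	HighEntropy bool    // true when the entropy detector would flag it
}

// namedPattern is a credential format with a stable name so a finding can
// report the credential type, not just "looks random".
type namedPattern struct {
	name string
	re   *regexp.Regexp
}

// patterns is a slice (not a map) so matching order is deterministic.
// Only the simplified AWS access key ID shape is included; a token with a
// fixed, distinctive prefix would be added here in the same way.
var patterns = []namedPattern{
	{"aws-access-key-id", regexp.MustCompile(`\b(AKIA|ASIA)[0-9A-Z]{16}\b`)},
}

// ShannonEntropy returns the entropy of s in bits per character.
func ShannonEntropy(s string) float64 {
	if len(s) == 0 {
		return 0
	}
	counts := map[rune]int{}
	n := 0
	for _, r := range s {
		counts[r]++
		n++
	}
	var h float64
	for _, c := range counts {
		p := float64(c) / float64(n)
		h -= p * math.Log2(p)
	}
	return h
}

// Classify runs both detectors over one candidate literal. The entropy
// detector needs a length floor: short natural-language strings can exceed
// 3 bits/char simply because most characters are distinct.
func Classify(s string, perCharThreshold float64, minLen int) Finding {
	f := Finding{Value: s, EntropyBits: ShannonEntropy(s)}
	for _, p := range patterns {
		if p.re.MatchString(s) {
			f.PatternName = p.name
			break
		}
	}
	f.HighEntropy = len(s) >= minLen && f.EntropyBits >= perCharThreshold
	return f
}

func main() {
	// Constructed samples: the AWS docs placeholder key, a random-looking hex
	// digest, a structurally valid but degenerate key, and plain text.
	samples := []string{
		"AKIAIOSFODNN7EXAMPLE",
		"9f86d081884c7d659a2feaa0c55ad015",
		"AKIA" + strings.Repeat("A", 16),
		"Hello, world!",
	}
	for _, s := range samples {
		f := Classify(s, 3.0, 16)
		fmt.Printf("%-34s pattern=%-18q entropy=%.2f high=%v\n",
			f.Value, f.PatternName, f.EntropyBits, f.HighEntropy)
	}
}
```

The four samples land in each quadrant: the AWS placeholder key is caught by both detectors (which is the overlap the question observes), the hex digest is caught only by entropy, the degenerate `AKIA...` key is caught only by the pattern, and the plain text is caught by neither. That split is the usual criterion: entropy gives recall on formats nobody wrote a rule for, while a pattern gives precision, names the credential type in the finding, needs no threshold tuning, and still fires on short or low-entropy instances (test fixtures, padded keys) that the entropy check skips. When a token has a fixed, distinctive prefix or layout, a pattern is worth adding even if entropy already catches the typical samples.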