False positives in heroku API key #3733

@directionless

Description

Describe the bug

The heroku API key regexp is quite broad. It will trigger on any line that has "heroku" and a uuid. I imagine this is looking for environment KEY/VALUE pairs, but it pretty easily runs afoul of anything relating to heroku stored in json.

For example, I have some archived dataclips, and a snippet of the metadata looks like:

s = '"url":"https://data-api.heroku.com/dataclips/zzjmfvodnuesahmgggrggsbgxeqm.json.gz","latest_result_checksum":"9426d595c8188285c92e3115bf196526","latest_result_at":"2024-07-03T16:26:04.730Z","latest_result_size":5600,"creator_id":"99511235-ea18-409e-b0a6-880ff97d3a82"'

You can see there's a heroku URL, and then several key pairs later, there's a UUID. This incorrectly triggers.

To Reproduce

s = '"url":"https://data-api.heroku.com/dataclips/zzjmfvodnuesahmgggrggsbgxeqm.json.gz","latest_result_checksum":"9426d595c8188285c92e3115bf196526","latest_result_at":"2024-07-03T16:26:04.730Z","latest_result_size":5600,"creator_id":"99511235-ea18-409e-b0a6-880ff97d3a82"'

Expected behavior
This is not an API key, and should not trigger like one.

Priority
How important is this to you?

  • P0: blocking me from making progress
  • P1: this will block me in the near future
  • P2: annoying but not blocking me

Additional Context

I can work around this by adding line breaks to my JSON. But that's clearly a workaround.
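As an added illustration (this is not code from the gitleaks project, and neither pattern below is the project's actual rule), the following Go program reproduces the over-broad behaviour described above with an approximate pattern that accepts "heroku" anywhere on a line followed by a UUID at any distance, and contrasts it with a hypothetical tighter pattern that requires the UUID to be the value of a heroku-named key. The dataclip line is the snippet quoted in this issue; the env-style and JSON config lines are constructed, and the UUID in them is the same fake one copied from the issue. Go's regexp is RE2, the same engine gitleaks uses, so only RE2 syntax is used.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed inputs for the example (not from the project's test suite).
// dataclipLine is the metadata snippet quoted in the issue: the word "heroku"
// appears inside a URL and an unrelated UUID appears several fields later.
const dataclipLine = `"url":"https://data-api.heroku.com/dataclips/zzjmfvodnuesahmgggrggsbgxeqm.json.gz","latest_result_checksum":"9426d595c8188285c92e3115bf196526","latest_result_at":"2024-07-03T16:26:04.730Z","latest_result_size":5600,"creator_id":"99511235-ea18-409e-b0a6-880ff97d3a82"`

// Two shapes a real leaked key would take (fake UUID copied from the issue so
// the example stays self-contained): an env-style assignment and a JSON config
// entry where the key name itself mentions heroku.
const envLine = `HEROKU_API_KEY=99511235-ea18-409e-b0a6-880ff97d3a82`
const jsonLine = `{"heroku_api_key":"99511235-ea18-409e-b0a6-880ff97d3a82","region":"us"}`

// RFC 4122-shaped UUID: 8-4-4-4-12 hex groups.
const uuidPattern = `[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}`

// broadRule models the over-broad behaviour the issue describes: "heroku"
// anywhere on the line, then a UUID at any distance. It is an approximation
// written for this example, not the project's actual rule.
var broadRule = regexp.MustCompile(`(?i)heroku.*?(` + uuidPattern + `)`)

// tightRule is a hypothetical narrower shape: the UUID must be the value of an
// identifier that contains "heroku". Only a short run of identifier characters,
// an optional quote, and an assignment or JSON separator may sit between the
// keyword and the UUID, so a URL host like data-api.heroku.com cannot bridge
// to a UUID several fields away.
var tightRule = regexp.MustCompile(`(?i)heroku[a-z0-9_\-]{0,20}["']?\s*[=:]\s*["']?(` + uuidPattern + `)`)

// FindHerokuKey returns the UUID captured by re on line, or "" if the rule
// does not fire.
func FindHerokuKey(re *regexp.Regexp, line string) string {
	m := re.FindStringSubmatch(line)
	if m == nil {
		return ""
	}
	return m[1]
}

func main() {
	cases := []struct{ name, line string }{
		{"dataclip metadata (should not fire)", dataclipLine},
		{"env assignment (should fire)", envLine},
		{"json config (should fire)", jsonLine},
	}
	for _, c := range cases {
		fmt.Printf("%-36s broad=%q tight=%q\n", c.name,
			FindHerokuKey(broadRule, c.line), FindHerokuKey(tightRule, c.line))
	}
}
```

Run with `go run .`: the broad pattern reports the creator_id UUID on the dataclip line while the tight pattern stays silent there and still fires on both true-positive shapes. The design point is that bounding the distance between the keyword and the secret, and requiring an assignment or separator between them, is what removes this class of false positive without relying on line breaks in the scanned file.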

Labels: bug