fix(security): multline secrets trivially transformed are redacted

A multiline secret transformed into a single line by replacing
with \ followed by n is also redacted.

internal/pkg/report/mask.go

@@ -36,13 +36,16 @@ func (o *masker) add(secret string) {
 		slices.SortFunc(o.multiLines, func(a, b []string) int {
 			return cmp.Compare(len(b), len(a))
 		})
-	} else {
+		// a multiline secret transformed into a single line by replacing
-		o.lines = append(o.lines, lines[0])
+		// newlines with \ followed by n must also be redacted
-		// make sure the longest secret are replaced first
+		secret = strings.Join(lines, "\\n")
-		slices.SortFunc(o.lines, func(a, b string) int {
-			return cmp.Compare(len(b), len(a))
-		})
 	}
+
+	o.lines = append(o.lines, secret)
+	// make sure the longest secret are replaced first
+	slices.SortFunc(o.lines, func(a, b string) int {
+		return cmp.Compare(len(b), len(a))
+	})
 }
 
 func (o *masker) getReplacer() *strings.Replacer {

internal/pkg/report/mask_test.go

@@ -41,6 +41,19 @@ SIX`
 			out:      "line before\n***\n***\n***\nline after\n",
 			needMore: false,
 		},
+		{
+			//
+			// a multiline secret where newlines are represented
+			// as \ followed by n is masked
+			//
+			name: "MultilineTransformedIsMasked",
+			secrets: []string{
+				multiLineOne,
+			},
+			in:       fmt.Sprintf("line before\n%[1]s\\nTWO\\nTHREE\nline after", lineOne),
+			out:      "line before\n***\nline after\n",
+			needMore: false,
+		},
 		{
 			//
 			// in a multiline secret \r\n is equivalent to \n and does