
fix(postgres): honor ignore tags for default port URLs#4968

Open
Dawn-Fighter wants to merge 4 commits into trufflesecurity:main from Dawn-Fighter:fix/postgres-ignore-default-port

Conversation


@Dawn-Fighter Dawn-Fighter commented May 15, 2026

Summary

  • Preserve the original Postgres URI match as the primary secret so line-offset and ignore-tag handling use the source text.
  • Add regression coverage for trufflehog:ignore on Postgres URLs that omit the explicit port and are normalized to :5432.

Tests

  • go test ./pkg/detectors/postgres ./pkg/engine
  • make test-community
  • make lint
  • go run ./hack/checksecretparts -fail ./pkg/detectors
  • make man && git diff --exit-code docs/man/trufflehog.1

Addresses #4962.


Note

Low Risk
Localized detector and test changes; behavior improves ignore/line matching without altering verification or connection logic.

Overview
The Postgres detector now keeps the exact URI substring from the scanned file as the primary secret, while Raw / RawV2 stay in the normalized connection form (including default port :5432). That aligns Postgres with how other detectors use primary secrets so the engine can find the right line and honor trufflehog:ignore on the text that actually appears in the source.

findUriMatches returns a small uriMatch wrapper (parsed params plus rawURI) instead of only parameter maps. Regression tests cover primary vs normalized values and an engine case where ignoring a URL without an explicit port still works after normalization.

Reviewed by Cursor Bugbot for commit ddd94fc. Bugbot is set up for automated code reviews on this repo.
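The normalization problem described in the overview, as an added example in Go that is not trufflehog's own code: the detector's real regex, its uriMatch wrapper and the engine's line lookup are replaced by simplified stand-ins, and `findURIMatches`, `addDefaultPort` and `isIgnored` are hypothetical names.

```go
// Added example, not trufflehog's code: a toy model of the bug this PR fixes. The
// engine finds the secret's line (and any ignore tag) by locating the secret in the
// scanned text; a URI normalized to include :5432 is absent there, so the tag is missed.
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// normalized is the Raw/RawV2 form; rawURI is the exact source text (primary secret).
type uriMatch struct{ normalized, rawURI string }
var postgresURI = regexp.MustCompile(`postgres(?:ql)?://[^\s'"]+`) // simplified pattern

// findURIMatches normalizes each match but also keeps the raw text, as the PR does.
func findURIMatches(data string) []uriMatch {
	var out []uriMatch
	for _, raw := range postgresURI.FindAllString(data, -1) {
		out = append(out, uriMatch{addDefaultPort(raw), raw})
	}
	return out
}

// addDefaultPort appends :5432 when the URI has no explicit port.
func addDefaultPort(uri string) string {
	u, err := url.Parse(uri)
	if err != nil || u.Port() != "" {
		return uri // unparsable or port already explicit: leave unchanged
	}
	u.Host += ":5432"
	return u.String()
}

// isIgnored locates secret in data and checks its line for a trufflehog:ignore tag.
// A secret not present verbatim (the normalized URI) is never found, so it is false.
func isIgnored(data, secret string) bool {
	idx := strings.Index(data, secret)
	if idx < 0 {
		return false
	}
	line, _, _ := strings.Cut(data[idx:], "\n")
	return strings.Contains(line, "trufflehog:ignore")
}

func main() { // constructed sample: port omitted, ignore tag on the same line
	data := "DB_URL=postgres://app:s3cret@db.internal/prod # trufflehog:ignore\n"
	m := findURIMatches(data)[0]
	fmt.Println(isIgnored(data, m.normalized), isIgnored(data, m.rawURI)) // false true
}
```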

@Dawn-Fighter Dawn-Fighter requested a review from a team May 15, 2026 17:07
@Dawn-Fighter Dawn-Fighter requested review from a team as code owners May 15, 2026 17:07

CLAassistant commented May 15, 2026

CLA assistant check
All committers have signed the CLA.

@gugacyber

Fix is correct and well-scoped. The root cause is clear: findUriMatches was normalizing the URI (adding :5432) before returning it, so the raw text used for ignore-tag line matching no longer corresponded to what was in the source file.
The uriMatch struct is the right abstraction — keeps params and rawURI together without leaking the raw string into unrelated code paths.
One minor observation: SetPrimarySecretValue(candidateURI.rawURI) sets the primary secret to the raw URI, but Raw and RawV2 are still set to the normalized raw value a few lines above. For ignore-tag matching this is fine since SetPrimarySecretValue is what drives line offset lookup, but worth confirming that having Raw != primary secret value doesn't break any downstream consumers that assume they're the same.

@Dawn-Fighter
Author

Thank you for the review, will do and commit again.

@Dawn-Fighter
Author

I have committed again with your comment in mind. Please review and respond @gugacyber

@gugacyber

The new TestPostgres_RawVsPrimarySecret test addresses exactly the concern I raised — it explicitly asserts that Raw/RawV2 hold the normalized form while GetPrimarySecretValue() returns the original source text, and the comment in the code explains the design decision clearly.
The approach is correct and well-documented. LGTM. Congrats on the fix!

@Dawn-Fighter
Author

Thank you.

@Dawn-Fighter Dawn-Fighter requested a review from a team May 28, 2026 09:37
