diff --git a/test/lib/secret.test.ts b/test/lib/secret.test.ts
index 34cda3a8..f2c5c89e 100644
--- a/test/lib/secret.test.ts
+++ b/test/lib/secret.test.ts
@@ -1,7 +1,37 @@
 import { expect } from "chai";
 import { Secret } from "../../src/lib/secret";
 
-describe("secret", () => {
+describe("Secret.parse", () => {
+  it("disallows empty secrets", () => {
+    expect(() => Secret.parse("")).to.throw("Secret cannot be empty");
+  });
+
+  it("disallows scoped secrets", () => {
+    expect(() => Secret.parse("fn1234:foo")).to.throw(
+      "Secret cannot be scoped"
+    );
+  });
+});
+
+describe("Secret.parseFlag", () => {
+  it("disallows empty secrets", () => {
+    expect(() => Secret.parseFlag("")).to.throw("Secret cannot be empty");
+  });
+
+  it("allows scoped secrets", () => {
+    Secret.parseFlag("fn1234:foo");
+  });
+
+  it("disallows appending scopes to scoped secrets", () => {
+    const secret = Secret.parseFlag("fn1234:foo");
+
+    expect(() => secret.appendScope("bar")).to.throw(
+      "Cannot specify database with a secret that contains a database"
+    );
+  });
+});
+
+describe("Secret", () => {
   it("appends paths scoped secrets", () => {
     const secret = Secret.parse("fn1234");
     expect(secret.databaseScope).to.eql([]);
@@ -21,16 +51,6 @@ describe("secret", () => {
     expect(secret.databaseScope).to.eql(["foo", "bar"]);
   });
 
-  it("disallows empty secrets", () => {
-    expect(() => Secret.parse("")).to.throw("Secret cannot be empty");
-  });
-
-  it("disallows scoped secrets", () => {
-    expect(() => Secret.parse("fn1234:foo")).to.throw(
-      "Secret cannot be scoped"
-    );
-  });
-
   it("builds a secret with a role", () => {
     const secret = Secret.parse("fn1234");
     expect(secret.buildSecret()).to.equal("fn1234");