Merge pull request #796 from mikedidomizio/improve-aws-key-id-detection

Improve AWS access key detection
Yelp · Apr 12, 2024 · cd77447 · cd77447
2 parents 42e6773 + 2ff569a
commit cd77447
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/detect_secrets/plugins/aws.py b/detect_secrets/plugins/aws.py
@@ -25,10 +25,10 @@ class AWSKeyDetector(RegexBasedDetector):
     secret_keyword = r'(?:key|pwd|pw|password|pass|token)'
 
     denylist = (
-        re.compile(r'AKIA[0-9A-Z]{16}'),
+        re.compile(r'(?:A3T[A-Z0-9]|ABIA|ACCA|AKIA|ASIA)[0-9A-Z]{16}'),
 
         # This examines the variable name to identify AWS secret tokens.
-        # The order is important since we want to prefer finding `AKIA`-based
+        # The order is important since we want to prefer finding access
         # keys (since they can be verified), rather than the secret tokens.
 
         re.compile(

diff --git a/tests/plugins/aws_key_test.py b/tests/plugins/aws_key_test.py
@@ -32,6 +32,22 @@ def setup(self):
                 'AKIAZZZ',
                 False,
             ),
+            (
+                'A3T0ZZZZZZZZZZZZZZZZ',
+                True,
+            ),
+            (
+                'ABIAZZZZZZZZZZZZZZZZ',
+                True,
+            ),
+            (
+                'ACCAZZZZZZZZZZZZZZZZ',
+                True,
+            ),
+            (
+                'ASIAZZZZZZZZZZZZZZZZ',
+                True,
+            ),
             (
                 'aws_access_key = "{}"'.format(EXAMPLE_SECRET),
                 True,