False Positive: AWS Access Key for aws:cdk:path #559
Labels: enhancement, false positives, P4, selected
Background
I have been using detect-secrets and absolutely love it! Particularly, I use it via checkov, which scans AWS CloudFormation templates (among other things). I am using the AWS CDK to generate my CloudFormation, which adds some metadata.
The Problem
Some CDK metadata in CloudFormation can trigger a false positive on AWSKeyDetector. The offending regex is at detect-secrets/detect_secrets/plugins/aws.py, line 31 in 3c8ee74.
Two examples I have that were from valid generated CloudFormation (from cdk) are:
"aws:cdk:path": "VaDataVaultCdkPoc/rBucketKeyCdk/Resource"
"aws:cdk:path": "AuroraRdsStack/DbCluster/Subnets/Default"
The Solution
I am not quite sure, in part because I don't have all the context behind the validity of this regex when it was originally introduced/sourced from a third party.
Final Thoughts
I am willing to make a contribution if someone has a good idea on how to change this to be effective, but still not alert on the scenarios I have put above. Otherwise if someone has a good idea, go for it!
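Why the two reported values trip a key-shaped rule, as an added example that is not part of the original issue or of the detect-secrets code base: both strings are exactly 40 characters from the base64 alphabet, which is the shape of an AWS secret access key. The pattern, the `triage` function, the resource names and the sample template are assumptions made for illustration; the check suppresses only the `aws:cdk:path` slot directly under a resource's `Metadata` block and leaves every other key-shaped value for review.

```python
import json
import re

# Assumption: only the general shape of an AWS secret access key
# (40 characters from the base64 alphabet). This is not the regex in aws.py.
SECRET_SHAPE = re.compile(r'[0-9a-zA-Z/+]{40}')
CDK_PATH_KEY = 'aws:cdk:path'


def string_leaves(node, parents=()):
    """Yield (parents, key, value) for every string value in parsed JSON."""
    items = node.items() if isinstance(node, dict) else enumerate(node)
    for key, value in items:
        if isinstance(value, str):
            yield parents, key, value
        elif isinstance(value, (dict, list)):
            yield from string_leaves(value, parents + (key,))


def triage(template_text):
    """Return {json_path: verdict} for values shaped like a secret key."""
    verdicts = {}
    for parents, key, value in string_leaves(json.loads(template_text)):
        if not SECRET_SHAPE.fullmatch(value):
            continue
        pointer = '/'.join(str(p) for p in parents + (key,))
        # Suppress only the exact CDK construct-path slot: a key named
        # aws:cdk:path sitting directly under a resource's Metadata block.
        is_cdk_path = (
            key == CDK_PATH_KEY and len(parents) == 3
            and parents[0] == 'Resources' and parents[2] == 'Metadata'
        )
        verdicts[pointer] = 'cdk-path-metadata' if is_cdk_path else 'review'
    return verdicts


# Constructed template: the two Metadata values are the ones from the report;
# resource names and the 40-character environment value are made up.
SAMPLE = json.dumps({'Resources': {
    'KeyResource': {'Metadata': {
        CDK_PATH_KEY: 'VaDataVaultCdkPoc/rBucketKeyCdk/Resource'}},
    'SubnetGroup': {'Metadata': {
        CDK_PATH_KEY: 'AuroraRdsStack/DbCluster/Subnets/Default'}},
    'Function': {'Properties': {'Environment': {'Variables': {
        'AWS_SECRET': 'A1b2' * 10}}}},
}})

if __name__ == '__main__':
    for pointer, verdict in triage(SAMPLE).items():
        print(f'{verdict:18} {pointer}')
```

A positional suppression like this skips whatever sits in that slot, so it belongs alongside the scanner's findings as a triage step rather than as a replacement for them.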