From 0c32c61436f21f3ef5e67937da2a5c03fd28e636 Mon Sep 17 00:00:00 2001
From: John-Paul Dakran
Date: Thu, 23 Jun 2022 08:50:28 -0700
Subject: [PATCH] Refactor aws access key regex to look for secret keywords in variable name to avoid false postives
---
 detect_secrets/plugins/aws.py | 10 +++++++++-
 tests/core/secrets_collection_test.py | 11 +++++++----
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/detect_secrets/plugins/aws.py b/detect_secrets/plugins/aws.py
index 23afd161..ee822b6f 100644
--- a/detect_secrets/plugins/aws.py
+++ b/detect_secrets/plugins/aws.py
@@ -22,13 +22,21 @@ class AWSKeyDetector(RegexBasedDetector):
 """Scans for AWS keys."""
 secret_type = 'AWS Access Key'
 
+ secret_keyword = r'(?:key|pwd|pw|password|pass|token)'
+
 denylist = (
 re.compile(r'AKIA[0-9A-Z]{16}'),
 
 # This examines the variable name to identify AWS secret tokens.
 # The order is important since we want to prefer finding `AKIA`-based
 # keys (since they can be verified), rather than the secret tokens.
- re.compile(r'aws.{0,20}?[\'\"]([0-9a-zA-Z/+]{40})[\'\"]'),
+
+ re.compile( r'aws.{{0,20}}?{secret_keyword}.{{0,20}}?[\'\"]([0-9a-zA-Z/+]{{40}})[\'\"]'.format( secret_keyword=secret_keyword, ), flags=re.IGNORECASE, ),
 )
 
 def verify( # type: ignore[override] # noqa: F821
diff --git a/tests/core/secrets_collection_test.py b/tests/core/secrets_collection_test.py
index 0fa43498..1f1fa3db 100644
--- a/tests/core/secrets_collection_test.py
+++ b/tests/core/secrets_collection_test.py
@@ -173,7 +173,7 @@ def test_merge():
 old_secrets = SecretsCollection()
 old_secrets.scan_file('test_data/each_secret.py')
- assert len(list(old_secrets)) >= 3 # otherwise, this test won't work.
+ assert len(list(old_secrets)) >= 4 # otherwise, this test won't work.
 
 index = 0
 for _, secret in old_secrets:
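Review bot: The alternation on the new `secret_keyword` line leaves out `secret`, so a 40-character value assigned to a name such as `AWS_SECRET` or `aws_secret` (no `key`/`token`/`pass` anywhere in the identifier) is no longer reported at all, which trades the false positives this commit targets for a false negative on one of the most common spellings of the secret access key. One token fixes it: `secret_keyword = r'(?:key|pwd|pw|password|pass|token|secret)'`. Note also that the keyword is not anchored, so `key` inside an unrelated identifier (e.g. `aws_monkey`) still satisfies the pattern; that is probably acceptable given the base64-like 40-char capture, but the intent deserves a comment next to the new `re.compile(` such as `# A bare 40-char value is too generic; require a credential-ish keyword between 'aws' and the value.`. The `verify` method whose signature closes the hunk continues outside it.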
@@ -188,7 +188,7 @@ def test_merge():
 
 new_secrets = SecretsCollection()
 new_secrets.scan_file('test_data/each_secret.py')
- list(new_secrets)[-1][1].is_secret = True
+ list(new_secrets)[-2][1].is_secret = True
 
 new_secrets.merge(old_secrets)
 
@@ -203,6 +203,9 @@ def test_merge():
 elif index == 2:
 assert secret.is_secret is True
 assert secret.is_verified is True
+ elif index == 3:
+ assert secret.is_secret is None
+ assert secret.is_verified is False
 
 index += 1
 
@@ -370,8 +373,8 @@ def test_basic(configure_plugins):
 assert secrets != baseline
 result = secrets - baseline
- assert len(result['test_data/each_secret.py']) == 2
- assert len(secrets['test_data/each_secret.py']) == 4
+ assert len(result['test_data/each_secret.py']) == 3
+ assert len(secrets['test_data/each_secret.py']) == 5
 
 @staticmethod
 def test_no_overlapping_files(configure_plugins):