#559: Refactor AWS Access Key Regex To Minimize False Positives #571

Merged
merged 1 commit into from
Jun 27, 2022
Merged
10 changes: 9 additions & 1 deletion detect_secrets/plugins/aws.py
Expand Up @@ -22,13 +22,21 @@ class AWSKeyDetector(RegexBasedDetector):
"""Scans for AWS keys."""
secret_type = 'AWS Access Key'

secret_keyword = r'(?:key|pwd|pw|password|pass|token)'

denylist = (
re.compile(r'AKIA[0-9A-Z]{16}'),

# This examines the variable name to identify AWS secret tokens.
# The order is important since we want to prefer finding `AKIA`-based
# keys (since they can be verified), rather than the secret tokens.
re.compile(r'aws.{0,20}?[\'\"]([0-9a-zA-Z/+]{40})[\'\"]'),

re.compile(
r'aws.{{0,20}}?{secret_keyword}.{{0,20}}?[\'\"]([0-9a-zA-Z/+]{{40}})[\'\"]'.format(
secret_keyword=secret_keyword,
),
flags=re.IGNORECASE,
),
)

def verify( # type: ignore[override] # noqa: F821
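Review bot: The keyword gate in the added `re.compile(...)` means an AWS secret whose variable name carries none of `key|pwd|pw|password|pass|token` is no longer reported, so an assignment like `aws_secret = '<40-char value>'` that the un-gated `aws.{0,20}?['"]...` pattern it replaces would have matched now goes undetected; if that narrowing is not intended, extend the alternation to `secret_keyword = r'(?:key|pwd|pw|password|pass|token|secret)'` and add a fixture line for it. The three-line comment above the pattern still describes only the old behaviour and should state the new precondition, e.g. `# A credential keyword (key, pwd, password, token, ...) must now sit between 'aws' and the quoted 40-char value, which cuts false positives on unrelated aws_* variables.` Note that `flags=re.IGNORECASE` also applies to the `aws` prefix, which the replaced pattern matched case-sensitively, so upper-case forms such as `AWS_SECRET_ACCESS_KEY = '...'` are newly covered and deserve a test case of their own. The class body continues outside the hunk.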
11 changes: 7 additions & 4 deletions tests/core/secrets_collection_test.py
Expand Up @@ -173,7 +173,7 @@ def test_success():
def test_merge():
old_secrets = SecretsCollection()
old_secrets.scan_file('test_data/each_secret.py')
assert len(list(old_secrets)) >= 3 # otherwise, this test won't work.
assert len(list(old_secrets)) >= 4 # otherwise, this test won't work.

index = 0
for _, secret in old_secrets:
Expand All @@ -188,7 +188,7 @@ def test_merge():

new_secrets = SecretsCollection()
new_secrets.scan_file('test_data/each_secret.py')
list(new_secrets)[-1][1].is_secret = True
list(new_secrets)[-2][1].is_secret = True

new_secrets.merge(old_secrets)

Expand All @@ -203,6 +203,9 @@ def test_merge():
elif index == 2:
assert secret.is_secret is True
assert secret.is_verified is True
elif index == 3:
assert secret.is_secret is None
assert secret.is_verified is False

index += 1

Expand Down Expand Up @@ -370,8 +373,8 @@ def test_basic(configure_plugins):
assert secrets != baseline

result = secrets - baseline
assert len(result['test_data/each_secret.py']) == 2
assert len(secrets['test_data/each_secret.py']) == 4
assert len(result['test_data/each_secret.py']) == 3
assert len(secrets['test_data/each_secret.py']) == 5

@staticmethod
def test_no_overlapping_files(configure_plugins):
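Review bot: The `elif index == 3` branch added in the third hunk asserts `is_secret is None` and `is_verified is False` without saying which finding sits at position 3, and the `[-1]` to `[-2]` change in the second hunk likewise encodes the new ordering of test_data/each_secret.py silently, so the next person who appends a secret to that fixture has to re-derive both offsets. A one-line comment at the new branch, `# index 3: the extra finding reported by the keyword-gated AWS regex; left unmarked and unverified`, and one beside `list(new_secrets)[-2][1].is_secret = True`, `# -2: mark the same entry as before; the newest AWS finding is now last`, would record the intent — I am inferring the identity of the added finding from the PR title, so confirm against the fixture before committing the wording. The `>= 4` guard in the first hunk could carry the same explanation instead of the generic "otherwise, this test won't work". test_merge and test_basic both continue outside their hunks.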