fix(secret): add sec and space to secret prefix for `aws-secret-acc…

…ess-key` (#5647)
aquasecurity · Nov 26, 2023 · 8ff574e · 8ff574e
1 parent ad977a4
commit 8ff574e
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 4 deletions.
diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
@@ -73,7 +73,7 @@ var (
 // Reusable regex patterns
 const (
 	quote       = `["']?`
-	connect     = `\s*(:|=>|=)\s*`
+	connect     = `\s*(:|=>|=)?\s*`
 	startSecret = `(^|\s+)`
 	endSecret   = `(\s+|$)`
 
@@ -105,7 +105,7 @@ var builtinRules = []Rule{
 		Category:        CategoryAWS,
 		Severity:        "CRITICAL",
 		Title:           "AWS Secret Access Key",
-		Regex:           MustCompile(fmt.Sprintf(`(?i)%s%s%s(secret)?_?(access)?_?key%s%s%s(?P<secret>[A-Za-z0-9\/\+=]{40})%s%s`, startSecret, quote, aws, quote, connect, quote, quote, endSecret)),
+		Regex:           MustCompile(fmt.Sprintf(`(?i)%s%s%s(sec(ret)?)?_?(access)?_?key%s%s%s(?P<secret>[A-Za-z0-9\/\+=]{40})%s%s`, startSecret, quote, aws, quote, connect, quote, quote, endSecret)),
 		SecretGroupName: "secret",
 		Keywords:        []string{"key"},
 	},

diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
@@ -401,6 +401,37 @@ func TestSecretScanner(t *testing.T) {
 			},
 		},
 	}
+	wantFinding10 := types.SecretFinding{
+		RuleID:    "aws-secret-access-key",
+		Category:  secret.CategoryAWS,
+		Title:     "AWS Secret Access Key",
+		Severity:  "CRITICAL",
+		StartLine: 5,
+		EndLine:   5,
+		Match:     `aws_sec_key "****************************************"`,
+		Code: types.Code{
+			Lines: []types.Line{
+				{
+					Number:      3,
+					Content:     "\"aws_account_ID\":'1234-5678-9123'",
+					Highlighted: "\"aws_account_ID\":'1234-5678-9123'",
+				},
+				{
+					Number:      4,
+					Content:     "AWS_example=AKIAIOSFODNN7EXAMPLE",
+					Highlighted: "AWS_example=AKIAIOSFODNN7EXAMPLE",
+				},
+				{
+					Number:      5,
+					Content:     "aws_sec_key \"****************************************\"",
+					Highlighted: "aws_sec_key \"****************************************\"",
+					IsCause:     true,
+					FirstCause:  true,
+					LastCause:   true,
+				},
+			},
+		},
+	}
 	wantFindingAsymmetricPrivateKeyJson := types.SecretFinding{
 		RuleID:    "private-key",
 		Category:  secret.CategoryAsymmetricPrivateKey,
@@ -548,7 +579,7 @@ func TestSecretScanner(t *testing.T) {
 			inputFilePath: filepath.Join("testdata", "aws-secrets.txt"),
 			want: types.Secret{
 				FilePath: filepath.Join("testdata", "aws-secrets.txt"),
-				Findings: []types.SecretFinding{wantFinding5, wantFinding9},
+				Findings: []types.SecretFinding{wantFinding5, wantFinding9, wantFinding10},
 			},
 		},
 		{

diff --git a/pkg/fanal/secret/testdata/aws-secrets.txt b/pkg/fanal/secret/testdata/aws-secrets.txt
@@ -1,4 +1,5 @@
 'AWS_secret_KEY'="12ASD34qwe56CXZ78tyH10Tna543VBokN85RHCas"
 AWS_ACCESS_KEY_ID=AKIA0123456789ABCDEF
 "aws_account_ID":'1234-5678-9123'
-AWS_example=AKIAIOSFODNN7EXAMPLE
+AWS_example=AKIAIOSFODNN7EXAMPLE
+aws_sec_key "KEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYK"