Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible false positives with aws-access-token rule #1049

Open
weineran opened this issue Dec 1, 2022 · 2 comments
Open

Possible false positives with aws-access-token rule #1049

weineran opened this issue Dec 1, 2022 · 2 comments
Labels
bug Something isn't working

Comments

@weineran
Copy link
Contributor

weineran commented Dec 1, 2022

Describe the bug
The aws-access-token rule detects IAM resource IDs.

The regex contains these prefixes: AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA

Those prefixes are associated with IAM resource IDs, which I believe are not actually sensitive info.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#:~:text=Understanding%20unique%20ID%20prefixes
image

To Reproduce
Steps to reproduce the behavior:

  • In AWS, go to IAM and create a new Role
  • Copy the name of your role.
  • Use the aws CLI to get your role:
aws iam get-role --role-name TestRole

{
    "Role": {
        "Path": "/",
        "RoleName": "TestRole",
        "RoleId": "AROAWORVRXQ5NC76T7223",
        "CreateDate": "2022-12-01T12:59:06+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                    },
                    "Action": "sts:AssumeRole",
                    "Condition": {}
                }
            ]
        },
        "Description": "Delete this after testing",
        "MaxSessionDuration": 3600,
        "RoleLastUsed": {}
    }
}
  • Copy the RoleId and add it to a file in your repo
  • Run gitleaks. e.g. gitleaks protect --verbose --staged

Expected behavior
I believe Gitleaks should not detect the RoleId as a secret, but it does.

Finding:     "RoleId": "AROAWORVRXQ5NC76T7223",
Secret:      AROAWORVRXQ5NC76T722
RuleID:      aws-access-token
Entropy:     3.684184
...

Also, interestingly, the RoleId is 17 characters after the "AROA" prefix. The aws-access-token regex only detects the first 16 characters. Is that intentional?

Screenshots
image

Basic Info (please complete the following information):

  • OS: Windows 10 Home (19044.2251)
  • Gitleaks Version: 8.15.1

Additional context
N/A

cc @zricethezav
@weineran weineran added the bug Something isn't working label Dec 1, 2022
@maltemorgenstern
Copy link
Contributor

We are also facing this issue in our repositories. There are some IAM Instance Profile and IAM Role definitions that (as far as I know) are not sensitive information after all.

We suppressed these findings globally by adjusting the aws-access-token rule using a custom gitleaks.toml:

title = "Custom gitleaks config"

[extend]
useDefault = true

[allowlist]
description = "Custom global allow lists"
paths = [
    '''gitleaks.toml''',
    '''(.*?)(jpg|gif|doc|docx|zip|xls|pdf|bin|svg|socket)$''',
    '''(go.mod|go.sum)$''',
    '''node_modules''',
    '''package-lock.json''',
    '''vendor''',
    '''gitleaks-allow''',
]

#######################
# Customized rules, based on https://github.com/zricethezav/gitleaks/blob/v8.16.0/config/gitleaks.toml
#######################

# Customizations:
# - Remove 'AGPA|AIDA|AROA|AIPA|ANPA|ANVA' to reduce false-positive findings
[[rules]]
description = "AWS"
id = "aws-access-token"
regex = '''(A3T[A-Z0-9]|AKIA|ASIA)[A-Z0-9]{16}'''
keywords = [
    "akia","asia",
]

This way we only get findings for Access Keys and STS Tokens.

If you think that this should be changed, I can create an pull request for that.

Regards
Malte

@ghost ghost mentioned this issue Dec 5, 2023
Merged
3 tasks
@zricethezav
Copy link
Collaborator

should be fixed with #1307

baruchiro added a commit to Checkmarx/gitleaks that referenced this issue Feb 22, 2024
@baruchiro
add tests to AWS rule, include false positives
dd56f01 
Fix gitleaks#1049
@baruchiro baruchiro mentioned this issue Feb 28, 2024
Open
3 tasks
@baruchiro baruchiro mentioned this issue Mar 28, 2024
Merged
3 tasks
baruchiro added a commit to Checkmarx/gitleaks that referenced this issue Mar 28, 2024
@baruchiro
feat: add aws-secret-key rule (#5)
bfa12e0 
### Description:
I fixes few issues (gitleaks#1049, gitleaks#1324, gitleaks#1337) and added a rule for AWS Secret
Key.

I renamed the `AWS()` function name to `AWSAccessKey()`, and changed the
`RuleID` too, which may lead to breaking changes ⚠️.

### Checklist:

* [x] Does your PR pass tests?
* [x] Have you written new tests for your changes?
* [x] Have you lint your code locally prior to submission?

Original: gitleaks#1356
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@weineran @zricethezav @maltemorgenstern