Possible false positives with aws-access-token rule #1049
Comments
We are also facing this issue in our repositories. There are some We suppressed these findings globally by adjusting the

```toml
title = "Custom gitleaks config"

[extend]
useDefault = true

[allowlist]
description = "Custom global allow lists"
paths = [
  '''gitleaks.toml''',
  '''(.*?)(jpg|gif|doc|docx|zip|xls|pdf|bin|svg|socket)$''',
  '''(go.mod|go.sum)$''',
  '''node_modules''',
  '''package-lock.json''',
  '''vendor''',
  '''gitleaks-allow''',
]

#######################
# Customized rules, based on https://github.com/zricethezav/gitleaks/blob/v8.16.0/config/gitleaks.toml
#######################
# Customizations:
# - Remove 'AGPA|AIDA|AROA|AIPA|ANPA|ANVA' to reduce false-positive findings
[[rules]]
description = "AWS"
id = "aws-access-token"
regex = '''(A3T[A-Z0-9]|AKIA|ASIA)[A-Z0-9]{16}'''
keywords = [
  "akia","asia",
]
```

This way we only get findings for If you think that this should be changed, I can create a pull request for that.

Regards
should be fixed with #1307
### Description:
I fixed a few issues (gitleaks#1049, gitleaks#1324, gitleaks#1337) and added a rule for AWS Secret Key. I renamed the `AWS()` function to `AWSAccessKey()` and changed the `RuleID` too, which may lead to breaking changes ⚠️.
### Checklist:
* [x] Does your PR pass tests?
* [x] Have you written new tests for your changes?
* [x] Have you linted your code locally prior to submission?
Original: gitleaks#1356
Describe the bug
The `aws-access-token` rule detects IAM resource IDs. The regex contains these prefixes:
`AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA`
Those prefixes are associated with IAM resource IDs, which I believe are not actually sensitive info.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#:~:text=Understanding%20unique%20ID%20prefixes
To Reproduce
Steps to reproduce the behavior:
`aws` CLI to get your role:
`gitleaks protect --verbose --staged`
Expected behavior
I believe Gitleaks should not detect the RoleId as a secret, but it does.
Also, interestingly, the RoleId is 17 characters after the "AROA" prefix. The aws-access-token regex only detects the first 16 characters. Is that intentional?
Additional context
N/A
cc @zricethezav
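To make the false positive concrete, here is an added Go example (not code from the issue, the comment, or gitleaks itself) that runs the default prefix list quoted in the bug report and the narrowed `AKIA|ASIA` pattern from the custom config comment against a few constructed sample lines. The default pattern is reconstructed from the issue's prefix list and is an assumption; the sample IDs are made up, apart from the access key ID that AWS uses in its own documentation.

```go
package main

import (
	"fmt"
	"regexp"
)

// Default rule pattern, reconstructed (assumption) from the prefix list quoted
// in the issue; the comment's custom rule is the same pattern minus the IAM prefixes.
const defaultRuleRegex = `(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}`

// Narrowed pattern from the custom gitleaks.toml in the comment above:
// only access-key prefixes (A3T, AKIA, ASIA) are kept.
const narrowedRuleRegex = `(A3T[A-Z0-9]|AKIA|ASIA)[A-Z0-9]{16}`

var (
	defaultRule  = regexp.MustCompile(defaultRuleRegex)
	narrowedRule = regexp.MustCompile(narrowedRuleRegex)
)

// Constructed sample lines. The access key ID is AWS's documentation example,
// not a real credential; the IAM unique IDs are made up, with the 17 characters
// after the prefix that the issue describes (21 characters in total).
var sampleLines = []string{
	`aws_access_key_id = AKIAIOSFODNN7EXAMPLE`,
	`"RoleId": "AROAEXAMPLEEXAMPLE123"`,
	`"UserId": "AIDAEXAMPLEEXAMPLE123"`,
	`arn:aws:iam::123456789012:role/deploy`,
}

// scan returns the first match of rule on each line that has one, in line order,
// mirroring what a regex-based secret scanner would report for each line.
func scan(rule *regexp.Regexp, lines []string) []string {
	var findings []string
	for _, line := range lines {
		if m := rule.FindString(line); m != "" {
			findings = append(findings, m)
		}
	}
	return findings
}

func main() {
	// The default rule flags the role and user IDs (truncated to 16 characters
	// after the prefix); the narrowed rule reports only the access key ID.
	fmt.Println("default rule :", scan(defaultRule, sampleLines))
	fmt.Println("narrowed rule:", scan(narrowedRule, sampleLines))
}
```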