
Remove IAM identifiers for non-credential resources in the aws-access-token rule #1307

Merged
merged 4 commits into from Jan 31, 2024

Conversation

kieran-smith-itv
Contributor

@kieran-smith-itv kieran-smith-itv commented Dec 5, 2023

Description:

The purpose of this PR is to reduce the number of False Positive detections by the aws-access-token rule. This PR addresses issue #1049.

The regex for aws-access-token has been updated to only catch:

  • AWS STS service bearer token (ABIA)
  • Context-specific credential (ACCA)
  • Access key (AKIA)
  • Temporary access key IDs (ASIA)

The following unique IDs are now ignored:

  • User group (AGPA)
  • IAM user (AIDA)
  • IAM role (AROA)
  • Amazon EC2 instance profile (AIPA)
  • Managed policy (ANPA)
  • Version in a managed policy (ANVA)

Checklist:

  • Does your PR pass tests?
  • Have you written new tests for your changes?
  • Have you linted your code locally prior to submission?

Only detects:

  • AWS STS service bearer token
  • Context-specific credential
  • Access key
  • Temporary (AWS STS) access key IDs use this prefix, but are unique only in combination with the secret access key and the session token.
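As an added illustration of the change described above (not the project's own rule text, which lives in gitleaks' TOML config), the Go program below matches only the four credential prefixes the PR keeps, leaves the six IAM resource prefixes alone, and runs over constructed sample lines; the regex, function names and sample values are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed pattern following the PR's description: only the four prefixes that
// denote credentials, followed by the 16 upper-case alphanumerics of a key ID.
var awsAccessKeyID = regexp.MustCompile(`\b((?:ABIA|ACCA|AKIA|ASIA)[A-Z0-9]{16})\b`)

// IAM unique-ID prefixes that name resources, not secrets (the PR's ignore list).
var iamResourcePrefixes = map[string]string{
	"AGPA": "user group", "AIDA": "IAM user", "AROA": "IAM role",
	"AIPA": "EC2 instance profile", "ANPA": "managed policy", "ANVA": "managed policy version",
}

// FindAccessKeyIDs returns every credential-style access key ID found in text.
func FindAccessKeyIDs(text string) []string {
	var found []string
	for _, m := range awsAccessKeyID.FindAllStringSubmatch(text, -1) {
		found = append(found, m[1])
	}
	return found
}

// ResourceKind names what an ignored IAM unique ID refers to ("" if not on the list).
func ResourceKind(id string) string {
	if len(id) < 4 {
		return ""
	}
	return iamResourcePrefixes[id[:4]]
}

// sampleLines are constructed inputs; none is a real credential.
var sampleLines = []string{
	`aws_access_key_id = AKIAEXAMPLE000000001`,
	`"Principal": {"AWS": "AROAEXAMPLE000000002"}`,
	`UserId: AIDAEXAMPLE000000003`,
	`GroupId: AGPAEXAMPLE000000004`,
	`AWS_ACCESS_KEY_ID=ASIAEXAMPLE000000005 AWS_SESSION_TOKEN=...`,
}

func main() {
	for _, id := range FindAccessKeyIDs(strings.Join(sampleLines, "\n")) {
		fmt.Println("finding:", id) // only the AKIA and ASIA values are reported
	}
}
```

Running it reports the AKIA and ASIA values and nothing for the AROA, AIDA and AGPA lines, which is exactly the false-positive class the PR removes.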
@zricethezav
Collaborator

Hey @kieran-smith-itv, thanks for the PR. These changes make sense to me.

@zricethezav zricethezav merged commit 76c9e31 into gitleaks:master Jan 31, 2024
1 check passed
quotengrote pushed a commit to quotengrote/miniflux-filter that referenced this pull request Feb 1, 2024
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [zricethezav/gitleaks](https://github.com/gitleaks/gitleaks) | patch | `v8.18.1` -> `v8.18.2` |

---

> ⚠ **Warning**
>
> Some dependencies could not be looked up. Check the warning logs for more information.

---

### Release Notes

<details>
<summary>gitleaks/gitleaks (zricethezav/gitleaks)</summary>

### [`v8.18.2`](https://github.com/gitleaks/gitleaks/releases/tag/v8.18.2)

[Compare Source](gitleaks/gitleaks@v8.18.1...v8.18.2)

#### Changelog

-   [`ac4b514`](gitleaks/gitleaks@ac4b514) removed gitleaks user from Dockerfile ([#1313](gitleaks/gitleaks#1313))
-   [`76c9e31`](gitleaks/gitleaks@76c9e31) Remove IAM identifiers for non-credential resources in the aws-access-token rule ([#1307](gitleaks/gitleaks#1307))
-   [`afe046b`](gitleaks/gitleaks@afe046b) Update stripe rule to not alert on publishable keys ([#1320](gitleaks/gitleaks#1320))
-   [`8b8920d`](gitleaks/gitleaks@8b8920d) --max-target-megabytes flag now supported for --no-git flag as well ([#1330](gitleaks/gitleaks#1330))
-   [`a59289c`](gitleaks/gitleaks@a59289c) add pre-commit hook gitleaks-system ([#1225](gitleaks/gitleaks#1225))
-   [`870194b`](gitleaks/gitleaks@870194b) fix errors when using protect and an external git diff tool ([#1318](gitleaks/gitleaks#1318))
-   [`179c607`](gitleaks/gitleaks@179c607) rename filesystem to directory ([#1317](gitleaks/gitleaks#1317))
-   [`8de8938`](gitleaks/gitleaks@8de8938) Enhance Secret Descriptions ([#1300](gitleaks/gitleaks#1300))
-   [`ca7aa14`](gitleaks/gitleaks@ca7aa14) Small refactor `detect` and `sources` ([#1297](gitleaks/gitleaks#1297))
-   [`01e60c8`](gitleaks/gitleaks@01e60c8) chore(config): refactor to go generate; simplify configRules init ([#1295](gitleaks/gitleaks#1295))
-   [`54f5f04`](gitleaks/gitleaks@54f5f04) forgot symlinks
-   [`221d5c4`](gitleaks/gitleaks@221d5c4) pretty apparent 'protect' and 'detect' should be merged into one command ([#1294](gitleaks/gitleaks#1294))
-   [`128b50f`](gitleaks/gitleaks@128b50f) style: sort the stopwords ([#1289](gitleaks/gitleaks#1289))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---


---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.mgrote.net/container-images/miniflux-filter/pulls/17
Co-authored-by: Renovate Bot <renovate@mgrote.net>
Co-committed-by: Renovate Bot <renovate@mgrote.net>