Please check if the PR fulfills these requirements
[X] Tests for the changes have been added
[ ] Docs have been added / updated
[X] All CI checks are green
What kind of change does this PR introduce?
Updates the pattern for matching different types of AWS access keys
What is the current behavior?
It currently only flags access keys that are prefixed with AKIA. AWS access keys can come in a few different formats, and without this change they would go undetected.
Here is a list from AWS of different prefixes and what they are.
For instance ASIA is for temporary service token.
This:
export const KEY="ASIAZZZZZZZZZZZZZZZZ"
would be flagged by
git-secrets
```shell
git-secrets.js:1:export const KEY="ASIAZZZZZZZZZZZZZZZZ"
[ERROR] Matched one or more prohibited patterns
Possible mitigations:
- Mark false positives as allowed using: git config --add secrets.allowed ...
- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
- List your configured patterns: git config --get-all secrets.patterns
- List your configured allowed patterns: git config --get-all secrets.allowed
- List your configured allowed patterns in .gitallowed at repository's root directory
- Use --no-verify if this is a one-time false positive
```
What is the new behavior (if this is a feature change)?
It will flag other related AWS access keys one would probably want to be notified about.
Does this PR introduce a breaking change?
No
Other information:
This is the same pattern used in gitleaks (although pattern changed to be in alphabetical order), but not as detailed as git-secrets. The gitleaks pattern makes the most sense to me. It doesn't include every variation as explained here, just the ones that make sense.
Please check if the PR fulfills these requirements
[X] Tests for the changes have been added
[ ] Docs have been added / updated
[X] All CI checks are green
What kind of change does this PR introduce?
Updates the pattern for matching different types of AWS access keys
It currently only flags access keys that are prefixed with
AKIA
. AWS access keys can come in a few different formats, and without this change they would go undetected.Here is a list from AWS of different prefixes and what they are.
For instance
ASIA
is for temporary service token.This:
would be flagged by
git-secrets
```shell git-secrets.js:1:export const KEY="ASIAZZZZZZZZZZZZZZZZ" [ERROR] Matched one or more prohibited patterns Possible mitigations: - Mark false positives as allowed using: git config --add secrets.allowed ... - Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory - List your configured patterns: git config --get-all secrets.patterns - List your configured allowed patterns: git config --get-all secrets.allowed - List your configured allowed patterns in .gitallowed at repository's root directory - Use --no-verify if this is a one-time false positive ```and by
gitleaks
```shell ○ │╲ │ ○ ○ ░ ░ gitleaks Finding: export const KEY="ASIAZZZZZZZZZZZZZZZZ Secret: ASIAZZZZZZZZZZZZZZZZ RuleID: aws-access-token Entropy: 3.621928 File: git-secrets.js Line: 1 Fingerprint: git-secrets.js:aws-access-token:1 ```but not
detect-secrets
```shell { "version": "1.4.0", "plugins_used": [ { "name": "ArtifactoryDetector" }, { "name": "AWSKeyDetector" }, { "name": "AzureStorageKeyDetector" }, { "name": "Base64HighEntropyString", "limit": 4.5 }, { "name": "BasicAuthDetector" }, { "name": "CloudantDetector" }, { "name": "DiscordBotTokenDetector" }, { "name": "GitHubTokenDetector" }, { "name": "HexHighEntropyString", "limit": 3.0 }, { "name": "IbmCloudIamDetector" }, { "name": "IbmCosHmacDetector" }, { "name": "JwtTokenDetector" }, { "name": "KeywordDetector", "keyword_exclude": "" }, { "name": "MailchimpDetector" }, { "name": "NpmDetector" }, { "name": "PrivateKeyDetector" }, { "name": "SendGridDetector" }, { "name": "SlackDetector" }, { "name": "SoftlayerDetector" }, { "name": "SquareOAuthDetector" }, { "name": "StripeDetector" }, { "name": "TwilioKeyDetector" } ], "filters_used": [ { "path": "detect_secrets.filters.allowlist.is_line_allowlisted" }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", "min_level": 2 }, { "path": "detect_secrets.filters.gibberish.should_exclude_secret", "limit": 3.7 }, { "path": "detect_secrets.filters.heuristic.is_indirect_reference" }, { "path": "detect_secrets.filters.heuristic.is_likely_id_string" }, { "path": "detect_secrets.filters.heuristic.is_lock_file" }, { "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" }, { "path": "detect_secrets.filters.heuristic.is_potential_uuid" }, { "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" }, { "path": "detect_secrets.filters.heuristic.is_sequential_string" }, { "path": "detect_secrets.filters.heuristic.is_swagger_file" }, { "path": "detect_secrets.filters.heuristic.is_templated_secret" } ], "results": {}, "generated_at": "2024-03-02T16:23:36Z" } ```It will flag other related AWS access keys one would probably want to be notified about.
No
This is the same pattern used in gitleaks (although pattern changed to be in alphabetical order), but not as detailed as git-secrets. The gitleaks pattern makes the most sense to me. It doesn't include every variation as explained here, just the ones that make sense.