cloud-gov / caulking

Prevent leaks with gitleaks, and use tests to validate

Detect AWS keys in absence of `key` earlier in string #13

Closed. pburkholder closed this 4 years ago.

pburkholder commented 4 years ago

In order to more fully ensure AWS keys can't be inadvertently leaked, add a rule to detect any string that might be an AWS key.

This is a finding from our 3PAO review of caulking.

This will generate lots of false positives, so it would be considered a mitigation until we better ensure that only short-lived authenticators are used.

Security considerations

To update rules, no implications as such

Implementation sketch

pburkholder commented 4 years ago

[image attachment]

pburkholder commented 4 years ago

aws_secret_access_key='ABCDEF+c2L7yXeGvUyrPgYsDnWRRC1AYEXAMPLE'

pburkholder commented 4 years ago

Fixed in #21 with commit 060507b407bb680b82826b15c29d6d3e6d7ca6a0
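As an added example for the rule requested in this issue (this is not caulking's gitleaks rule and not code from the thread), the scanner below flags any 40-character base64-style run as a possible AWS secret access key whether or not `key` or `aws` appears earlier in the line, and flags `AKIA`/`ASIA` access key IDs. The regexes, the entropy threshold, the hex filter and the sample lines are assumptions made for illustration; the key values in the sample are the public AWS documentation placeholders, and the hash is the commit id quoted in the comment above, included to show why a plain 40-character pattern produces false positives.

```python
import math
import re
import sys
from collections import Counter

# Assumed patterns for this example (not caulking's gitleaks rule):
# an AWS secret access key is 40 characters from the base64 alphabet, and an
# access key ID is "AKIA" (long-term) or "ASIA" (temporary) plus 16 upper-case
# alphanumerics. Neither pattern needs "key" or "aws" nearby, which is the
# point of the rule requested in the issue.
AWS_SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")
AWS_ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
HEX_RE = re.compile(r"(?i)^[0-9a-f]{40}$")


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys usually score above 4, padding and words far lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_aws_key_candidates(text: str, min_entropy: float = 3.5, skip_hex: bool = True):
    """Return (line_number, rule_id, value) for every candidate found in text.

    min_entropy drops repetitive 40-character runs; skip_hex drops pure hex runs,
    which are almost always SHA-1 digests (git commit ids) rather than AWS secrets.
    Both filters trade a little recall for fewer false positives.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "aws-access-key-id", m.group(1)))
        for m in AWS_SECRET_RE.finditer(line):
            value = m.group(1)
            if skip_hex and HEX_RE.match(value):
                continue
            if shannon_entropy(value) < min_entropy:
                continue
            findings.append((lineno, "aws-secret-key-candidate", value))
    return findings


# Constructed sample input. Line 4 has a secret with no "key" label at all,
# line 5 is a git commit id and line 6 is padding: both match the bare pattern.
SAMPLE = """\
# constructed sample input; the key values are the public AWS documentation placeholders
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export TF_VAR_db_pw=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
commit = 060507b407bb680b82826b15c29d6d3e6d7ca6a0
padding = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""


if __name__ == "__main__":
    hits = find_aws_key_candidates(SAMPLE)
    for lineno, rule, value in hits:
        # Print a redacted form so the scanner itself never echoes a full secret.
        print(f"line {lineno}: {rule}: {value[:4]}...{value[-4:]}")
    # Non-zero exit lets this run as a pre-commit or CI check.
    sys.exit(1 if hits else 0)
```

Run with no filters (`min_entropy=0.0, skip_hex=False`) and the commit id and the padding line are reported too, which is the "lots of false positives" the issue expects from a bare 40-character rule; gitleaks expresses the same match as a regex in its TOML rules, and filters like these two are one way to keep the noise manageable until only short-lived credentials are in use.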