fix(secrets): skip aws secrets of greater length (fanal#514)

2025-12-20 14:22:50 -08:00 · 2022-05-12 12:21:42 +06:00
parent 3487accd99
commit be3993b60a
4 changed files with 62 additions and 8 deletions
--- a/secret/builtin-rules.go
+++ b/secret/builtin-rules.go
@@ -1,6 +1,8 @@
 package secret

 import (
+	"fmt"
+
 	"github.com/aquasecurity/fanal/types"
 )

@@ -64,21 +66,32 @@ var (
 	CategoryTypeform             = types.SecretRuleCategory("Typeform")
 )

+// Reusable regex patterns
+const (
+	quote       = `["']?`
+	connect     = `\s*(:|=>|=)\s*`
+	startSecret = `(^|\s+)`
+	endSecret   = `(\s+|$)`
+
+	aws = `(aws)?_?`
+)
+
 var builtinRules = []Rule{
 	{
-		ID:       "aws-access-key-id",
-		Category: CategoryAWS,
-		Severity: "CRITICAL",
-		Title:    "AWS Access Key ID",
-		Regex:    MustCompile(`(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}`),
-		Keywords: []string{"AKIA", "AGPA", "AIDA", "AROA", "AIPA", "ANPA", "ANVA", "ASIA"},
+		ID:              "aws-access-key-id",
+		Category:        CategoryAWS,
+		Severity:        "CRITICAL",
+		Title:           "AWS Access Key ID",
+		Regex:           MustCompile(fmt.Sprintf(`(?P<secret>(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})%s`, endSecret)),
+		SecretGroupName: "secret",
+		Keywords:        []string{"AKIA", "AGPA", "AIDA", "AROA", "AIPA", "ANPA", "ANVA", "ASIA"},
 	},
 	{
 		ID:              "aws-secret-access-key",
 		Category:        CategoryAWS,
 		Severity:        "CRITICAL",
 		Title:           "AWS Secret Access Key",
-		Regex:           MustCompile(`(?i)["']?(aws)?_?(secret)?_?(access)?_?key["']?\s*(:|=>|=)\s*(?P<secret>["']?[A-Za-z0-9\/\+=]{40})["']?`),
+		Regex:           MustCompile(fmt.Sprintf(`(?i)%s%s%s(secret)?_?(access)?_?key%s%s%s(?P<secret>[A-Za-z0-9\/\+=]{40})%s%s`, startSecret, quote, aws, quote, connect, quote, quote, endSecret)),
 		SecretGroupName: "secret",
 		Keywords:        []string{"key"},
 	},
@@ -87,7 +100,7 @@ var builtinRules = []Rule{
 		Category:        CategoryAWS,
 		Severity:        "HIGH",
 		Title:           "AWS Account ID",
-		Regex:           MustCompile(`(?i)["']?(aws)?_?account_?(id)?["']?\s*(:|=>|=)\s*['"]?(?P<secret>[0-9]{4}\-?[0-9]{4}\-?[0-9]{4})['"]?`),
+		Regex:           MustCompile(fmt.Sprintf(`(?i)%s%s%saccount_?(id)?%s%s%s(?P<secret>[0-9]{4}\-?[0-9]{4}\-?[0-9]{4})%s%s`, startSecret, quote, aws, quote, connect, quote, quote, endSecret)),
 		SecretGroupName: "secret",
 		Keywords:        []string{"account"},
 	},
--- a/secret/scanner_test.go
+++ b/secret/scanner_test.go
@@ -94,6 +94,24 @@ func TestSecretScanner(t *testing.T) {
 		EndLine:   2,
 		Match:     "generic secret line secret=\"*****\"",
 	}
+	wantFinding9 := types.SecretFinding{
+		RuleID:    "aws-secret-access-key",
+		Category:  secret.CategoryAWS,
+		Title:     "AWS Secret Access Key",
+		Severity:  "CRITICAL",
+		StartLine: 1,
+		EndLine:   1,
+		Match:     `'AWS_secret_KEY'="*****"`,
+	}
+	wantFinding10 := types.SecretFinding{
+		RuleID:    "aws-account-id",
+		Category:  secret.CategoryAWS,
+		Title:     "AWS Account ID",
+		Severity:  "HIGH",
+		StartLine: 3,
+		EndLine:   3,
+		Match:     `"aws_account_ID":'*****'`,
+	}

 	tests := []struct {
 		name          string
@@ -110,6 +128,15 @@ func TestSecretScanner(t *testing.T) {
 				Findings: []types.SecretFinding{wantFinding1, wantFinding2},
 			},
 		},
+		{
+			name:          "find aws secrets",
+			configPath:    "testdata/config.yaml",
+			inputFilePath: "testdata/aws-secrets.txt",
+			want: types.Secret{
+				FilePath: "testdata/aws-secrets.txt",
+				Findings: []types.SecretFinding{wantFinding5, wantFinding9, wantFinding10},
+			},
+		},
 		{
 			name:          "include when keyword found",
 			configPath:    "testdata/config-happy-keywords.yaml",
@@ -258,6 +285,11 @@ func TestSecretScanner(t *testing.T) {
 				Findings: []types.SecretFinding{wantFinding8},
 			},
 		},
+		{
+			name:          "invalid aws secrets",
+			inputFilePath: "testdata/invalid-aws-secrets.txt",
+			want:          types.Secret{},
+		},
 	}

 	for _, tt := range tests {
--- a/secret/testdata/aws-secrets.txt
+++ b/secret/testdata/aws-secrets.txt
@@ -0,0 +1,3 @@
+'AWS_secret_KEY'="12ASD34qwe56CXZ78tyH10Tna543VBokN85RHCas"
+AWS_ACCESS_KEY_ID=AKIA0123456789ABCDEF
+"aws_account_ID":'1234-5678-9123'
--- a/secret/testdata/invalid-aws-secrets.txt
+++ b/secret/testdata/invalid-aws-secrets.txt
@@ -0,0 +1,6 @@
+base64:
+YXdzLWFjY2AIPA1rZXktaWQgdGVzdCBzdHJpbmc=
+web.config file in windows containers:
+publicKey="F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293"
+length is too long:
+"AWS_key":HGM724ngha9785NGKbbar6jk76mnLL80BHJnabyhdngha9785NGKbb6jk76mnLL8