feat(secrets): handle non iac secrets FP (#5478)

* handle non iac secrets FP * fix mypy issue * fix according to comments --------- Co-authored-by: Max Amelchenko <[email protected]>
bridgecrewio · Aug 23, 2023 · 3dc6f47 · 3dc6f47
1 parent 5a31bd5
commit 3dc6f47
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 4 deletions.
diff --git a/checkov/secrets/plugins/detector_utils.py b/checkov/secrets/plugins/detector_utils.py
@@ -174,16 +174,23 @@
 }
 
 
-def remove_fp_secrets_in_keys(detected_secrets: set[PotentialSecret], line: str) -> None:
+def remove_fp_secrets_in_keys(detected_secrets: set[PotentialSecret], line: str, is_code_file: bool = False) -> None:
     formatted_line = line.replace('"', '').replace("'", '')
     secrets_to_remove = set()
     for detected_secret in detected_secrets:
+        if not detected_secret.secret_value:
+            continue
         # Found keyword prefix as potential secret
-        if detected_secret.secret_value and formatted_line.startswith(detected_secret.secret_value):
+        if formatted_line.startswith(detected_secret.secret_value):
             secrets_to_remove.add(detected_secret)
         # found a function name at the end of the line
-        if detected_secret.secret_value and formatted_line and FUNCTION_CALL_AFTER_KEYWORD_REGEX.search(formatted_line):
+        if formatted_line and FUNCTION_CALL_AFTER_KEYWORD_REGEX.search(formatted_line):
             secrets_to_remove.add(detected_secret)
+        # secret value is substring of keywork
+        if is_code_file and FOLLOWED_BY_EQUAL_VALUE_KEYWORD_REGEX.search(formatted_line):
+            key, value = line.split("=", 1)
+            if detected_secret.secret_value in key and detected_secret.secret_value in value:
+                secrets_to_remove.add(detected_secret)
     detected_secrets -= secrets_to_remove
 
 

diff --git a/checkov/secrets/plugins/entropy_keyword_combinator.py b/checkov/secrets/plugins/entropy_keyword_combinator.py
@@ -209,14 +209,17 @@ def analyze_line(
                         # return a possible secret, otherwise check with next parser
                         return potential_secrets
         else:
-            return detect_secret(
+            detected_secrets = detect_secret(
                 # If we found a keyword (i.e. db_pass = ), lower the threshold to the iac threshold
                 scanners=self.high_entropy_scanners if not keyword_on_key else self.entropy_scanners_non_iac_with_keyword,
                 filename=filename,
                 line=line,
                 line_number=line_number,
                 kwargs=kwargs
             )
+            if detected_secrets:
+                remove_fp_secrets_in_keys(detected_secrets, line, True)
+            return detected_secrets
 
         return set()
 

diff --git a/tests/secrets/sanity/non_iac_fp/main.tf → tests/secrets/sanity/iac_fp/main.tf b/tests/secrets/sanity/non_iac_fp/main.tf → tests/secrets/sanity/iac_fp/main.tf
diff --git a/tests/secrets/sanity/iac_fp/a.py → tests/secrets/sanity/non_iac_fp/a.py b/tests/secrets/sanity/iac_fp/a.py → tests/secrets/sanity/non_iac_fp/a.py
@@ -3,6 +3,9 @@ def a():
 
     mock_url = mock_bc_integration.bc_api_url + "/api/v1/vulnerabilities/scan-results/2e97f5afea42664309f492a1e2083b43479c2936"
 
+    PASSWORD = "PASSWORD"
+    STATUS_ERROR_PASSWORD_FETCH = "ERROR_PASSWORD_FETCH"
+
     return "Properties/LogPublishingOptions/AUDIT_LOGS/Enabled"
 
     metadata_options['HttpTokens'] == "required"