updating aws regex + logic for resource type

trufflesecurity · Nov 2, 2023 · 926a92a · 926a92a
1 parent 5e86e3a
commit 926a92a
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/pkg/detectors/aws/aws.go b/pkg/detectors/aws/aws.go
@@ -69,7 +69,7 @@ var (
 
 	// Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
 	// Key types are from this list https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids
-	idPat     = regexp.MustCompile(`\b((?:AKIA|ABIA|ACCA|ASIA)[0-9A-Z]{16})\b`)
+	idPat     = regexp.MustCompile(`\b((AKIA|ABIA|ACCA|ASIA)[0-9A-Z]{16})\b`)
 	secretPat = regexp.MustCompile(`[^A-Za-z0-9+\/]{0,1}([A-Za-z0-9+\/]{40})[^A-Za-z0-9+\/]{0,1}`)
 	// Hashes, like those for git, do technically match the secret pattern.
 	// But they are extremely unlikely to be generated as an actual AWS secret.
@@ -109,7 +109,7 @@ func (s scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 	secretMatches := secretPat.FindAllStringSubmatch(dataStr, -1)
 
 	for _, idMatch := range idMatches {
-		if len(idMatch) != 2 {
+		if len(idMatch) != 3 {
 			continue
 		}
 		resIDMatch := strings.TrimSpace(idMatch[1])
@@ -132,7 +132,7 @@ func (s scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 				Redacted:     resIDMatch,
 				RawV2:        []byte(resIDMatch + resSecretMatch),
 				ExtraData: map[string]string{
-					"resource_type": resourceTypes[resIDMatch[0:4]],
+					"resource_type": resourceTypes[idMatch[2]],
 				},
 			}