From 926a92af3bc14e0633e6618d869e681403310c88 Mon Sep 17 00:00:00 2001
From: Joe Leon
Date: Thu, 2 Nov 2023 16:30:22 -0400
Subject: [PATCH] updating aws regex + logic for resource type
---
 pkg/detectors/aws/aws.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/detectors/aws/aws.go b/pkg/detectors/aws/aws.go
index 72b19cbc33b4..64fdeb648848 100644
--- a/pkg/detectors/aws/aws.go
+++ b/pkg/detectors/aws/aws.go
@@ -69,7 +69,7 @@ var (
 // Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
 // Key types are from this list https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids
- idPat = regexp.MustCompile(`\b((?:AKIA|ABIA|ACCA|ASIA)[0-9A-Z]{16})\b`)
+ idPat = regexp.MustCompile(`\b((AKIA|ABIA|ACCA|ASIA)[0-9A-Z]{16})\b`)
 secretPat = regexp.MustCompile(`[^A-Za-z0-9+\/]{0,1}([A-Za-z0-9+\/]{40})[^A-Za-z0-9+\/]{0,1}`)
 // Hashes, like those for git, do technically match the secret pattern.
 // But they are extremely unlikely to be generated as an actual AWS secret.
@@ -109,7 +109,7 @@ func (s scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 secretMatches := secretPat.FindAllStringSubmatch(dataStr, -1)
 for _, idMatch := range idMatches {
- if len(idMatch) != 2 {
+ if len(idMatch) != 3 {
 continue
 }
 resIDMatch := strings.TrimSpace(idMatch[1])
@@ -132,7 +132,7 @@ func (s scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 Redacted: resIDMatch,
 RawV2: []byte(resIDMatch + resSecretMatch),
 ExtraData: map[string]string{
- "resource_type": resourceTypes[resIDMatch[0:4]],
+ "resource_type": resourceTypes[idMatch[2]],
 },
 }
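Review bot: The second capture group added to `idPat` is an undocumented positional contract: the guard in the second hunk (`len(idMatch) != 3`) and the lookup in the third hunk (`idMatch[2]`) both depend on the pattern having exactly two groups. If a later edit adds or removes a group, the guard makes the loop `continue` on every match, so the detector would silently report no AWS keys instead of failing. I would record the contract beside the pattern, `// Group 1 is the full key ID; group 2 is its 4-character prefix, used as the resourceTypes key.`, and pin the group count in a unit test for this package. The `var (` block and the body of FromData both continue outside these hunks.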
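Review bot: The lookup `resourceTypes[idMatch[2]]` in the third hunk stores an empty `resource_type` when the prefix has no entry in the map. The map is defined outside this patch, so it is not visible here whether all four prefixes accepted by `idPat` (AKIA, ABIA, ACCA, ASIA) are covered. An empty value hides from whoever triages the finding what kind of credential was found. I would use the comma-ok form, `rt, ok := resourceTypes[idMatch[2]]`, and set the key only when `ok`, or store an explicit unknown marker. The struct literal and the rest of FromData continue outside the hunk.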