org.sonar.plugins.secrets.configuration.aws.yaml Maven / Gradle / Ivy
provider:
metadata:
name: AWS
category: Cloud Provider
detection:
pre:
scopes:
- main
include:
content:
- aws
- amazon
reject:
ext:
- .adoc
- .example
- .html
- .md
- .mdx
- .template
rules:
- rspecKey: S6290
id: aws-secret-access-keys-1
metadata:
name: AWS Secret Access Keys
message: Make sure this AWS Secret Access Key gets revoked, changed, and removed from the code.
detection:
matching:
pattern: "(?is)aws.{0,30}secret.{0,30}\\b([0-9a-z/+]{40})\\b"
context:
matchNot:
matchEither:
- patternBefore:
pattern: "caver"
maxLineDistance: 5
- patternBefore:
pattern: "klaytn"
maxLineDistance: 5
post:
statisticalFilter:
threshold: 4.2
patternNot:
# Character repeated 5 times
- "([\\w])\\1{5,}"
# Common text placeholders
- "(?i)(?:s|ex)ample|foo|bar|test|abcd|redacted|key"
# Common numeric placeholders
- "1234"
examples:
- text: |
# Noncompliant code example
props.set("aws-secret-access-key", "kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb")
containsSecret: true
match: kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb
- text: |
# Compliant solution
props.set("aws-secret-access-key", System.getenv("AWS_SECRET_ACCESS_KEY"))
containsSecret: false
- text: |
var creds = new AWS.Credentials({
secretAccessKey: 'kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb'
});
containsSecret: true
match: kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb
- text: |
var creds = new AWS.Credentials({
secretAccessKey: 'kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb'
});
fileName: Doc.md
containsSecret: false
- text: |
aws_secret_access_key=kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb
containsSecret: true
match: kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb
- text: |
AWS_FECRET_KEY=kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb'
AWS_SECRET_KEY=EXAMPLEKEYCXCgDCUbJq1h7CKwNqnpA1il4MXL+y
containsSecret: false
- text: |
c.S3SecretAccessKey = c.Get("PRECISE_CODE_INTEL_UPLOAD_AWS_SECRET_ACCESS_KEY", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "An AWS secret key associated with a user with access to S3.")
containsSecret: false
- text: |
some-aws-key:
more-aws-metadata:
line1: true
line2: false
caver:
accessKeyId: KASK8ZXBEY0OG1ZE7V8V55TP
secretAccessKey: nuGZMoAmbq1v9kC1bg9iK5x1nIHOTXzEogtCivX2
containsSecret: false
- text: |
curl --location --request POST "https://wallet-api.klaytnapi.com/v2/account" \
-u KASKP6ZDZJ9TDH4OE825GB01:UDGCqEA2wibbsHFj4VL3vgpltaSh1HvlMRLBauEL \
--header "x-krn: krn:1001:wallet:b73717b4-2bad-4cbe-9517-951ca5af3a15:account-pool:Dawson Lee"
--header "x-chain-id: 1001" \
containsSecret: false
- rspecKey: S6290
id: aws-secret-access-keys-2
metadata:
name: AWS Secret Access Keys
message: Make sure this AWS Secret Access Key gets revoked, changed, and removed from the code.
detection:
matching:
pattern: "(?i)\\b(?:AWS)?_?SECRET_?(?:ACCESS)?_?KEY\\b.{0,10}\\b([0-9a-z\\/+]{40})\\b"
post:
statisticalFilter:
threshold: 4.2
patternNot:
# Character repeated 5 times
- "([\\w])\\1{5,}"
# Common text placeholders
- "(?i)(?:s|ex)ample|foo|bar|test|abcd|redacted|key"
# Common numeric placeholders
- "1234"
examples:
- text: |
var creds = new AWS.Credentials({
secretAccessKey: 'kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb'
});
containsSecret: true
match: kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb
- text: |
aws_secret_access_key=kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb
containsSecret: true
match: kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb
- text: |
aws_secret_access_key=kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb
fileName: Doc.html
containsSecret: false
- text: |
AWS_FECRET_KEY=kHeUAwnSUizTWpSbyGAz4f+As5LshPIjvtpswqGb'
AWS_SECRET_KEY=EXAMPLEKEYCXCgDCUbJq1h7CKwNqnpA1il4MXL+y
containsSecret: false
- rspecKey: S6290
id: aws-session-tokens
metadata:
name: AWS Session tokens
message: Make sure this AWS Session token gets revoked, changed, and removed from the code.
detection:
matching:
pattern: "(?i)session_?token(?:\"?\\s*[=:]\\s*\"?|>\\s*)([0-9a-z/+\"\\s=]{50,})(?:\\s*<|\\s*$|\"[;,]?|$)"
post:
patternNot:
# Common text placeholders
- "(?i)(?:s|ex)ample|foo|bar|test|redacted"
examples:
- text: |
AWS_SESSION_TOKEN = "IQoJb3JpZ2luX2VjEKL//////////wE" +
"aDGV1LWNlbnRyYWwtMSJHMEUCIQDFlDUEvUa6slxlkKKn8zbLkN/j1f7lKJdXJ03PQ5T5ZwIgDYlshciO8nyfnmjUfFy4I2+rEuPHBe" +
"xsvfBo3MlCdgQqugMISxAAGgw4NTk4OTY2NzUzMDYiDFKPV7D/QmnqFWRYpiqXAypJf6TksPZXImVpIUU0Yj0uJhNN0o/HcO8hfQ4BX" +
"uCvpm1DOiVsH6VXMxgNdpGTWr8CjNpEt/eYwSk6MAVPOtjg5+lY2qoGJrUuxwhiKe+BquVM17h0giZ18h1B4ozDGkfxA/vGSJa/qBzn" +
"F0yEpLE+fJoesGe4ZpATs8oUN94/XkrL/eYzXsW3ZD1ZX66QzmSFHhgTJc24d9bezGjR32fEJD/dBm9La+7wpc4+jrXCmt6yxHox0gC" +
"uGrSagcJfPh9pVYneM81fnD/S7Kicb1Pw8MiChfqW0hao1twr4wMgp9N3JlYQNK3fZKbMU/qlvoKTz8D0Joa4elSp4rU4reVUsujCXV" +
"E95PDyj4LD3IDXHF5SAd/23/M/IucMRyeWlRE4pCtry68ENpojXr0tdyyVs8XSkgCGgup/BqDTkBnEBD+V5hOIrHJv5rJ6KpaxEZG0o" +
"zUJdaUpCseSSKK4Jn7liqVqF5EzOOXelqTAACcJmILKQHqke8n3imNs72oi8tu1N+oqbFp60K9whtLDm0JZSavpmRDkMODb8/4FOusB" +
"HFYZCuxMUmotN9Dkzp4InT7kJdKZ/kr61SMhU4hj7vTdjhcRHItO2P+jR7+38kQLDR4O1HR1XkHzLMwDvDwZULeOl6afS1ZpbO8XpeP" +
"HaaLnEqJeZ8BpnfwBEiylK3HGzGAP7WcAgFlMO9AEqoGnnbUBFcL+IYnZ3JFPy0sGsrH4cOC8Gxy2icQKrGpdIyMqGjb2hZsSc1S4nj" +
"GpK0AlCEKrAjzpr6SzPSwLnFtAJpztHbgb9Z7D2jdsjugQYdFwi6/9GKOI/slKqt5/vb7dLnSyeAY+jTaoveUZf6D5yM8PCKrvw5/k+" +
"A1XJw=="
containsSecret: true
match: |
IQoJb3JpZ2luX2VjEKL//////////wE" +
"aDGV1LWNlbnRyYWwtMSJHMEUCIQDFlDUEvUa6slxlkKKn8zbLkN/j1f7lKJdXJ03PQ5T5ZwIgDYlshciO8nyfnmjUfFy4I2+rEuPHBe" +
"xsvfBo3MlCdgQqugMISxAAGgw4NTk4OTY2NzUzMDYiDFKPV7D/QmnqFWRYpiqXAypJf6TksPZXImVpIUU0Yj0uJhNN0o/HcO8hfQ4BX" +
"uCvpm1DOiVsH6VXMxgNdpGTWr8CjNpEt/eYwSk6MAVPOtjg5+lY2qoGJrUuxwhiKe+BquVM17h0giZ18h1B4ozDGkfxA/vGSJa/qBzn" +
"F0yEpLE+fJoesGe4ZpATs8oUN94/XkrL/eYzXsW3ZD1ZX66QzmSFHhgTJc24d9bezGjR32fEJD/dBm9La+7wpc4+jrXCmt6yxHox0gC" +
"uGrSagcJfPh9pVYneM81fnD/S7Kicb1Pw8MiChfqW0hao1twr4wMgp9N3JlYQNK3fZKbMU/qlvoKTz8D0Joa4elSp4rU4reVUsujCXV" +
"E95PDyj4LD3IDXHF5SAd/23/M/IucMRyeWlRE4pCtry68ENpojXr0tdyyVs8XSkgCGgup/BqDTkBnEBD+V5hOIrHJv5rJ6KpaxEZG0o" +
"zUJdaUpCseSSKK4Jn7liqVqF5EzOOXelqTAACcJmILKQHqke8n3imNs72oi8tu1N+oqbFp60K9whtLDm0JZSavpmRDkMODb8/4FOusB" +
"HFYZCuxMUmotN9Dkzp4InT7kJdKZ/kr61SMhU4hj7vTdjhcRHItO2P+jR7+38kQLDR4O1HR1XkHzLMwDvDwZULeOl6afS1ZpbO8XpeP" +
"HaaLnEqJeZ8BpnfwBEiylK3HGzGAP7WcAgFlMO9AEqoGnnbUBFcL+IYnZ3JFPy0sGsrH4cOC8Gxy2icQKrGpdIyMqGjb2hZsSc1S4nj" +
"GpK0AlCEKrAjzpr6SzPSwLnFtAJpztHbgb9Z7D2jdsjugQYdFwi6/9GKOI/slKqt5/vb7dLnSyeAY+jTaoveUZf6D5yM8PCKrvw5/k+" +
"A1XJw=="
- text: |
ASIAIOSFODNN7GUTXNEL
wJalrXUtnFEMI/K7MDENG/bPxRfiCYzP+jR7+38k
AQoDYXdzEPT//////////wMRyeWlRtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
2019-11-09T13:34:41Z
containsSecret: true
match: |
AQoDYXdzEPT//////////wMRyeWlRtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
- text: |
ASIAIOSFODNN7GUTXNEL
wJalrXUtnFEMI/K7MDENG/bPxRfiCYzP+jR7+38k
AQoDYXdzEPT//////////wMRyeWlRtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
2019-11-09T13:34:41Z
fileName: Doc.example
containsSecret: false
- text: |
AWS_SESS_TOK = "IQoJb3JpZ2luX2VjEKL//////////wEaDGV1" +
"LWNlbnRyYWwtMSJHMEUCIQDFlDUEvUa6slxlkKKn8zbLkN/j1f7lKJdXJ03PQ5T5ZwIgDYlshciO8nyfnmjUfFy4I2+rEuPHBexsvfB" +
"o3MlCdgQqugMISxAAGgw4NTk4OTY2NzUzMDYiDFKPV7D/QmnqFWRYpiqXAypJf6TksPZXImVpIUU0Yj0uJhNN0o/HcO8hfQ4BXuCvpm" +
"1DOiVsH6VXMxgNdpGTWr8CjNpEt/eYwSk6MAVPOtjg5+lY2qoGJrUuxwhiKe+BquVM17h0giZ18h1B4ozDGkfxA/vGSJa/qBznF0yEp" +
"LE+fJoesGe4ZpATs8oUN94/XkrL/eYzXsW3ZD1ZX66QzmSFHhgTJc24d9bezGjR32fEJD/dBm9La+7wpc4+jrXCmt6yxHox0gCuGrSa" +
"gcJfPh9pVYneM81fnD/S7Kicb1Pw8MiChfqW0hao1twr4wMgp9N3JlYQNK3fZKbMU/qlvoKTz8D0Joa4elSp4rU4reVUsujCXVE95PD" +
"yj4LD3IDXHF5SAd/23/M/IucMRyeWlRE4pCtry68ENpojXr0tdyyVs8XSkgCGgup/BqDTkBnEBD+V5hOIrHJv5rJ6KpaxEZG0ozUJda" +
"UpCseSSKK4Jn7liqVqF5EzOOXelqTAACcJmILKQHqke8n3imNs72oi8tu1N+oqbFp60K9whtLDm0JZSavpmRDkMODb8/4FOusBHFYZC" +
"uxMUmotN9Dkzp4InT7kJdKZ/kr61SMhU4hj7vTdjhcRHItO2P+jR7+38kQLDR4O1HR1XkHzLMwDvDwZULeOl6afS1ZpbO8XpePHaaLn" +
"EqJeZ8BpnfwBEiylK3HGzGAP7WcAgFlMO9AEqoGnnbUBFcL+IYnZ3JFPy0sGsrH4cOC8Gxy2icQKrGpdIyMqGjb2hZsSc1S4njGpK0A" +
"lCEKrAjzpr6SzPSwLnFtAJpztHbgb9Z7D2jdsjugQYdFwi6/9GKOI/slKqt5/vb7dLnSyeAY+jTaoveUZf6D5yM8PCKrvw5/k+A1XJw" +
"=="
containsSecret: false
© 2015 - 2025 Weber Informatics LLC | Privacy Policy