diff --git a/Pipfile b/Pipfile index 1734ee09b4..70b52fd98a 100644 --- a/Pipfile +++ b/Pipfile @@ -43,7 +43,7 @@ types-colorama = "<0.5.0,>=0.4.3" # REMINDER: Update "install_requires" deps on setup.py when changing # bc-python-hcl2 = "==0.4.2" -bc-detect-secrets = "==1.5.41" +bc-detect-secrets = "==1.5.43" bc-jsonpath-ng = "==1.6.1" pycep-parser = "==0.5.1" tabulate = ">=0.9.0,<0.10.0" diff --git a/Pipfile.lock b/Pipfile.lock index 32d1d6c77e..18733f5b1a 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "12102ebe1a3e1d9cc600f3837fe74263e4395938b899144c29444a0a3713a23e" + "sha256": "1de9949c91aa495bee1459a5f97362c12af242ea3a2995398f21c879ce801952" }, "pipfile-spec": 6, "requires": { @@ -191,12 +191,12 @@ }, "bc-detect-secrets": { "hashes": [ - "sha256:4bd08292a975bfc9b95771e118dd1131e1afbd479610eb29e4e0c15bd33677fc", - "sha256:629df912f2a4f4d5039cc1fece906c34700586f7db1ae6a8d1c830c25df6db9b" + "sha256:9f0181b1092e99bc4e4667f110ed9c905c221d851a71fc0ce01ca3d936f8970b", + "sha256:c56dc62be49c46c751682219d1ce5e7b1933ebd4051d9766d9b9e72537550e61" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==1.5.41" + "version": "==1.5.43" }, "bc-jsonpath-ng": { "hashes": [ 
@@ -2192,19 +2192,19 @@ "s3" ], "hashes": [ - "sha256:8a65fdcf344dc6a071d500e3c68bf11c3d14bdb900a3ffe036c445c068b018ee", - "sha256:9106bc4a0682b1db2a7f74a87de2cf1cc9aa70b6d068a469410ea4ea0293c88c" + "sha256:c39a80a0c986ef19e98976802007cea4fac6eec91569581a00556d40d931e5c5", + "sha256:d85890ea95a1789e36f7af304a2a4c1d8ec0d7149dfe1ac57ccea88b89d5f848" ], "markers": "python_version >= '3.8'", - "version": "==1.38.12" + "version": "==1.38.16" }, "botocore-stubs": { "hashes": [ - "sha256:d8656b6be20208fbbfd42fdee81b8c5374c8ae317a0046df6c155140a606a57e", - "sha256:e25cda287d65f9460cce4f3489e3d9842a8920688cc8d0790bc0b5ed7ee5bc10" + "sha256:48ec6eb6c38923d0e0f9494e72c869462ab5ffd3578b91cd2d91fd94d361e03c", + "sha256:492c7bb397d57d38a27cb8b27bfd1644a717bfd654ea613a60b4be23375c1357" ], "markers": "python_version >= '3.8'", - "version": "==1.38.12" + "version": "==1.38.16" }, "certifi": { "hashes": [ @@ -2427,11 +2427,11 @@ }, "exceptiongroup": { "hashes": [ - "sha256:3111b9d131c238bec2f8f516e123e14ba243563fb135d3fe885990585aa7795b", - "sha256:47c2edf7c6738fafb49fd34290706d1a1a2f4d1c6df275526b62cbb4aa5393cc" + "sha256:4d111e6e0c13d0644cad6ddaa7ed0261a0b36971f6d23e7ec9b4b9097da78a10", + "sha256:b241f5885f560bc56a59ee63ca4c6a8bfa46ae4ad651af316d4e81817bb9fd88" ], "markers": "python_version >= '3.7'", - "version": "==1.2.2" + "version": "==1.3.0" }, "execnet": { "hashes": [ @@ -3384,11 +3384,11 @@ }, "types-awscrt": { "hashes": [ - "sha256:176d320a26990efc057d4bf71396e05be027c142252ac48cc0d87aaea0704280", - "sha256:aca96f889b3745c0e74f42f08f277fed3bf6e9baa2cf9b06a36f78d77720e504" + "sha256:3c2bee52ee45022daaf4f106d5d1b5f0ff0a8e3e6093dda65f5315b7669bc418", + "sha256:e86b83d0fd8c770f985b8c458c28e232dae9adee0689d0a9671868a8bf397b0a" ], "markers": "python_version >= '3.8'", - "version": "==0.26.1" + "version": "==0.27.1" }, "types-cachetools": { "hashes": [ diff --git a/setup.py b/setup.py index bc75fa2e8b..624f05a1c8 100644 --- a/setup.py +++ b/setup.py 
@@ -66,7 +66,7 @@ def run(self) -> None: }, install_requires=[ "bc-python-hcl2==0.4.2", - "bc-detect-secrets==1.5.41", + "bc-detect-secrets==1.5.43", "bc-jsonpath-ng==1.6.1", "pycep-parser==0.5.1", "tabulate>=0.9.0,<0.10.0", diff --git a/tests/secrets/resources/cfn/secret-no-false-positive.yml b/tests/secrets/resources/cfn/secret-no-false-positive.yml index 012ab3a6d7..9214b6a8e3 100644 --- a/tests/secrets/resources/cfn/secret-no-false-positive.yml +++ b/tests/secrets/resources/cfn/secret-no-false-positive.yml @@ -19,4 +19,4 @@ no False Positive - where it's not an actual secret check1 = {'blabla': 'blabla1'} check2 = {'blabla': 'blabla2'} check1['some_key_1235#$@'] = check2.get('some_value_1235') - not_a_secr_k = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" \ No newline at end of file + not_a_secr_k = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPL3KEY" diff --git a/tests/secrets/resources/cfn/secret.yml b/tests/secrets/resources/cfn/secret.yml index b6c0cd7ba4..87f146f064 100644 --- a/tests/secrets/resources/cfn/secret.yml +++ b/tests/secrets/resources/cfn/secret.yml @@ -14,8 +14,8 @@ Resources: console.log("Hello World"); Environment: Variables: - access_key: "AKIAIOSFODNN7EXAMPLE" - secret_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" + access_key: "AKIAIOSFODNN7EXAMPL3" + secret_key: "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" Tags: - Key: Name Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-analysis" diff --git a/tests/secrets/resources/file_type/Dockerfile b/tests/secrets/resources/file_type/Dockerfile index d575ab12fc..b4d34c7053 100644 --- a/tests/secrets/resources/file_type/Dockerfile +++ b/tests/secrets/resources/file_type/Dockerfile 
@@ -5,9 +5,9 @@ RUN apt install first_update_line \ RUN apt update second_update_line RUN apt update third_update_line USER bob -ENV AWS_ACCESS_KEY_ID="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" -ENV AWS_SECRET_ACCESS_KEY="AKIAIOSFODNN7EXAMPLE" +ENV AWS_ACCESS_KEY_ID="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPL3KEY" +ENV AWS_SECRET_ACCESS_KEY="AKIAIOSFODNN7EXAMPL3" HEALTHCHECK --interval=5m --timeout=3s \ CMD curl -f http://localhost/ || exit 1 -~ \ No newline at end of file +~ diff --git a/tests/secrets/resources/file_type/Dockerfile.simple b/tests/secrets/resources/file_type/Dockerfile.simple index 3c9c59b4d6..8eed6c5363 100644 --- a/tests/secrets/resources/file_type/Dockerfile.simple +++ b/tests/secrets/resources/file_type/Dockerfile.simple @@ -1,5 +1,5 @@ FROM base -ENV AWS_ACCESS_KEY_ID="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" -ENV AWS_SECRET_ACCESS_KEY="AKIAIOSFODNN7EXAMPLE" +ENV AWS_ACCESS_KEY_ID="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPL3KEY" +ENV AWS_SECRET_ACCESS_KEY="AKIAIOSFODNN7EXAMPL3" -RUN apk update \ No newline at end of file +RUN apk update diff --git a/tests/secrets/resources/file_type/test.py b/tests/secrets/resources/file_type/test.py index 0f5c798d28..ea8b87b03b 100644 --- a/tests/secrets/resources/file_type/test.py +++ b/tests/secrets/resources/file_type/test.py @@ -7,6 +7,6 @@ access_key = "AKIAIOSFODNN7EXAMPLE" -secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" +secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPL3KEY" if __name__ == '__main__': print('secrets') \ No newline at end of file diff --git a/tests/secrets/resources/file_type/test.ts b/tests/secrets/resources/file_type/test.ts index 66509634c4..4f38f2b6bb 100644 --- a/tests/secrets/resources/file_type/test.ts +++ b/tests/secrets/resources/file_type/test.ts 
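Review bot: The two `ENV` lines keep the values crossed: `AWS_ACCESS_KEY_ID` holds the 40-character secret-shaped string and `AWS_SECRET_ACCESS_KEY` holds the `AKIA…` identifier, and the Dockerfile.simple hunk repeats the same pairing. If this is deliberate, so that the fixture shows detection following the shape of the value rather than the variable name, say so in the file, e.g. `# values intentionally swapped: detection must not depend on the variable name`. If it is not deliberate, swap the two values so each name carries the kind of value it would hold in a real configuration. A comment line shifts line numbers, so check first whether any test asserts on line positions in these fixtures.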
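Review bot: `access_key = "AKIAIOSFODNN7EXAMPLE"` stays unchanged in test.py while `secret_key` on the next line moves to the `EXAMPL3` form, and the test.ts hunk does the same with `const access_key`. secret.yml and both Dockerfiles change both values. If these edits exist because the bumped bc-detect-secrets no longer reports the AWS documentation sample strings (inferred from the pattern of changes, not shown on the page), each of these two files now holds one value that is reported and one that is not. Either change the access key too, `access_key = "AKIAIOSFODNN7EXAMPL3"`, or keep it and state in the asserting test that the documentation sample is expected to be ignored. The expected finding counts live outside these hunks.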
@@ -1,5 +1,5 @@ const access_key = "AKIAIOSFODNN7EXAMPLE" -const secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" +const secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPL3KEY" function compact(arr: string[]) { if (arr.length > 10) return arr.slice(0, 10) diff --git a/tests/secrets/resources/terraform_skip/main.tf b/tests/secrets/resources/terraform_skip/main.tf index d775e7b6fa..2ea7917968 100644 --- a/tests/secrets/resources/terraform_skip/main.tf +++ b/tests/secrets/resources/terraform_skip/main.tf @@ -26,7 +26,7 @@ resource "aws_lambda_function" "wrong_skip" { environment { variables = { - access_key = "AKIAIOS3F6KN7EXAMPLE" #checkov:skip=CKV_SECRET_5:wrong check id + access_key = "AKIAIOS3F6KN7EXAMPL3" #checkov:skip=CKV_SECRET_5:wrong check id secret_key = "" } } diff --git a/tests/secrets/sanity/secrets/true_positive.json b/tests/secrets/sanity/secrets/true_positive.json index 6ff1dc325e..c525874dea 100644 --- a/tests/secrets/sanity/secrets/true_positive.json +++ b/tests/secrets/sanity/secrets/true_positive.json @@ -1,6 +1,6 @@ { "SA_PASSWORD": "DEV-we-954", - "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", + "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPL3KEY", "my_new_password": "F322a45xxmwov9bpgRhyuByXj2nxz7khS6yXQmfSaQCmwbTF2jpfgC56az3a", "test_pass": "z2b7k2cQfzc+yjP2K8cjuQ8uoorHBpEvC+XWhU3Z5+IdrPQYwr991Lj73xfZ+RA2GzC0wTedDTvb1C2NX+3Gpw==", "pg_pass": "sup1rstr0ngpass2ForTT", diff --git a/tests/secrets/test_secrets_verification_suppressions.py b/tests/secrets/test_secrets_verification_suppressions.py index db894402e5..ca2ac0f7a8 100644 --- a/tests/secrets/test_secrets_verification_suppressions.py +++ b/tests/secrets/test_secrets_verification_suppressions.py 
@@ -12,7 +12,7 @@ def test_runner_verify_secrets_skip_invalid_suppressed(mock_bc_integration, mock valid_dir_path = current_dir + "/resources/cfn" rel_resource_path = '/secret.yml' - resource_id = '25910f981e85ca04baf359199dd0bd4a3ae738b6' + resource_id = '3472e46be802575792c8ddc3fcea5399a73078f1' verified_report = [ { "violationId": "BC_GIT_2", @@ -53,8 +53,8 @@ def test_runner_verify_secrets_skip_all_no_effect(mock_bc_integration, mock_meta valid_dir_path = current_dir + "/resources/cfn" rel_resource_path = '/secret.yml' - resource_id = '25910f981e85ca04baf359199dd0bd4a3ae738b6' - second_resource_id = 'd70eab08607a4d05faa2d0d6647206599e9abc65' + resource_id = '3472e46be802575792c8ddc3fcea5399a73078f1' + second_resource_id = 'a8a2f5d0efa444d71973792b14df2e05c00458c4' verified_report = [ { "violationId": "BC_GIT_2",
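Review bot: The new `resource_id` and `second_resource_id` literals are opaque 40-hex strings with nothing tying them to the fixture they describe. They change in this commit together with the values in resources/cfn/secret.yml, so they are presumably digests derived from those values. The first literal is repeated in the second hunk (`test_runner_verify_secrets_skip_all_no_effect`). Add a comment on each assignment, such as `# digest of a secret value in resources/cfn/secret.yml; recompute when the fixture changes`, or use one module-level constant shared by both tests, so the next fixture edit is easier to follow. Which id belongs to which key is not visible here, and both function bodies continue outside the hunks.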