diff --git a/Pipfile b/Pipfile index 1734ee09b4..f11ea22e69 100644 --- a/Pipfile +++ b/Pipfile @@ -43,7 +43,6 @@ types-colorama = "<0.5.0,>=0.4.3" # REMINDER: Update "install_requires" deps on setup.py when changing # bc-python-hcl2 = "==0.4.2" -bc-detect-secrets = "==1.5.41" bc-jsonpath-ng = "==1.6.1" pycep-parser = "==0.5.1" tabulate = ">=0.9.0,<0.10.0" @@ -85,6 +84,7 @@ license-expression = ">=30.1.0,<31.0.0" rustworkx = ">=0.13.0,<1.0.0" pydantic = ">=2.0.0,<3.0.0" asteval = "==1.0.5" +bc-detect-secrets = "==1.5.44" [requires] python_version = "3.8" diff --git a/Pipfile.lock b/Pipfile.lock index 32d1d6c77e..5acd67af77 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "12102ebe1a3e1d9cc600f3837fe74263e4395938b899144c29444a0a3713a23e" + "sha256": "f9e2283dfbeb7355ccb6b4ea04837ff64516e3d0389eed48554afcf5573bc606" }, "pipfile-spec": 6, "requires": { @@ -173,14 +173,6 @@ "markers": "python_version >= '3.8'", "version": "==1.0.5" }, - "async-timeout": { - "hashes": [ - "sha256:39e3809566ff85354557ec2398b55e096c8364bacac9405a7a1fa429e77fe76c", - "sha256:d9321a7a3d5a6a5e187e824d2fa0793ce379a202935782d555d6e9d2735677d3" - ], - "markers": "python_version >= '3.8'", - "version": "==5.0.1" - }, "attrs": { "hashes": [ "sha256:427318ce031701fea540783410126f03899a97ffc6f61596ad581ac2e40e3bc3", @@ -191,12 +183,12 @@ }, "bc-detect-secrets": { "hashes": [ - "sha256:4bd08292a975bfc9b95771e118dd1131e1afbd479610eb29e4e0c15bd33677fc", - "sha256:629df912f2a4f4d5039cc1fece906c34700586f7db1ae6a8d1c830c25df6db9b" + "sha256:0ab63d6c4f6680ec2dbe42cc3c63480568c55dbb6254afcc5bb6d4375a4e1d27", + "sha256:bebd82c56055c600335f85db95f7ca3b434087f16292a0396a60705de1b94183" ], "index": "pypi", "markers": "python_version >= '3.8'", - "version": "==1.5.41" + "version": "==1.5.44" }, "bc-jsonpath-ng": { "hashes": [ 
@@ -689,22 +681,6 @@
 "markers": "python_version >= '3.8'",
 "version": "==7.2.1"
 },
-"importlib-resources": {
-"hashes": [
-"sha256:980862a1d16c9e147a59603677fa2aa5fd82b87f223b6cb870695bcfce830065",
-"sha256:ac29d5f956f01d5e4bb63102a5a19957f1b9175e45649977264a1416783bb717"
-],
-"markers": "python_version >= '3.8'",
-"version": "==6.4.5"
-},
-"isodate": {
-"hashes": [
-"sha256:28009937d8031054830160fce6d409ed342816b543597cece116d966c6d99e15",
-"sha256:4cd1aa0f43ca76f4a6c6c0292a85f40b35ec2e43e315b59f06e6d32171a953e6"
-],
-"markers": "python_version >= '3.7'",
-"version": "==0.7.2"
-},
 "jinja2": {
 "hashes": [
 "sha256:0137fb05990d35f1275a587e9aee6d56da821fc83491a0fb838183be43f66d6d",
@@ -1082,14 +1058,6 @@
 "markers": "python_version >= '3.7'",
 "version": "==23.2"
 },
-"pkgutil-resolve-name": {
-"hashes": [
-"sha256:357d6c9e6a755653cfd78893817c0853af365dd51ec97f3d358a819373bbd174",
-"sha256:ca27cc078d25c5ad71a9de0a7a330146c4e014c2462d9af19c6b828280649c5e"
-],
-"markers": "python_version >= '3.6'",
-"version": "==1.3.10"
-},
 "ply": {
 "hashes": [
 "sha256:00c7c1aaa88358b9c765b6d3000c6eec0ba42abca5351b095321aef446081da3",
@@ -1905,11 +1873,11 @@
 },
 "urllib3": {
 "hashes": [
-"sha256:0ed14ccfbf1c30a9072c7ca157e4319b70d65f623e91e7b32fadb2853431016e",
-"sha256:40c2dc0c681e47eb8f90e7e27bf6ff7df2e677421fd46756da1161c39ca70d32"
+"sha256:414bc6535b787febd7567804cc015fee39daab8ad86268f1310a9250697de466",
+"sha256:4e16665048960a0900c702d4a66415956a584919c03361cac9f1df5c5dd7e813"
 ],
-"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'",
-"version": "==1.26.20"
+"markers": "python_version >= '3.9'",
+"version": "==2.4.0"
 },
 "wcwidth": {
 "hashes": [
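Review bot: The new `urllib3` entry carries `"markers": "python_version >= '3.9'"` and pins `2.4.0`, while the Pipfile changed in this same commit still declares `python_version = "3.8"`; under a 3.8 interpreter that marker evaluates false, so a sync from this lock would skip urllib3 and leave anything that depends on it unsatisfied. The removed `importlib-resources` and `pkgutil-resolve-name` entries are typically 3.8-only backports, which suggests the lock was regenerated on a newer interpreter than the declared one. Either regenerate the lock under Python 3.8 or raise `[requires] python_version` to match, so the lock stays reproducible for the runtime the project says it supports.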
@@ -2192,19 +2160,19 @@
 "s3"
 ],
 "hashes": [
-"sha256:8a65fdcf344dc6a071d500e3c68bf11c3d14bdb900a3ffe036c445c068b018ee",
-"sha256:9106bc4a0682b1db2a7f74a87de2cf1cc9aa70b6d068a469410ea4ea0293c88c"
+"sha256:c39a80a0c986ef19e98976802007cea4fac6eec91569581a00556d40d931e5c5",
+"sha256:d85890ea95a1789e36f7af304a2a4c1d8ec0d7149dfe1ac57ccea88b89d5f848"
 ],
 "markers": "python_version >= '3.8'",
-"version": "==1.38.12"
+"version": "==1.38.16"
 },
 "botocore-stubs": {
 "hashes": [
-"sha256:d8656b6be20208fbbfd42fdee81b8c5374c8ae317a0046df6c155140a606a57e",
-"sha256:e25cda287d65f9460cce4f3489e3d9842a8920688cc8d0790bc0b5ed7ee5bc10"
+"sha256:48ec6eb6c38923d0e0f9494e72c869462ab5ffd3578b91cd2d91fd94d361e03c",
+"sha256:492c7bb397d57d38a27cb8b27bfd1644a717bfd654ea613a60b4be23375c1357"
 ],
 "markers": "python_version >= '3.8'",
-"version": "==1.38.12"
+"version": "==1.38.16"
 },
 "certifi": {
 "hashes": [
@@ -2427,11 +2395,11 @@
 },
 "exceptiongroup": {
 "hashes": [
-"sha256:3111b9d131c238bec2f8f516e123e14ba243563fb135d3fe885990585aa7795b",
-"sha256:47c2edf7c6738fafb49fd34290706d1a1a2f4d1c6df275526b62cbb4aa5393cc"
+"sha256:4d111e6e0c13d0644cad6ddaa7ed0261a0b36971f6d23e7ec9b4b9097da78a10",
+"sha256:b241f5885f560bc56a59ee63ca4c6a8bfa46ae4ad651af316d4e81817bb9fd88"
 ],
 "markers": "python_version >= '3.7'",
-"version": "==1.2.2"
+"version": "==1.3.0"
 },
 "execnet": {
 "hashes": [
@@ -3384,11 +3352,11 @@
 },
 "types-awscrt": {
 "hashes": [
-"sha256:176d320a26990efc057d4bf71396e05be027c142252ac48cc0d87aaea0704280",
-"sha256:aca96f889b3745c0e74f42f08f277fed3bf6e9baa2cf9b06a36f78d77720e504"
+"sha256:3c2bee52ee45022daaf4f106d5d1b5f0ff0a8e3e6093dda65f5315b7669bc418",
+"sha256:e86b83d0fd8c770f985b8c458c28e232dae9adee0689d0a9671868a8bf397b0a"
 ],
 "markers": "python_version >= '3.8'",
-"version": "==0.26.1"
+"version": "==0.27.1"
 },
 "types-cachetools": {
 "hashes": [
diff --git a/setup.py b/setup.py
index bc75fa2e8b..de44feeb7e 100644
--- a/setup.py
+++ b/setup.py
@@ -66,7 +66,7 @@ def run(self) -> None:
 },
 install_requires=[
 "bc-python-hcl2==0.4.2",
-"bc-detect-secrets==1.5.41",
+"bc-detect-secrets==1.5.44",
 "bc-jsonpath-ng==1.6.1",
 "pycep-parser==0.5.1",
 "tabulate>=0.9.0,<0.10.0",
diff --git a/tests/secrets/resources/cfn/secret-no-false-positive.yml b/tests/secrets/resources/cfn/secret-no-false-positive.yml
index 012ab3a6d7..9214b6a8e3 100644
--- a/tests/secrets/resources/cfn/secret-no-false-positive.yml
+++ b/tests/secrets/resources/cfn/secret-no-false-positive.yml
@@ -19,4 +19,4 @@ no False Positive - where it's not an actual secret
 check1 = {'blabla': 'blabla1'}
 check2 = {'blabla': 'blabla2'}
 check1['some_key_1235#$@'] = check2.get('some_value_1235')
-not_a_secr_k = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
\ No newline at end of file
+not_a_secr_k = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPL3KEY"
diff --git a/tests/secrets/resources/cfn/secret.yml b/tests/secrets/resources/cfn/secret.yml
index b6c0cd7ba4..87f146f064 100644
--- a/tests/secrets/resources/cfn/secret.yml
+++ b/tests/secrets/resources/cfn/secret.yml
@@ -14,8 +14,8 @@ Resources:
 console.log("Hello World");
 Environment:
 Variables:
-access_key: "AKIAIOSFODNN7EXAMPLE"
-secret_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+access_key: "AKIAIOSFODNN7EXAMPL3"
+secret_key: "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"
 Tags:
 - Key: Name
 Value: !Sub "${AWS::AccountId}-${CompanyName}-${Environment}-analysis"
diff --git a/tests/secrets/resources/file_type/Dockerfile b/tests/secrets/resources/file_type/Dockerfile
index d575ab12fc..b4d34c7053 100644
--- a/tests/secrets/resources/file_type/Dockerfile
+++ b/tests/secrets/resources/file_type/Dockerfile
@@ -5,9 +5,9 @@ RUN apt install first_update_line \ RUN apt update second_update_line RUN apt update third_update_line USER bob -ENV AWS_ACCESS_KEY_ID="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" -ENV AWS_SECRET_ACCESS_KEY="AKIAIOSFODNN7EXAMPLE" +ENV AWS_ACCESS_KEY_ID="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPL3KEY" +ENV AWS_SECRET_ACCESS_KEY="AKIAIOSFODNN7EXAMPL3" HEALTHCHECK --interval=5m --timeout=3s \ CMD curl -f http://localhost/ || exit 1 -~ \ No newline at end of file +~ diff --git a/tests/secrets/resources/file_type/Dockerfile.simple b/tests/secrets/resources/file_type/Dockerfile.simple index 3c9c59b4d6..8eed6c5363 100644 --- a/tests/secrets/resources/file_type/Dockerfile.simple +++ b/tests/secrets/resources/file_type/Dockerfile.simple @@ -1,5 +1,5 @@ FROM base -ENV AWS_ACCESS_KEY_ID="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" -ENV AWS_SECRET_ACCESS_KEY="AKIAIOSFODNN7EXAMPLE" +ENV AWS_ACCESS_KEY_ID="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPL3KEY" +ENV AWS_SECRET_ACCESS_KEY="AKIAIOSFODNN7EXAMPL3" -RUN apk update \ No newline at end of file +RUN apk update diff --git a/tests/secrets/resources/file_type/test.py b/tests/secrets/resources/file_type/test.py index 0f5c798d28..ea8b87b03b 100644 --- a/tests/secrets/resources/file_type/test.py +++ b/tests/secrets/resources/file_type/test.py @@ -7,6 +7,6 @@ access_key = "AKIAIOSFODNN7EXAMPLE" -secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" +secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPL3KEY" if __name__ == '__main__': print('secrets') \ No newline at end of file diff --git a/tests/secrets/resources/file_type/test.ts b/tests/secrets/resources/file_type/test.ts index 66509634c4..4f38f2b6bb 100644 --- a/tests/secrets/resources/file_type/test.ts +++ b/tests/secrets/resources/file_type/test.ts 
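Review bot: The rewritten `ENV` lines keep the two values crossed: `AWS_ACCESS_KEY_ID` is given the 40-character secret-key-shaped string and `AWS_SECRET_ACCESS_KEY` the `AKIA…` key-ID-shaped one, so neither variable holds the kind of value its name denotes. If the detector's keyword or entropy heuristics look at the variable name as well as the value, the fixture may not be exercising the case it appears to; unless the swap is deliberate, I would write `ENV AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPL3"` and `ENV AWS_SECRET_ACCESS_KEY="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"`, or add a comment stating that the swap is intended. The same crossed assignment appears in the `Dockerfile.simple` hunk that follows.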
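Review bot: In `test.py` the context line `access_key = "AKIAIOSFODNN7EXAMPLE"` keeps the AWS documentation sample key ID while only `secret_key` is rotated to the `EXAMPL3` variant, whereas the cfn fixtures in this commit change both values together. The commit carries no description, but the bump to bc-detect-secrets 1.5.44 alongside these edits suggests the new release treats the published sample credentials differently; if so, this fixture and `test.ts` now mix an untouched sample ID with a modified secret and their expected finding counts may no longer line up with the other fixtures. Either rotate the ID as well (`access_key = "AKIAIOSFODNN7EXAMPL3"`) or add a comment saying the original ID is intentionally kept as a negative case.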
@@ -1,5 +1,5 @@ const access_key = "AKIAIOSFODNN7EXAMPLE" -const secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" +const secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPL3KEY" function compact(arr: string[]) { if (arr.length > 10) return arr.slice(0, 10) diff --git a/tests/secrets/resources/terraform_skip/main.tf b/tests/secrets/resources/terraform_skip/main.tf index d775e7b6fa..2ea7917968 100644 --- a/tests/secrets/resources/terraform_skip/main.tf +++ b/tests/secrets/resources/terraform_skip/main.tf @@ -26,7 +26,7 @@ resource "aws_lambda_function" "wrong_skip" { environment { variables = { - access_key = "AKIAIOS3F6KN7EXAMPLE" #checkov:skip=CKV_SECRET_5:wrong check id + access_key = "AKIAIOS3F6KN7EXAMPL3" #checkov:skip=CKV_SECRET_5:wrong check id secret_key = "" } } diff --git a/tests/secrets/sanity/secrets/true_positive.json b/tests/secrets/sanity/secrets/true_positive.json index 6ff1dc325e..c525874dea 100644 --- a/tests/secrets/sanity/secrets/true_positive.json +++ b/tests/secrets/sanity/secrets/true_positive.json @@ -1,6 +1,6 @@ { "SA_PASSWORD": "DEV-we-954", - "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", + "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPL3KEY", "my_new_password": "F322a45xxmwov9bpgRhyuByXj2nxz7khS6yXQmfSaQCmwbTF2jpfgC56az3a", "test_pass": "z2b7k2cQfzc+yjP2K8cjuQ8uoorHBpEvC+XWhU3Z5+IdrPQYwr991Lj73xfZ+RA2GzC0wTedDTvb1C2NX+3Gpw==", "pg_pass": "sup1rstr0ngpass2ForTT", diff --git a/tests/secrets/test_secrets_verification_suppressions.py b/tests/secrets/test_secrets_verification_suppressions.py index db894402e5..ca2ac0f7a8 100644 --- a/tests/secrets/test_secrets_verification_suppressions.py +++ b/tests/secrets/test_secrets_verification_suppressions.py 
@@ -12,7 +12,7 @@ def test_runner_verify_secrets_skip_invalid_suppressed(mock_bc_integration, mock valid_dir_path = current_dir + "/resources/cfn" rel_resource_path = '/secret.yml' - resource_id = '25910f981e85ca04baf359199dd0bd4a3ae738b6' + resource_id = '3472e46be802575792c8ddc3fcea5399a73078f1' verified_report = [ { "violationId": "BC_GIT_2", @@ -53,8 +53,8 @@ def test_runner_verify_secrets_skip_all_no_effect(mock_bc_integration, mock_meta valid_dir_path = current_dir + "/resources/cfn" rel_resource_path = '/secret.yml' - resource_id = '25910f981e85ca04baf359199dd0bd4a3ae738b6' - second_resource_id = 'd70eab08607a4d05faa2d0d6647206599e9abc65' + resource_id = '3472e46be802575792c8ddc3fcea5399a73078f1' + second_resource_id = 'a8a2f5d0efa444d71973792b14df2e05c00458c4' verified_report = [ { "violationId": "BC_GIT_2",
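Review bot: The replacement `resource_id` literals are bare hex digests with nothing recording how they were produced; they change in lockstep with the `secret_key` value in `resources/cfn/secret.yml`, which suggests they are derived from the fixture content, but a reader of the test cannot tell that or regenerate them. A comment above the assignment such as `# resource_id: identifier reported for the secret in resources/cfn/secret.yml; recompute when that fixture changes` would make the coupling explicit, and the same applies to `second_resource_id` in the second hunk. Both test functions continue past their hunks.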