
Remove IAM identifiers for non-credential resources in the aws-access-token rule (#1307)

* Remove IAM identifiers for non-credential resources

Only detects: 
AWS STS service bearer token
Context-specific credential
Access key
Temporary (AWS STS) access key IDs use this prefix, but are unique only in combination with the secret access key and the session token.

* Update gitleaks.toml

* Update testdata

* Update tests
Kieran Smith hai 2 anos
pai
achega
76c9e3175b

+ 3 - 7
cmd/generate/config/rules/aws.go

@@ -12,16 +12,12 @@ func AWS() *config.Rule {
 		Description: "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms.",
 		RuleID:      "aws-access-token",
 		Regex: regexp.MustCompile(
-			"(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"),
+			"(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}"),
 		Keywords: []string{
 			"AKIA",
-			"AGPA",
-			"AIDA",
-			"AROA",
-			"AIPA",
-			"ANPA",
-			"ANVA",
 			"ASIA",
+			"ABIA",
+			"ACCA",
 		},
 	}
 
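Review bot: The new Regex line carries no comment explaining why AKIA, ASIA, ABIA and ACCA are the only prefixes kept, so the rationale that the commit message gives (the other prefixes are IAM resource identifiers, not credentials) will be lost to the next maintainer who wonders why AGPA or AROA no longer match. I would add above the `Regex:` field: `// Only credential-bearing prefixes are matched: AKIA (access key), ASIA (temporary STS key), ABIA (STS service bearer token), ACCA (context-specific credential).` followed by `// IAM resource identifiers (AGPA, AIDA, AROA, AIPA, ANPA, ANVA) are not secrets and are deliberately excluded to reduce false positives.` The same prefix list is also hard-coded as the Keywords slice directly below, so a future prefix change must touch both spots; a short note on Keywords pointing at the regex would help. The enclosing AWS() function starts and ends outside this hunk, so I cannot tell whether the rule's sample-secret test data further down was updated to drop the removed prefixes.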

+ 4 - 4
config/config_test.go

@@ -23,7 +23,7 @@ func TestTranslate(t *testing.T) {
 			cfg: Config{
 				Rules: map[string]Rule{"aws-access-key": {
 					Description: "AWS Access Key",
-					Regex:       regexp.MustCompile("(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"),
+					Regex:       regexp.MustCompile("(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}"),
 					Tags:        []string{"key", "AWS"},
 					Keywords:    []string{},
 					RuleID:      "aws-access-key",
@@ -41,7 +41,7 @@ func TestTranslate(t *testing.T) {
 			cfg: Config{
 				Rules: map[string]Rule{"aws-access-key": {
 					Description: "AWS Access Key",
-					Regex:       regexp.MustCompile("(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"),
+					Regex:       regexp.MustCompile("(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}"),
 					Tags:        []string{"key", "AWS"},
 					Keywords:    []string{},
 					RuleID:      "aws-access-key",
@@ -57,7 +57,7 @@ func TestTranslate(t *testing.T) {
 			cfg: Config{
 				Rules: map[string]Rule{"aws-access-key": {
 					Description: "AWS Access Key",
-					Regex:       regexp.MustCompile("(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"),
+					Regex:       regexp.MustCompile("(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}"),
 					Tags:        []string{"key", "AWS"},
 					Keywords:    []string{},
 					RuleID:      "aws-access-key",
@@ -97,7 +97,7 @@ func TestTranslate(t *testing.T) {
 				Rules: map[string]Rule{
 					"aws-access-key": {
 						Description: "AWS Access Key",
-						Regex:       regexp.MustCompile("(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"),
+						Regex:       regexp.MustCompile("(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}"),
 						Tags:        []string{"key", "AWS"},
 						Keywords:    []string{},
 						RuleID:      "aws-access-key",
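Review bot: The same regex literal is now repeated verbatim in four test cases of TestTranslate (the changed lines in all four hunks of this file), and this commit had to edit each copy; a package-level `const awsAccessKeyRegex = "(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}"` used as `Regex: regexp.MustCompile(awsAccessKeyRegex),` would make the next prefix change a one-line edit. This is a style point only; the expected values match the generated config. TestTranslate begins before the first hunk and continues after the last.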

+ 2 - 2
config/gitleaks.toml

@@ -124,9 +124,9 @@ keywords = [
 [[rules]]
 id = "aws-access-token"
 description = "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms."
-regex = '''(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+regex = '''(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}'''
 keywords = [
-    "akia","agpa","aida","aroa","aipa","anpa","anva","asia",
+    "akia","asia","abia","acca",
 ]
 
 [[rules]]

+ 1 - 1
testdata/config/allow_aws_re.toml

@@ -3,7 +3,7 @@ title = "simple config with allowlist for aws"
 [[rules]]
     description = "AWS Access Key"
     id = "aws-access-key"
-    regex = '''(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+    regex = '''(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}'''
     tags = ["key", "AWS"]
     [rules.allowlist]
         regexes = ['''AKIALALEMEL33243OLIA''']

+ 1 - 1
testdata/config/allow_commit.toml

@@ -3,7 +3,7 @@ title = "simple config with allowlist for a specific commit"
 [[rules]]
     description = "AWS Access Key"
     id = "aws-access-key"
-    regex = '''(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+    regex = '''(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}'''
     tags = ["key", "AWS"]
     [rules.allowlist]
         commits = ['''allowthiscommit''']

+ 1 - 1
testdata/config/allow_global_aws_re.toml

@@ -1,7 +1,7 @@
 [[rules]]
     description = "AWS Access Key"
     id = "aws-access-key"
-    regex = '''(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+    regex = '''(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}'''
     tags = ["key", "AWS"]
 
 [allowlist]

+ 1 - 1
testdata/config/allow_path.toml

@@ -3,7 +3,7 @@ title = "simple config with allowlist for .go files"
 [[rules]]
     description = "AWS Access Key"
     id = "aws-access-key"
-    regex = '''(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+    regex = '''(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}'''
     tags = ["key", "AWS"]
     [rules.allowlist]
         paths = ['''.go''']

+ 1 - 1
testdata/config/extend_1.toml

@@ -6,5 +6,5 @@ path="../testdata/config/extend_2.toml"
 [[rules]]
     description = "AWS Access Key"
     id = "aws-access-key"
-    regex = '''(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+    regex = '''(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}'''
     tags = ["key", "AWS"]

+ 1 - 1
testdata/config/simple.toml

@@ -4,7 +4,7 @@ title = "gitleaks config"
 [[rules]]
     description = "AWS Access Key"
     id = "aws-access-key"
-    regex = '''(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+    regex = '''(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}'''
     tags = ["key", "AWS"]
 
 [[rules]]

+ 1 - 1
testdata/expected/report/sarif_simple.sarif

@@ -13,7 +13,7 @@
        "id": "aws-access-key",
        "name": "AWS Access Key",
        "shortDescription": {
-        "text": "(?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}"
+        "text": "(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}"
        }
       },
       {