From 156567c44174eceaa4c1f9c4cde5aaae27d76f95 Mon Sep 17 00:00:00 2001
From: Darran Boyd
Date: Fri, 15 Aug 2025 13:25:36 +1000
Subject: [PATCH 1/2] feat: Amazon Bedrock API key patterns
---
 README.rst | 1 +
 git-secrets | 2 ++
 git-secrets.1 | 2 ++
 test/git-secrets.bats | 2 ++
 4 files changed, 7 insertions(+)
diff --git a/README.rst b/README.rst
index f308c7c..0ce3221 100644
--- a/README.rst
+++ b/README.rst
@@ -163,6 +163,7 @@ Each of these options must appear first on the command line.
 checks are added:
 - AWS Access Key IDs via ``(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}``
+ - Amazon Bedrock API keys. Long-lived via ``ABSK[A-Za-z0-9+/]{109,}=*`` and short-lived via ``bedrock-api-key-YmVkcm9jay5hbWF6b25hd3MuY29t``
 - AWS Secret Access Key assignments via ":" or "=" surrounded by optional quotes
 - AWS account ID assignments via ":" or "=" surrounded by optional quotes
diff --git a/git-secrets b/git-secrets
index bcf7ac8..a7ac035 100755
--- a/git-secrets
+++ b/git-secrets
@@ -270,6 +270,8 @@ register_aws() {
 local opt_quote="${quote}?"
 add_config 'secrets.providers' 'git secrets --aws-provider'
 add_config 'secrets.patterns' '(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'
+ add_config 'secrets.patterns' 'ABSK[A-Za-z0-9+/]{109,}=*' #Bedrock long-lived - https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-generate.html
+ add_config 'secrets.patterns' 'bedrock-api-key-YmVkcm9jay5hbWF6b25hd3MuY29t' #Bedrock short-lived - https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-generate.html
 add_config 'secrets.patterns' "${opt_quote}${aws}(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)${opt_quote}${connect}${opt_quote}[A-Za-z0-9/\+=]{40}${opt_quote}"
 add_config 'secrets.patterns' "${opt_quote}${aws}(ACCOUNT|account|Account)_?(ID|id|Id)?${opt_quote}${connect}${opt_quote}[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}${opt_quote}"
 add_config 'secrets.allowed' 'AKIAIOSFODNN7EXAMPLE'
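Review bot: The short-lived pattern registered in register_aws is a bare literal, so with `--register-aws` active every mention of `bedrock-api-key-YmVkcm9jay5hbWF6b25hd3MuY29t` is flagged, including the README and bats lines this same patch adds and any downstream documentation that only quotes the prefix. Suppressing that with a `secrets.allowed` entry, as `AKIAIOSFODNN7EXAMPLE` does for the sample access key, would be wrong here because an allowed prefix would also exempt a line holding a real key; requiring key material after the fixed part, e.g. `add_config 'secrets.patterns' 'bedrock-api-key-YmVkcm9jay5hbWF6b25hd3MuY29t[A-Za-z0-9+/=]+'`, stops the self-matches without missing real keys, if the remainder of a short-term key is base64 text (the linked AWS page should confirm this before the class is tightened). The trailing `#Bedrock long-lived - https://...` and `#Bedrock short-lived - https://...` comments make these two lines much longer than their neighbours; a single comment line above the pair citing the URL once would keep the pattern list readable. register_aws continues past the end of the hunk.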
diff --git a/git-secrets.1 b/git-secrets.1
index 3edb173..ad8c4c2 100644
--- a/git-secrets.1
+++ b/git-secrets.1
@@ -276,6 +276,8 @@ checks are added:
 .IP \(bu 2
 AWS Access Key IDs via \fB(A3T[A\-Z0\-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A\-Z0\-9]{16}\fP
 .IP \(bu 2
+Amazon Bedrock API keys. Long\-lived via \fBABSK[A-Za-z0-9+/]{109,}=*\fP and short\-lived via \fBbedrock\-api\-key\-YmVkcm9jay5hbWF6b25hd3MuY29t\fP
+.IP \(bu 2
 AWS Secret Access Key assignments via ":" or "=" surrounded by optional quotes
 .IP \(bu 2
diff --git a/test/git-secrets.bats b/test/git-secrets.bats
index d74c8df..8cd501f 100644
--- a/test/git-secrets.bats
+++ b/test/git-secrets.bats
@@ -281,6 +281,8 @@ load test_helper
 echo "$output" | grep -F '(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'
 echo "$output" | grep "AKIAIOSFODNN7EXAMPLE"
 echo "$output" | grep "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+ echo "$output" | grep -F 'ABSK[A-Za-z0-9+/]{109,}=*'
+ echo "$output" | grep -F 'bedrock-api-key-YmVkcm9jay5hbWF6b25hd3MuY29t'
 }
 @test "Adds providers" {
From 24622b38a22e92bc4c5fd9e54704ad515d5b13f8 Mon Sep 17 00:00:00 2001
From: Maxi Belarde
Date: Sat, 6 Dec 2025 17:17:02 +0100
Subject: [PATCH 2/2] [PRODSEC-4106] adds quotes on list argument
---
 git-secrets | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/git-secrets b/git-secrets
index a7ac035..1b18977 100755
--- a/git-secrets
+++ b/git-secrets
@@ -393,9 +393,9 @@ case "${COMMAND}" in
 --scan-history) scan_with_fn_or_die "scan_history" "$@" ;;
 --list)
 if [ ${GLOBAL} -eq 1 ]; then
- git config --global --get-regex secrets.*
+ git config --global --get-regex 'secrets.*'
 else
- git config --get-regex secrets.*
+ git config --get-regex 'secrets.*'
 fi
 ;;
 --install)
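Review bot: The two new `grep -F` assertions only prove that the Bedrock patterns show up in the `--list` output; nothing in this hunk checks that a value of the documented shape is actually rejected by a scan, so a mistake in the `[A-Za-z0-9+/]` class or the `{109,}` count would pass this test unnoticed. A companion scan case that writes a constructed value (`ABSK` followed by 109 filler characters and `=`, clearly not a real key) into the test repository and asserts that `git secrets --scan` exits non-zero on that file would pin the long-lived pattern, and the prefix plus a few base64 characters does the same for the short-lived one — unless such a case already exists elsewhere in the file, which this patch does not show. The enclosing `@test` block starts before the hunk.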
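Review bot: The now-quoted argument in both `--list` branches is still an unanchored regular expression in which `.` matches any character, so `git config --get-regex 'secrets.*'` also lists any configuration key whose name merely contains `secrets`, not just the `secrets.` section this tool owns. Anchoring it — `git config --global --get-regex '^secrets\.'` and `git config --get-regex '^secrets\.'` — keeps the protection against shell glob expansion that the quotes give while confining the output to the tool's own keys. The surrounding `case "${COMMAND}" in` statement starts and ends outside the hunk.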