Merge pull request #4 from cloudbees/upgrade_from_upstream

a-ruff · web-flow · commit 7490d3c78d96 · 2025-12-08T14:05:18.000+01:00
[PRODSEC-4106] updates from upstream
diff --git a/README.rst b/README.rst
@@ -163,6 +163,7 @@ Each of these options must appear first on the command line.
     checks are added:
 
     - AWS Access Key IDs via ``(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}``
+    - Amazon Bedrock API keys. Long-lived via ``ABSK[A-Za-z0-9+/]{109,}=*`` and short-lived via ``bedrock-api-key-YmVkcm9jay5hbWF6b25hd3MuY29t``
     - AWS Secret Access Key assignments via ":" or "=" surrounded by optional
       quotes
     - AWS account ID assignments via ":" or "=" surrounded by optional quotes
diff --git a/git-secrets b/git-secrets
@@ -270,6 +270,8 @@ register_aws() {
   local opt_quote="${quote}?"
   add_config 'secrets.providers' 'git secrets --aws-provider'
   add_config 'secrets.patterns' '(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'
+  add_config 'secrets.patterns' 'ABSK[A-Za-z0-9+/]{109,}=*' #Bedrock long-lived - https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-generate.html
+  add_config 'secrets.patterns' 'bedrock-api-key-YmVkcm9jay5hbWF6b25hd3MuY29t' #Bedrock short-lived - https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-generate.html
   add_config 'secrets.patterns' "${opt_quote}${aws}(SECRET|secret|Secret)?_?(ACCESS|access|Access)?_?(KEY|key|Key)${opt_quote}${connect}${opt_quote}[A-Za-z0-9/\+=]{40}${opt_quote}"
   add_config 'secrets.patterns' "${opt_quote}${aws}(ACCOUNT|account|Account)_?(ID|id|Id)?${opt_quote}${connect}${opt_quote}[0-9]{4}\-?[0-9]{4}\-?[0-9]{4}${opt_quote}"
   add_config 'secrets.allowed' 'AKIAIOSFODNN7EXAMPLE'
@@ -391,9 +393,9 @@ case "${COMMAND}" in
   --scan-history) scan_with_fn_or_die "scan_history" "$@" ;;
   --list)
     if [ ${GLOBAL} -eq 1 ]; then
-      git config --global --get-regex secrets.*
+      git config --global --get-regex 'secrets.*'
     else
-      git config --get-regex secrets.*
+      git config --get-regex 'secrets.*'
     fi
     ;;
   --install)
diff --git a/git-secrets.1 b/git-secrets.1
@@ -276,6 +276,8 @@ checks are added:
 .IP \(bu 2
 AWS Access Key IDs via \fB(A3T[A\-Z0\-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A\-Z0\-9]{16}\fP
 .IP \(bu 2
+Amazon Bedrock API keys. Long\-lived via \fBABSK[A-Za-z0-9+/]{109,}=*\fP and short\-lived via \fBbedrock\-api\-key\-YmVkcm9jay5hbWF6b25hd3MuY29t\fP
+.IP \(bu 2
 AWS Secret Access Key assignments via ":" or "=" surrounded by optional
 quotes
 .IP \(bu 2
diff --git a/test/git-secrets.bats b/test/git-secrets.bats
@@ -281,6 +281,8 @@ load test_helper
   echo "$output" | grep -F '(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'
   echo "$output" | grep "AKIAIOSFODNN7EXAMPLE"
   echo "$output" | grep "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+  echo "$output" | grep -F 'ABSK[A-Za-z0-9+/]{109,}=*'
+  echo "$output" | grep -F 'bedrock-api-key-YmVkcm9jay5hbWF6b25hd3MuY29t'
 }
 
 @test "Adds providers" {

Original file line number	Diff line number	Diff line change
`@@ -281,6 +281,8 @@ load test_helper`
`281`	`281`	`echo "$output" \| grep -F '(A3T[A-Z0-9]\|AKIA\|AGPA\|AIDA\|AROA\|AIPA\|ANPA\|ANVA\|ASIA)[A-Z0-9]{16}'`
`282`	`282`	`echo "$output" \| grep "AKIAIOSFODNN7EXAMPLE"`
`283`	`283`	`echo "$output" \| grep "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"`
	`284`	`+ echo "$output" \| grep -F 'ABSK[A-Za-z0-9+/]{109,}=*'`
	`285`	`+ echo "$output" \| grep -F 'bedrock-api-key-YmVkcm9jay5hbWF6b25hd3MuY29t'`
`284`	`286`	`}`
`285`	`287`
`286`	`288`	`@test "Adds providers" {`