Hi @Gby56,
We had a look at the example you submitted, thanks for opening this issue.
The engine does not raise an alert indeed. Yet, your explanation is not exactly right. The case you described happens because we apply a validation on the context of the secret to verify the secret is not made of some random text that happens to match the AWS key pattern. The content you sent very much looks like random text. If you were to include any characters, as long as they include non-text characters, in the close context of the secret, then an alert would be raised. For instance:
a = b
AKIAJIPU77TQL5LB6OIB
8Mw77pe6Ua9wr56f6lr069rDPTDWeUvV0q6ZS+6N
We are looking into improving this. I'll keep you updated as soon as we have results on this topic.
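To make the context heuristic described above concrete, here is an added Python sketch that is my own illustration, not ggshield's code: it matches the AWS key-id and secret patterns from the thread's example and suppresses a hit when the surrounding lines, with the candidate tokens removed, contain only letters, digits and whitespace. The two-line window, the character classes and the `require_context` switch are assumptions of this sketch, not ggshield behaviour.

```python
import re

# Illustrative detector only (NOT ggshield's implementation). It mimics the
# behaviour the maintainer describes: a pattern match is suppressed when the
# close context looks like plain random text.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
AWS_SECRET = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
# Assumed definition of "text-like": only letters, digits and whitespace.
TEXT_ONLY = re.compile(r"^[A-Za-z0-9\s]*$")


def strip_candidates(line):
    """Remove the candidate tokens so only their surroundings are judged."""
    return AWS_SECRET.sub("", AWS_KEY_ID.sub("", line))


def context_has_non_text(lines, idx, window=2):
    """True if a line within +/-window of idx has a non-text character
    (e.g. '=', '_', ':') once the candidate secrets are stripped out."""
    lo, hi = max(0, idx - window), min(len(lines), idx + window + 1)
    return any(not TEXT_ONLY.match(strip_candidates(l)) for l in lines[lo:hi])


def scan(content, require_context=True):
    """Return [(line_no, kind)] findings. With require_context=False every
    pattern match is reported, which is the behaviour the reporter expects."""
    lines = content.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for kind, pat in (("aws_key_id", AWS_KEY_ID), ("aws_secret", AWS_SECRET)):
            if not pat.search(line):
                continue
            if require_context and not context_has_non_text(lines, i):
                continue  # surrounded by text only: treated as random text
            findings.append((i + 1, kind))
    return findings


# Constructed inputs using the fake key/secret quoted in this thread.
BARE = "AKIAJIPU77TQL5LB6OIB\n8Mw77pe6Ua9wr56f6lr069rDPTDWeUvV0q6ZS+6N\n"
WITH_CTX = "a = b\n" + BARE
ENV_STYLE = ("AWS_ACCESS_KEY_ID=AKIAJIPU77TQL5LB6OIB\n"
             "AWS_SECRET_ACCESS_KEY=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\n")

if __name__ == "__main__":
    print("bare file:", scan(BARE))          # []  (suppressed)
    print("with 'a = b':", scan(WITH_CTX))   # [(2, 'aws_key_id'), (3, 'aws_secret')]
    print("env style:", scan(ENV_STYLE))     # [(1, 'aws_key_id'), (2, 'aws_secret')]
```

The sketch shows the trade-off at the heart of this issue: the context filter removes hits on random text, but a file holding nothing except a bare key pair is silently missed unless the filter is bypassed.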
Got it! I understand, yes; we had a few people playing with it internally and were surprised to see it not triggered.
I would expect that a random string that exactly fits an AWS key (exact length, on a single line) would trigger an alert 🤔
Maybe the tool could flag things and suggest a way to ignore the finding in the CLI output, so even if it's a false positive it's not too noisy?
GitGuardian Shield Version
2.72.0
Command executed
Simply add a txt file with a fake AWS key (found on Google) with
Then
ggshield scan -v --all-policies path lol.txt
This won't find anything...
Try the same, with a few pointers:
And this will work.
Describe the bug
There really seems to be a problem in the sensitivity system, ggshield definitely isn't built with a "clues" system that adds weight depending on the findings it has.
An AWS key should always get caught no matter the prefix, especially if the pair key+secret is in the same file imo.
Expected behavior
ggshield should flag secrets without needing pointers for "password" or "key", especially for such common use cases like AWS keys.