Update aws access keys (#221)

tsmithv11 · web-flow · commit 74ba49d75eb9 · 2024-10-06T09:16:27.000+03:00
diff --git a/detect_secrets/plugins/aws.py b/detect_secrets/plugins/aws.py
@@ -25,10 +25,10 @@ class AWSKeyDetector(RegexBasedDetector):
     secret_keyword = r'(?:key|pwd|pw|password|pass|token)'
 
     denylist = (
-        re.compile(r'AKIA[0-9A-Z]{16}'),
+        re.compile(r'(?:A3T[A-Z0-9]|ABIA|ACCA|AKIA|ASIA)[0-9A-Z]{16}'),
 
         # This examines the variable name to identify AWS secret tokens.
-        # The order is important since we want to prefer finding `AKIA`-based
+        # The order is important since we want to prefer finding access
         # keys (since they can be verified), rather than the secret tokens.
 
         re.compile(
@@ -99,7 +99,10 @@ def verify_aws_secret_access_key(key: str, secret: str) -> bool:  # pragma: no c
     }
 
     # Step #1: Canonical Request
-    signed_headers = ';'.join(header.lower() for header in headers)
+    signed_headers = ';'.join(
+        header.lower()
+        for header in headers
+    )
     canonical_request = textwrap.dedent("""
         POST
         /
diff --git a/tests/plugins/aws_key_test.py b/tests/plugins/aws_key_test.py
@@ -32,6 +32,22 @@ def setup_method(self):
                 'AKIAZZZ',
                 False,
             ),
+            (
+                'A3T0ZZZZZZZZZZZZZZZZ',
+                True,
+            ),
+            (
+                'ABIAZZZZZZZZZZZZZZZZ',
+                True,
+            ),
+            (
+                'ACCAZZZZZZZZZZZZZZZZ',
+                True,
+            ),
+            (
+                'ASIAZZZZZZZZZZZZZZZZ',
+                True,
+            ),
             (
                 'aws_access_key = "{}"'.format(EXAMPLE_SECRET),
                 True,
