
Commit c1a9133

Alex HolmbergAlex793x
authored andcommitted
fix: improved security cmd, for further false positives in terms of:
bun.locks, .svg, img and binary files, which would often pop up with false positive key exposures
1 parent 0766968 commit c1a9133

6 files changed

Lines changed: 1021 additions & 106 deletions


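--- a/src/analyzer/security/config.rs
+++ b/src/analyzer/security/config.rs
@@ -85,25 +85,103 @@ impl Default for SecurityAnalysisConfig {
 "Spring Boot".to_string(),
 ],
 
-// File filtering
+// File filtering - Enhanced patterns to reduce false positives
 ignore_patterns: vec![
+// Dependencies and build artifacts
 "node_modules".to_string(),
 ".git".to_string(),
 "target".to_string(),
 "build".to_string(),
 ".next".to_string(),
 "coverage".to_string(),
 "dist".to_string(),
+".nuxt".to_string(),
+".output".to_string(),
+".vercel".to_string(),
+".netlify".to_string(),
+
+// Minified and bundled files
 "*.min.js".to_string(),
+"*.min.css".to_string(),
 "*.bundle.js".to_string(),
+"*.bundle.css".to_string(),
+"*.chunk.js".to_string(),
+"*.vendor.js".to_string(),
 "*.map".to_string(),
+
+// Lock files and package managers
 "*.lock".to_string(),
+"*.lockb".to_string(),
+"yarn.lock".to_string(),
+"package-lock.json".to_string(),
+"pnpm-lock.yaml".to_string(),
+"bun.lockb".to_string(),
+"cargo.lock".to_string(),
+"go.sum".to_string(),
+"poetry.lock".to_string(),
+"composer.lock".to_string(),
+"gemfile.lock".to_string(),
+
+// Asset files
+"*.jpg".to_string(),
+"*.jpeg".to_string(),
+"*.png".to_string(),
+"*.gif".to_string(),
+"*.bmp".to_string(),
+"*.svg".to_string(),
+"*.ico".to_string(),
+"*.webp".to_string(),
+"*.tiff".to_string(),
+"*.mp3".to_string(),
+"*.mp4".to_string(),
+"*.avi".to_string(),
+"*.mov".to_string(),
+"*.pdf".to_string(),
+"*.ttf".to_string(),
+"*.otf".to_string(),
+"*.woff".to_string(),
+"*.woff2".to_string(),
+"*.eot".to_string(),
+
+// Test and example files
 "*_sample.*".to_string(),
 "*example*".to_string(),
 "*test*".to_string(),
 "*spec*".to_string(),
 "*mock*".to_string(),
-"*.d.ts".to_string(), // TypeScript declaration files
+"*fixture*".to_string(),
+"test/*".to_string(),
+"tests/*".to_string(),
+"__test__/*".to_string(),
+"__tests__/*".to_string(),
+"spec/*".to_string(),
+"specs/*".to_string(),
+
+// Documentation
+"*.md".to_string(),
+"*.txt".to_string(),
+"*.rst".to_string(),
+"docs/*".to_string(),
+"documentation/*".to_string(),
+
+// IDE and editor files
+".vscode/*".to_string(),
+".idea/*".to_string(),
+".vs/*".to_string(),
+"*.swp".to_string(),
+"*.swo".to_string(),
+".DS_Store".to_string(),
+"Thumbs.db".to_string(),
+
+// TypeScript and generated files
+"*.d.ts".to_string(),
+"*.generated.*".to_string(),
+"*.auto.*".to_string(),
+
+// Framework-specific
+".angular/*".to_string(),
+".svelte-kit/*".to_string(),
+"storybook-static/*".to_string(),
 ],
 include_patterns: vec![], // Empty means include all (subject to ignore patterns)
 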
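Review bot: The default ignore list now skips `*.md`, `*.txt`, `*.rst`, `docs/*`, `test/*`, `tests/*` and the `*test*`/`*example*` globs, which removes exactly the places where real credentials tend to be pasted (READMEs, setup notes, integration-test fixtures), so a scan of such a repository reports clean instead of noisy. Lock files are a smaller form of the same trade-off: `package-lock.json`, `yarn.lock` and `cargo.lock` can carry private-registry or git URLs with embedded credentials, and `*.lock` plus the named lock files silence those too. Since this is the `Default` config, consider keeping documentation and test paths in scope and letting the per-pattern `false_positive_keywords` (already used in patterns.rs) absorb the noise, or at least document the gap on the field: `// NOTE: docs, text and test paths are skipped by default; secrets committed there are not reported`. Whether `*test*` also matches unrelated path components such as `attestation/` depends on how ignore_patterns are applied, which is outside this section; the enclosing `impl Default` also starts and ends outside it.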

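--- a/src/analyzer/security/patterns.rs
+++ b/src/analyzer/security/patterns.rs
@@ -197,12 +197,13 @@ impl SecretPatternManager {
 ToolPattern {
 tool_name: "AWS".to_string(),
 pattern_type: "access_key".to_string(),
-pattern: Regex::new(r#"AKIA[0-9A-Z]{16}"#)?,
+// More specific - must be in assignment context
+pattern: Regex::new(r#"(?i)(?:aws[_-]?access[_-]?key|access[_-]?key[_-]?id)\s*[:=]\s*["']?(AKIA[0-9A-Z]{16})["']?"#)?,
 severity: SecuritySeverity::Critical,
-description: "AWS access key ID (CRITICAL)".to_string(),
+description: "AWS access key ID in assignment (CRITICAL)".to_string(),
 public_safe: false,
 context_keywords: vec!["aws".to_string(), "access".to_string(), "key".to_string()],
-false_positive_keywords: vec![],
+false_positive_keywords: vec!["example".to_string(), "AKIAEXAMPLE".to_string()],
 },
 ToolPattern {
 tool_name: "AWS".to_string(),
@@ -212,7 +213,7 @@ impl SecretPatternManager {
 description: "AWS secret access key (CRITICAL)".to_string(),
 public_safe: false,
 context_keywords: vec!["aws".to_string(), "secret".to_string()],
-false_positive_keywords: vec![],
+false_positive_keywords: vec!["example".to_string(), "your_secret".to_string(), "placeholder".to_string()],
 },
 ]);
 
@@ -267,18 +268,20 @@ impl SecretPatternManager {
 GenericPattern {
 id: "bearer-token".to_string(),
 name: "Bearer Token".to_string(),
-pattern: Regex::new(r#"(?i)(?:authorization|bearer)\s*[:=]\s*["'](?:bearer\s+)?([A-Za-z0-9_-]{20,})["']"#)?,
+// More specific - exclude template literals and ensure it's a real assignment
+pattern: Regex::new(r#"(?i)(?:authorization|bearer)\s*[:=]\s*["'](?:bearer\s+)?([A-Za-z0-9_-]{32,})["'](?!\s*\$\{)"#)?,
 severity: SecuritySeverity::Critical,
 category: SecurityCategory::SecretsExposure,
-description: "Bearer token in authorization header".to_string(),
+description: "Bearer token in authorization header (excluding templates)".to_string(),
 },
 GenericPattern {
 id: "jwt-token".to_string(),
 name: "JWT Token".to_string(),
-pattern: Regex::new(r#"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"#)?,
+// More specific JWT pattern - must be properly formatted and in assignment context
+pattern: Regex::new(r#"(?i)(?:token|jwt|authorization|bearer)\s*[:=]\s*["']?eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}["']?"#)?,
 severity: SecuritySeverity::Medium,
 category: SecurityCategory::SecretsExposure,
-description: "JSON Web Token detected".to_string(),
+description: "JSON Web Token detected in assignment".to_string(),
 },
 GenericPattern {
 id: "database-url".to_string(),
@@ -299,10 +302,11 @@ impl SecretPatternManager {
 GenericPattern {
 id: "generic-api-key".to_string(),
 name: "Generic API Key".to_string(),
-pattern: Regex::new(r#"(?i)(?:api[_-]?key|apikey)\s*[:=]\s*["']([A-Za-z0-9_-]{20,})["']"#)?,
+// More specific - require longer keys and exclude common false positives
+pattern: Regex::new(r#"(?i)(?:api[_-]?key|apikey)\s*[:=]\s*["']([A-Za-z0-9_-]{32,})["']"#)?,
 severity: SecuritySeverity::High,
 category: SecurityCategory::SecretsExposure,
-description: "Generic API key pattern".to_string(),
+description: "Generic API key pattern (32+ characters)".to_string(),
 },
 ];
 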
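Review bot: The bearer-token pattern's new negative lookahead `(?!\s*\$\{)` is a problem on two counts: if `Regex` is the `regex` crate (its import is outside this section), lookaround is unsupported and `Regex::new` returns an Err that the trailing `?` propagates, so this constructor fails and none of the patterns in the list are loaded; and even on an engine that supports it, the lookahead inspects text after the closing quote, while a template literal's `${` sits inside backticks that `["']` never matches, so it excludes nothing. Dropping the lookahead keeps the intended tightening without that risk: `pattern: Regex::new(r#"(?i)(?:authorization|bearer)\s*[:=]\s*["'](?:bearer\s+)?([A-Za-z0-9_-]{32,})["']"#)?,`. The AWS and JWT changes in the first and third hunks trade recall for precision: an `AKIA…` key in a CLI command, a URL, or a field not named like `access_key` no longer matches at all, and the `AKIA` prefix plus 16 uppercase alphanumerics was already a specific signal, so keeping the context-free form at a lower severity alongside the new assignment-context pattern would preserve that coverage. Adding `example` to `false_positive_keywords` will also suppress real keys on any line that mentions that word, depending on how the keywords are applied, which is not visible here.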
