From ae134a9b3884c5fedaad1400863374e2c8c6897e Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Thu, 11 Jan 2024 14:00:33 +0600
Subject: [PATCH] fix(secret): find aws secrets ending with a comma or dot (#5921)
---
 pkg/fanal/secret/builtin-rules.go | 2 +-
 pkg/fanal/secret/scanner_test.go | 8 ++++----
 pkg/fanal/secret/testdata/aws-secrets.txt | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
index 94da8a3b722a..e93640fcebea 100644
--- a/pkg/fanal/secret/builtin-rules.go
+++ b/pkg/fanal/secret/builtin-rules.go
@@ -76,7 +76,7 @@ const (
 quote = `["']?`
 connect = `\s*(:|=>|=)?\s*`
 startSecret = `(^|\s+)`
- endSecret = `(\s+|$)`
+ endSecret = `[.,]?(\s+|$)`
 aws = `aws_?`
 )
diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
index 7f11c6731ac5..c6567cc28b2d 100644
--- a/pkg/fanal/secret/scanner_test.go
+++ b/pkg/fanal/secret/scanner_test.go
@@ -429,7 +429,7 @@ func TestSecretScanner(t *testing.T) {
 Severity: "CRITICAL",
 StartLine: 5,
 EndLine: 5,
- Match: `aws_sec_key "****************************************"`,
+ Match: ` "created_by": "ENV aws_sec_key "****************************************",`,
 Code: types.Code{
 Lines: []types.Line{
 {
@@ -444,8 +444,8 @@ func TestSecretScanner(t *testing.T) {
 },
 {
 Number: 5,
- Content: "aws_sec_key \"****************************************\"",
- Highlighted: "aws_sec_key \"****************************************\"",
+ Content: " \"created_by\": \"ENV aws_sec_key \"****************************************\",",
+ Highlighted: " \"created_by\": \"ENV aws_sec_key \"****************************************\",",
 IsCause: true,
 FirstCause: true,
 LastCause: true,
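Review bot: `[.,]?` in the new `endSecret` tolerates only a trailing comma or period, so a secret followed by `;`, `)`, `]` or `}` (the last member of a JSON object, `"…"}`, or a Go/JS call argument, `"…")`) is still not matched, and for a secret scanner that is a silent false negative. RE2 has no lookahead, so an optional terminator class is the right tool, but it should cover the delimiters that commonly follow a string literal, e.g. extend the class to `[.,;)\]}]?` and keep the rest of the pattern, with a testdata line exercising at least one of the new delimiters. The constant is presumably reused by every rule composed from these building blocks, so both the fix and the gap apply beyond the AWS rules exercised in the tests. A comment on the line, `// endSecret tolerates one trailing delimiter so secrets embedded in JSON/YAML values are still matched`, would record the intent for the next reader. The enclosing const block starts before the hunk.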
@@ -662,7 +662,7 @@ func TestSecretScanner(t *testing.T) {
 inputFilePath: filepath.Join("testdata", "aws-secrets.txt"),
 want: types.Secret{
 FilePath: filepath.Join("testdata", "aws-secrets.txt"),
- Findings: []types.SecretFinding{wantFinding5, wantFinding9, wantFinding10},
+ Findings: []types.SecretFinding{wantFinding5, wantFinding10, wantFinding9},
 },
 },
 {
diff --git a/pkg/fanal/secret/testdata/aws-secrets.txt b/pkg/fanal/secret/testdata/aws-secrets.txt
index 7739ce9bfb79..737708284303 100644
--- a/pkg/fanal/secret/testdata/aws-secrets.txt
+++ b/pkg/fanal/secret/testdata/aws-secrets.txt
@@ -2,4 +2,4 @@ AWS_ACCESS_KEY_ID=AKIA0123456789ABCDEF
 "aws_account_ID":'1234-5678-9123'
 AWS_example=AKIAIOSFODNN7EXAMPLE
-aws_sec_key "KEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYK"
\ No newline at end of file
+ "created_by": "ENV aws_sec_key "KEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYK",
\ No newline at end of file
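Review bot: The expected `Findings` order is swapped from (5, 9, 10) to (5, 10, 9) without a word on why, so the test now pins whatever ordering the scanner happens to emit; presumably it changed because finding 9's match now starts at the beginning of the line, but nothing in the hunk says so. If the order of findings is not part of the scanner's contract, an order-insensitive comparison would make this case robust against future regex tweaks; if it is, a short comment on the `Findings` line stating what determines the order (line, column, rule) would spare the next reader from guessing. The enclosing test-case table continues outside the hunk.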