fix(secret): add prefix to exclude 0-9a-zA-Z before secret

[DmitriyLewen]

Description

We don't need to detect secrets containing 0-9a-zA-Z before secret.
e.g. finding a secret in #define DISPID_ICANVASRENDERINGCONTEXT2D_CANVAS DISPID_CANVASRENDERCONTEXT2D is false positive.

Important points:

• we need to check starting line/file.
• we shouldn't check this prefix for custom secrets

[knqyf263]

@DmitriyLewen I would assign it to @afdesk. Could you assist him as you know more context?

[afdesk]

@knqyf263 @DmitriyLewen I have a question.

Should we detect next string as a secret?

MyAWS_secret_KEY="12ASD34qwe56CXZ78tyH10Tna543VBokN85RHCas"

IMHO, yes, because it still contains sensitive data, but now Trivy skips it.
Wdyt?
thanks!

[knqyf263]

Which rule? Why isn't it detected now?

[afdesk]

Only for this rule was added startSecret. so MyAWS_secret_KEY is ignored.

trivy/pkg/fanal/secret/builtin-rules.go

Line 110 in b76a725

Regex: MustCompile(fmt.Sprintf(`(?i)%s%s%s(sec(ret)?)?_?(access)?_?key%s%s%s(?P<secret>[A-Za-z0-9\/\+=]{40})%s%s`, startSecret, quote, aws, quote, connect, quote, quote, endSecret)),

[afdesk]

@knqyf263 is it a mistake?

[knqyf263]

It's weird. For me, it looks like It should be detected. @DmitriyLewen updated the regex last time. We can wait for him.
#5647

[afdesk]

If I understand correctly, #5647 didn't affect on startSecret,
@DmitriyLewen right?

@knqyf263 thanks. I understood your point

[DmitriyLewen]

I added this in aquasecurity/fanal#514
But unfortunately, 2 years later, I don't remember the reason for this (and I don't see this problem in a related question).

Looks like it was my mistake.
It would be more logical to add startSecret for aws-access-key-id instead of aws-secret-access-key.

UPD:
I'm not sure if we need to check prefix for AWS_SECRET_KEY.
UUIC aws uses a list of standard envs - https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials_environment.html