Filter out generic API key vulnerabilities in real-time scan results (AST-106731) (#1239)

cx-ben-alvo · web-flow · commit 601185a84899 · 2025-07-23T14:27:16.000+03:00
* Filter out generic API key vulnerabilities in real-time scan results

* Fix typo in generic API key constant name

* Fix typo in generic API key constant name

* Fix logic in filtering generic API keys in real-time scan results

* Fix logic in filtering generic API keys in real-time scan results
diff --git a/internal/services/realtimeengine/secretsrealtime/secrets-realtime.go b/internal/services/realtimeengine/secretsrealtime/secrets-realtime.go
@@ -3,9 +3,10 @@ package secretsrealtime
 import (
 	"encoding/json"
 	"fmt"
+	"os"
+
 	errorconstants "github.com/checkmarx/ast-cli/internal/constants/errors"
 	"github.com/checkmarx/ast-cli/internal/logger"
-	"os"
 
 	"github.com/checkmarx/2ms/v3/lib/reporting"
 	"github.com/checkmarx/2ms/v3/lib/secrets"
@@ -22,6 +23,7 @@ const (
 	criticalSeverity = "Critical"
 	highSeverity     = "High"
 	mediumSeverity   = "Medium"
+	genericAPIKey    = "generic-api-key"
 )
 
 type SecretsRealtimeService struct {
@@ -105,6 +107,8 @@ func (s *SecretsRealtimeService) RunSecretsRealtimeScan(filePath, ignoredFilePat
 	}
 
 	results := convertToSecretsRealtimeResult(report)
+	resultsPerLineMap := createResultsPerLineMap(results)
+	results = filterGenericAPIKeyVulIfNeeded(results, resultsPerLineMap)
 
 	if ignoredFilePath == "" {
 		return results, nil
@@ -177,3 +181,38 @@ func getSeverity(secret *secrets.Secret) string {
 		return highSeverity
 	}
 }
+
+func createResultsPerLineMap(results []SecretsRealtimeResult) map[string][]SecretsRealtimeResult {
+	resultsPerLine := make(map[string][]SecretsRealtimeResult)
+	for _, result := range results {
+		for _, location := range result.Locations {
+			lineKey := fmt.Sprintf("%s:%d", result.FilePath, location.Line)
+			resultsPerLine[lineKey] = append(resultsPerLine[lineKey], result)
+		}
+	}
+	return resultsPerLine
+}
+
+func filterGenericAPIKeyVulIfNeeded(
+	results []SecretsRealtimeResult,
+	resultsPerLine map[string][]SecretsRealtimeResult,
+) []SecretsRealtimeResult {
+	if len(results) == 0 || len(resultsPerLine) == 0 {
+		return results
+	}
+
+	var filtered []SecretsRealtimeResult
+	for _, entries := range resultsPerLine {
+		if len(entries) <= 1 {
+			filtered = append(filtered, entries...)
+			continue
+		}
+
+		for i := 0; i < len(entries); i++ {
+			if entries[i].Title != genericAPIKey {
+				filtered = append(filtered, entries[i])
+			}
+		}
+	}
+	return filtered
+}
diff --git a/internal/services/realtimeengine/secretsrealtime/secrets-realtime_test.go b/internal/services/realtimeengine/secretsrealtime/secrets-realtime_test.go
@@ -73,12 +73,12 @@ func TestRunSecretsRealtimeScan_WithIgnoreFile_FiltersResult(t *testing.T) {
 	tempDir := t.TempDir()
 
 	testFile := filepath.Join(tempDir, "test.txt")
-	testContent := "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\ngithub_token = ghp_XXXXXXXXXXXXXXXXXXXX"
+	testContent := "pat = \"ghp_1234567890abcdef1234567890abcdef12345678\""
 	assert.NoError(t, os.WriteFile(testFile, []byte(testContent), 0644))
 
 	ignoreFile := filepath.Join(tempDir, "ignored.json")
 	ignored := []IgnoredSecret{
-		{Title: "github-token", FilePath: "test.txt", Line: 2},
+		{Title: "github-pat", FilePath: testFile, Line: 0},
 	}
 	data, _ := json.Marshal(ignored)
 	assert.NoError(t, os.WriteFile(ignoreFile, data, 0644))
@@ -93,7 +93,30 @@ func TestRunSecretsRealtimeScan_WithIgnoreFile_FiltersResult(t *testing.T) {
 	assert.NotNil(t, results)
 
 	for _, r := range results {
-		assert.NotEqual(t, "github-token", r.Title)
+		assert.NotEqual(t, "github-pat", r.Title)
+	}
+}
+
+func TestRunSecretsRealtimeScan_PatVulAndGenericVul_ReturnedOnlyPathVul(t *testing.T) {
+	mock.Flag = wrappers.FeatureFlagResponseModel{Name: wrappers.OssRealtimeEnabled, Status: true}
+
+	tempDir := t.TempDir()
+
+	testFile := filepath.Join(tempDir, "test.txt")
+	testContent := "token = \"ghp_1234567890abcdef1234567890abcdef12345678\""
+	assert.NoError(t, os.WriteFile(testFile, []byte(testContent), 0644))
+
+	service := &SecretsRealtimeService{
+		JwtWrapper:         &mock.JWTMockWrapper{},
+		FeatureFlagWrapper: &mock.FeatureFlagsMockWrapper{},
+	}
+
+	results, err := service.RunSecretsRealtimeScan(testFile, "")
+	assert.NoError(t, err)
+	assert.NotNil(t, results)
+
+	for _, r := range results {
+		assert.Equal(t, "github-pat", r.Title)
 	}
 }
 
