Filter out ARNs (#252)

Author: tsmithv11

detect_secrets/filters/heuristic.py

@@ -258,3 +258,18 @@ def is_swagger_file(filename: str) -> bool:
 @lru_cache(maxsize=1)
 def _get_swagger_regex() -> Pattern:
     return re.compile(r'.*swagger.*')
+
+
+def is_aws_arn(secret: str) -> bool:
+    """
+    Filters AWS ARN strings that match the pattern:
+    arn:aws:<service>:<region>:<account-id>:<resource-type>:<resource-name>
+    """
+    return bool(_get_arn_regex().search(secret))
+
+
+@lru_cache(maxsize=1)
+def _get_arn_regex() -> Pattern:
+    return re.compile(
+        r'^arn:aws:[a-z0-9\-]+:([a-z0-9\-]*:[0-9]{12}|:[0-9]{12}|\*)?:.*$',
+    )

tests/filters/heuristic_filter_test.py

@@ -172,3 +172,16 @@ def test_is_not_alphanumeric_string(secret, result):
 )
 def test_is_swagger_file(filename, result):
     assert filters.heuristic.is_swagger_file(filename.format(sep=os.path.sep)) is result
+
+@pytest.mark.parametrize(
+    'secret, result',
+    (
+        ('arn:aws:lambda:us-west-2:123456789012:function:my-function', True),
+        ('arn:aws:s3:::my-bucket', True),
+        ('arn:aws:iam::123456789012:role/service-role/my-role', True),
+        ('not:an:arn:123456789012', False),
+        ('randomstring', False),
+    ),
+)
+def test_is_aws_arn(secret, result):
+    assert filters.heuristic.is_aws_arn(secret) is result

tests/plugins/high_entropy_strings_test.py

@@ -43,6 +43,9 @@ class TestHighEntropyString:
             # Non-quoted string from Yaml
             ('some_key: {secret}', True),
             ('some_key:{secret}', True),
+
+            # Don't flag ARNs
+            ('ServiceToken: "arn:aws:lambda:us-west-2:123456789012:function:dummy-token"', False),
         ),
     )
     def test_basic(plugin, non_secret, secret, format, should_be_caught):