Skip to content

fix(azure_storage_key): broaden azure storage account key pattern #292

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lirshindalman merged 1 commit into from
Mar 17, 2026
Merged

fix(azure_storage_key): broaden azure storage account key pattern #292

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 5 additions & 4 deletions detect_secrets/plugins/azure_storage_key.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,8 @@ class AzureStorageKeyDetector(RegexBasedDetector):
"""Scans for Azure Storage Account access keys."""
secret_type = 'Azure Storage Account access key'

account_key = 'AccountKey'
account_key = r'account[_]?k(?:ey)?\b'
account_key_check = re.compile(r'account[_]?k(?:ey)?\b', re.IGNORECASE)
azure = 'azure'

max_line_length = 4000
Expand All @@ -28,12 +29,12 @@ class AzureStorageKeyDetector(RegexBasedDetector):
denylist = [
# Account Key (AccountKey=xxxxxxxxx)
re.compile(
r'(?:["\']?[A-Za-z0-9+\/]{86,1000}==["\']?)',
r'(?:["\']?[A-Za-z0-9+\/]{86,88}==["\']?)',
),
]

context_keys = [
r'{account_key}=\s*{secret}',
r'(?i){account_key}[\s=]{{1,20}}{secret}',

# maximum 2 lines secret distance under azure mention (case-insensitive)
r'(?i)\b{azure}(.*\n){{0,2}}.*{secret}',
Expand Down Expand Up @@ -89,7 +90,7 @@ def context_keys_exists(self, result: PotentialSecret, string: str) -> bool:
azure=self.azure,
), re.MULTILINE,
)
if regex.pattern.startswith(self.account_key) and self.account_key not in string:
if self.account_key in regex.pattern and not self.account_key_check.search(string):
continue
if self.azure in regex.pattern.lower() and self.azure not in string.lower():
continue
Expand Down
5 changes: 5 additions & 0 deletions tests/plugins/azure_storage_key_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -215,6 +215,11 @@ class TestAzureStorageKeyDetector:
""",
False,
),
# Flexible account key variable names
(
'STORAGE_ACCOUNT_K=X1y2Z3w4V5u6T7s8R9q0P1o2N3m4L5k6J7h8G9f0E1d2C3b4A5B6C7D8E9F0G1H2I3J4K5L6M7N8O9P0Q1R2S3==', # noqa: E501
True,
),
(
'CosmosKey=lJzRc1YdHaAA2KCNJJ1tkYwF/+mKK6Ygw0NGe170Xu592euJv2wYUtBlV8z+qnlcNQSnIYVTkLWntUO1F8j8rQ==',
False,
Expand Down
Loading