feat(masker): add support for AWS temporary credentials and secret keys

Add masking patterns for:
- AWS Access Key ID issued by STS/SSO (ASIA prefix)
- AWS Secret Access Key (40-char base64-like string)

The secret key pattern is placed last to avoid matching other secrets.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: koki-develop

CLAUDE.md

@@ -114,9 +114,11 @@ When adding new API key patterns to `internal/masker/`:
 ### Pattern Ordering
 - Place more specific patterns before general ones to avoid false matches
 - Example: `sk-ant-` must be before `sk-` to prevent Anthropic keys from matching OpenAI pattern
+- Example: AWS Secret Access Key (`[a-zA-Z0-9+/]{40}`) must be last due to its generic pattern
 
-### Supported Patterns
-- AWS Access Key ID: `AKIA[0-9A-Z]{16}`
+### Supported Patterns (in order of application)
+- AWS Access Key ID (permanent): `AKIA[0-9A-Z]{16}`
+- AWS Access Key ID (temporary/SSO): `ASIA[0-9A-Z]{16}`
 - GitHub Tokens: `gh[pousr]_[a-zA-Z0-9]{36,}`
 - GitLab PAT: `glpat-[a-zA-Z0-9\-_]{20,}`
 - Slack Tokens: `xox[baprs]-[0-9a-zA-Z\-]+`
@@ -125,6 +127,7 @@ When adding new API key patterns to `internal/masker/`:
 - Supabase Secret Key: `sb_secret_[a-zA-Z0-9\-_]+`
 - JWT Tokens: `eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*`
 - Private Key Headers: `-----BEGIN\s+(RSA|DSA|EC|OPENSSH|PGP)\s+PRIVATE\s+KEY-----`
+- AWS Secret Access Key: `[a-zA-Z0-9+/]{40}` (must be last due to generic pattern)
 
 ### Pattern Update Workflow
 1. Add regex pattern to `internal/masker/masker.go`

README.md

@@ -109,6 +109,7 @@ AWS_ACCESS_KEY_ID=********************
 
 Supported patterns:
 - AWS Access Key ID
+- AWS Secret Access Key
 - GitHub Tokens (`ghp_`, `gho_`, `ghs_`, `ghr_`)
 - GitLab Personal Access Tokens
 - Slack Tokens

internal/masker/masker.go

@@ -6,8 +6,10 @@ import (
 )
 
 var patterns = []*regexp.Regexp{
-	// AWS Access Key ID
+	// AWS Access Key ID (permanent)
 	regexp.MustCompile(`AKIA[0-9A-Z]{16}`),
+	// AWS Access Key ID (temporary, STS/SSO)
+	regexp.MustCompile(`ASIA[0-9A-Z]{16}`),
 	// GitHub Tokens (ghp_, gho_, ghs_, ghr_)
 	regexp.MustCompile(`gh[pousr]_[a-zA-Z0-9]{36,}`),
 	// GitLab Personal Access Token
@@ -24,6 +26,8 @@ var patterns = []*regexp.Regexp{
 	regexp.MustCompile(`eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*`),
 	// Private Key Headers
 	regexp.MustCompile(`-----BEGIN\s+(RSA|DSA|EC|OPENSSH|PGP)\s+PRIVATE\s+KEY-----`),
+	// AWS Secret Access Key (must be last due to generic pattern that could match other secrets)
+	regexp.MustCompile(`[a-zA-Z0-9+/]{40}`),
 }
 
 // Mask replaces sensitive patterns in content with asterisks of the same length

internal/masker/masker_test.go

@@ -18,6 +18,16 @@ func TestMask(t *testing.T) {
 			input: "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
 			want:  "aws_access_key_id = " + strings.Repeat("*", 20),
 		},
+		{
+			name:  "AWS Access Key (temporary/SSO)",
+			input: "aws_access_key_id = ASIAISEXAMPLEKEY1234",
+			want:  "aws_access_key_id = " + strings.Repeat("*", 20),
+		},
+		{
+			name:  "AWS Secret Access Key",
+			input: "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
+			want:  "aws_secret_access_key = " + strings.Repeat("*", 40),
+		},
 		{
 			name:  "GitHub Personal Access Token",
 			input: "token: ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",