Aws Secret Key Scanner is too sensative, a lot of false positives.

[slowcoder360]

During a security scan of our Next.js application, we encountered several false positives that could lead to confusion and unnecessary concern. We'd like to report these to help improve the accuracy of the scanning tool.

False Positives Found

1. AWS Secret Access Key Detection

• Location: app/(root)/page.tsx
• Reported Issue: High severity AWS Secret Access Key detected
• Actual Code: The file contains only React components and imports, with no AWS credentials
• Impact: Could cause unnecessary alarm for developers

2. File Upload Vulnerability

• Location: app/(root)/(admin)/admin/SearchUsers.tsx
• Reported Issue: Potential file upload handling vulnerability
• Actual Code: The file uses FormData for text search functionality, not file uploads
• Impact: Misleads developers into thinking there's a file upload security issue

3. High Entropy String Warnings

• Locations: Multiple files including:
  • Font files (.otf files)
  • Image files (.webp files)
  • UI component files
• Reported Issue: High entropy strings detected
• Actual Code: These are binary files and UI components with no sensitive data
• Impact: Creates noise in the scan results, making it harder to identify real issues

Environment

• Next.js application
• TypeScript
• Various binary assets (fonts, images)

Expected Behavior

The security scanner should:

1. Not flag binary files (fonts, images) as containing high entropy strings
2. Better distinguish between FormData usage for file uploads vs. form submissions
3. Have more accurate detection of actual AWS credentials

Additional Context

The scan did correctly identify some valid security concerns (rate limiting, error logging), but the false positives made it more difficult to focus on the real issues.

Impact

These false positives:

1. Create unnecessary concern for developers
2. Make it harder to identify real security issues
3. Could lead to wasted time investigating non-existent problems

Possible Solutions

1. Add file type filtering for binary files
2. Improve context analysis for FormData usage
3. Implement better heuristics for AWS credential detection

[ccozad]

Potential resource for flagging AWS keys

https://awsteele.com/blog/2020/09/26/aws-access-key-format.html

We can also look for the default environment variable name and explicit key parameters in client setup code.

[cimiie]

I got his one before

• [High] (AWS Secret Access Key) Issue detected in forgot-password.html:154

  No message available

• [High] (AWS Secret Access Key) Issue detected in login.html:147

  No message available

• [High] (AWS Secret Access Key) Issue detected in reset-password.html:146

  No message available

It was actually detecting an image file in all files.

https://a3c8d11969.imgdist.com/pub/bfra/hai7mxzv/n08/k82/cqe/image.png

[slowcoder360]

@cimiie thank you, I have updated the scanner to filter out files that have common file endings like jpg, png, mp4 etc. Im going to run another test now to make sure it is working as hoped.

[slowcoder360]

@ccozad I went ahead and added some more specific filtering for aws keys where they start with that specific prefix(s) from that article.