Commit 236273c

fix: use word boundaries in AWS key detection to avoid base64 false positives
1 parent c07fa76 commit 236273c

.git-hooks/pre-push

Lines changed: 3 additions & 3 deletions
@@ -168,10 +168,10 @@ while read local_ref local_sha remote_ref remote_sha; do
168168
ERRORS=$((ERRORS + 1))
169169
fi
170170

171-
# AWS keys.
172-
if echo "$file_text" | grep -iqE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})'; then
171+
# AWS keys (word-boundary match to avoid false positives in base64 data).
172+
if echo "$file_text" | grep -iqE '(aws_access_key|aws_secret|\bAKIA[0-9A-Z]{16}\b)'; then
173173
printf "${RED}✗ BLOCKED: Potential AWS credentials found in: %s${NC}\n" "$file"
174-
echo "$file_text" | grep -niE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' | head -3
174+
echo "$file_text" | grep -niE '(aws_access_key|aws_secret|\bAKIA[0-9A-Z]{16}\b)' | head -3
175175
ERRORS=$((ERRORS + 1))
176176
fi
177177
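
Review bot: the `-i` in `grep -iqE` (and in the `grep -niE` that prints the matches) still makes `AKIA[0-9A-Z]{16}` case-insensitive, so the new `\b` anchors only reject hits embedded in a longer alphanumeric run. A base64 segment delimited by `+`, `/` or `=` that happens to read `akia` plus 16 alphanumerics in any case still blocks the push. Consider matching the key-ID alternative in its own grep without `-i` and keeping `-i` only for `aws_access_key|aws_secret`. Smaller points on the same two lines: `\b` is a GNU extension rather than POSIX ERE, so the hook's behaviour depends on which grep is installed; `_` counts as a word character, so an ID directly preceded or followed by an underscore is no longer detected; and the pattern is now duplicated in the check and in the printed-matches line, so holding it in one variable would keep the two from drifting apart.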
