
Detection sensitivity is very low when no indicators are present

Open Gby56 opened this issue 2 years ago • 2 comments

GitGuardian Shield Version 2.72.0

  • [X] I can reproduce this bug in the latest version

Command executed

Simply add a txt file with a fake AWS key (found on Google) with

AKIAJIPU77TQL5LB6OIB
8Mw77pe6Ua9wr56f6lr069rDPTDWeUvV0q6ZS+6N

Then ggshield scan -v --all-policies path lol.txt

This won't find anything...

Try the same, with a few pointers:

key=AKIAJIPU77TQL5LB6OIB
secret=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

And this will work.

Describe the bug

There really seems to be a problem in the sensitivity system, ggshield definitely isn't built with a "clues" system that adds weight depending on the findings it has. An AWS key should always get caught no matter the prefix, especially if the pair key+secret is in the same file imo.

Expected behavior

ggshield should flag secrets without needing pointers for "password" or "key", especially for such common use cases like AWS keys.

Gby56, Aug 02 '22 13:08

Hi @Gby56, We had a look at the example you submitted, thanks for opening this issue.

The engine does not raise an alert indeed. Yet, your explanation is not exactly right. The case you described happens because we apply a validation on the context of the secret to verify the secret is not made of some random text that happens to match the AWS key pattern. The content you sent very much looks like random text. If you were to include any characters, as long as they include non-text characters, in the close context of the secret, then an alert would be raised. For instance:

a = b
AKIAJIPU77TQL5LB6OIB
8Mw77pe6Ua9wr56f6lr069rDPTDWeUvV0q6ZS+6N

We are looking into improving this. I'll keep you updated as soon as we have results on this topic.

pierrelalanne, Aug 02 '22 14:08
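To make the context validation described above concrete, here is a small added example (written for this thread, not ggshield's own detector code) of a pattern matcher that only reports an AWS-shaped candidate when the text around it contains a non-text character such as `=`, `:` or a quote. The regular expressions and the 64-character context window are assumptions chosen for illustration. The candidate spans themselves are masked before the context is inspected, so the `+` inside the sample secret value does not count as a clue, which reproduces the behaviour reported in this issue: the bare two-line file is seen but not reported, while the `key=`/`secret=` and `a = b` variants are reported. The sample inputs are constructed from the fake key pair posted above.

```python
import re

# Assumed shapes for illustration: an access key ID is "AKIA" plus 16
# uppercase letters/digits; a secret key is 40 base64-alphabet characters.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")

# Characters of surrounding text inspected on each side of a candidate (assumed).
CONTEXT_WINDOW = 64

# Constructed sample files built from the fake key pair posted in this issue.
ACCESS = "AKIAJIPU77TQL5LB6OIB"
SECRET = "8Mw77pe6Ua9wr56f6lr069rDPTDWeUvV0q6ZS+6N"
BARE_FILE = f"{ACCESS}\n{SECRET}\n"                 # no clues: not reported
HINTED_FILE = f"key={ACCESS}\nsecret={SECRET}\n"    # '=' is a clue: reported
CONTEXT_FILE = f"a = b\n{ACCESS}\n{SECRET}\n"       # '=' nearby is a clue: reported


def find_candidates(text):
    """Return (kind, start, end) for every substring shaped like an AWS key."""
    spans = [("aws_access_key_id", m.start(), m.end()) for m in ACCESS_KEY_RE.finditer(text)]
    spans += [("aws_secret_access_key", m.start(), m.end()) for m in SECRET_KEY_RE.finditer(text)]
    return sorted(spans, key=lambda s: s[1])


def mask_spans(text, spans):
    """Blank out candidate values so their own characters are not mistaken for context."""
    chars = list(text)
    for _, start, end in spans:
        for i in range(start, end):
            chars[i] = " "
    return "".join(chars)


def has_context_clue(masked, start, end):
    """True if the text near a candidate holds a character that is neither
    alphanumeric nor whitespace (e.g. '=', ':', '"'), the heuristic used here
    to separate a real secret from random text that merely fits the pattern."""
    window = masked[max(0, start - CONTEXT_WINDOW):start] + masked[end:end + CONTEXT_WINDOW]
    return any(not (ch.isalnum() or ch.isspace()) for ch in window)


def scan(text):
    """Return every candidate with a 'reported' flag set by the context check."""
    spans = find_candidates(text)
    masked = mask_spans(text, spans)
    return [
        {
            "kind": kind,
            "value": text[start:end],
            "line": text.count("\n", 0, start) + 1,
            "reported": has_context_clue(masked, start, end),
        }
        for kind, start, end in spans
    ]


def reported_secrets(text):
    """Only the candidates that pass the context validation."""
    return [c["value"] for c in scan(text) if c["reported"]]


if __name__ == "__main__":
    for name, sample in (("bare", BARE_FILE), ("hinted", HINTED_FILE), ("context", CONTEXT_FILE)):
        for c in scan(sample):
            status = "REPORTED" if c["reported"] else "suppressed (no context clue)"
            print(f"{name}: line {c['line']} {c['kind']} {status}")
```

Running the block prints two suppressed candidates for the bare file and two reported ones for each of the other samples. The point to take from it is that the suppression happens after the pattern match, so a scanner built this way has already seen the candidate; surfacing suppressed candidates in verbose output, as the next comment suggests, is a reporting decision rather than a detection gap.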

Got it! I understand yes, we had a few people playing with it internally and were surprised to see it not triggered. I would expect that a random string that fits exactly an AWS key, exact length, on a single line, that would trigger an alert 🤔 Maybe the tool could flag things and suggest a way to ignore the finding in the cli output, so even if it's a false positive it's not too noisy?

Gby56, Aug 02 '22 15:08