feat(secrets): used 10 characters in secret violation (#5835)

* used randomly generated number of characters in secret violation

* disregard security check as irrelevant in this area

* Used only 10 characters instead of random number and fixed tests accordingly

checkov/common/util/secrets.py

@@ -22,6 +22,9 @@
 GENERAL = 'general'
 ALL = 'all'
 
+GENERIC_OBFUSCATION_LENGTH = 10
+
+
 # Taken from various git-secrets forks that add Azure and GCP support to base AWS.
 # The groups here are the result of running git secrets --register-[aws|azure|gcp]
 # https://github.com/awslabs/git-secrets
@@ -133,7 +136,7 @@ def omit_secret_value_from_line(secret: str | None, line_text: str) -> str:
             return line_text
 
     censored_line = f'{line_text[:secret_index + secret_len_to_expose]}' \
-                    f'{"*" * (secret_length - secret_len_to_expose)}' \
+                    f'{"*" * GENERIC_OBFUSCATION_LENGTH}' \
                     f'{line_text[secret_index + secret_length:]}'
     return censored_line
 

tests/common/utils/conftest.py

@@ -87,8 +87,8 @@ def aws_provider_lines_without_secrets():
     return [(7, 'provider "aws" {\n'),
             (8, '  alias      = "plain_text_access_keys_provider"\n'),
             (9, '  region     = "us-west-1"\n'),
-            (10, '  access_key = "AKIAI***************"\n'),
-            (11, '  secret_key = "wJalrX**********************************"\n'),
+            (10, '  access_key = "AKIAI**********"\n'),
+            (11, '  secret_key = "wJalrX**********"\n'),
             (12, '}\n')]
 
 
@@ -148,7 +148,7 @@ def tfplan_resource_lines_without_secrets():
             (44, '                                "tags":\n'),
             (45, '                                {},\n'),
             (46, '                                "timeouts": null,\n'),
-            (47, '                                "value": "IClnje**************************************",\n'),
+            (47, '                                "value": "IClnje**********",\n'),
             (48, '                                "version": "123d0b12ab123c123456ab123e120bc1",\n'),
             (49,
              '                                "versionless_id": "https://test-123-abcdse-02.vault.azure.net/secrets/test-123-abcdse-02"\n')]

tests/common/utils/test_secrets_utils.py

@@ -78,7 +78,7 @@ def test_omit_secret_value_from_checks_by_secret_2():
         (98, '            "not_before_date": null,\n'),
         (99, '            "tags": null,\n'),
         (100, '            "timeouts": null,\n'),
-        (101, '            "value": "-----********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************--\\n"\n')
+        (101, '            "value": "-----**********--\\n"\n')
     ]
     resource_attributes_to_omit = {'azurerm_key_vault_secret': {'value'}}
 

tests/unit/test_secrets.py

@@ -43,7 +43,7 @@ def test_omit_secret_value_from_line(self):
 
         censored_line = omit_secret_value_from_line(secret, line)
 
-        self.assertEqual(censored_line, 'access_key: "AKIAI***************"')
+        self.assertEqual(censored_line, 'access_key: "AKIAI**********"')
 
     def test_omit_none_secret_from_line(self):
         line = 'text'
@@ -61,7 +61,7 @@ def test_omit_long_secret_value_from_line(self):
 
         censored_line = omit_secret_value_from_line(secret, line)
 
-        self.assertEqual(censored_line, 'access_key: "123456*********************************************************"')
+        self.assertEqual(censored_line, 'access_key: "123456**********"')
 
     def test_get_secrets_from_secrets(self):
         s = 'access_key: "AKIAIOSFODNN7EXAMPLE"'