feat(secrets): handle non iac secrets FP

checkov/secrets/plugins/detector_utils.py

@@ -174,16 +174,22 @@
 }
 
 
-def remove_fp_secrets_in_keys(detected_secrets: set[PotentialSecret], line: str) -> None:
+def remove_fp_secrets_in_keys(detected_secrets: set[PotentialSecret], line: str, is_code_file: bool = False) -> None:
     formatted_line = line.replace('"', '').replace("'", '')
     secrets_to_remove = set()
     for detected_secret in detected_secrets:
-        # Found keyword prefix as potential secret
-        if detected_secret.secret_value and formatted_line.startswith(detected_secret.secret_value):
-            secrets_to_remove.add(detected_secret)
-        # found a function name at the end of the line
-        if detected_secret.secret_value and formatted_line and FUNCTION_CALL_AFTER_KEYWORD_REGEX.search(formatted_line):
-            secrets_to_remove.add(detected_secret)
+        if detected_secret.secret_value:
+            # Found keyword prefix as potential secret
+            if formatted_line.startswith(detected_secret.secret_value):
+                secrets_to_remove.add(detected_secret)
+            # found a function name at the end of the line
+            if formatted_line and FUNCTION_CALL_AFTER_KEYWORD_REGEX.search(formatted_line):
+                secrets_to_remove.add(detected_secret)
+            # secret value is substring of keywork
+            if is_code_file and FOLLOWED_BY_EQUAL_VALUE_KEYWORD_REGEX.search(formatted_line):
+                key, value = line.split("=", 1)
+                if detected_secret.secret_value in key and detected_secret.secret_value in value:
+                    secrets_to_remove.add(detected_secret)
     detected_secrets -= secrets_to_remove
 
 

checkov/secrets/plugins/entropy_keyword_combinator.py

@@ -209,14 +209,17 @@ def analyze_line(
                         # return a possible secret, otherwise check with next parser
                         return potential_secrets
         else:
-            return detect_secret(
+            detected_secrets = detect_secret(
                 # If we found a keyword (i.e. db_pass = ), lower the threshold to the iac threshold
                 scanners=self.high_entropy_scanners if not keyword_on_key else self.entropy_scanners_non_iac_with_keyword,
                 filename=filename,
                 line=line,
                 line_number=line_number,
                 kwargs=kwargs
             )
+            if detected_secrets:
+                remove_fp_secrets_in_keys(detected_secrets, line, True)
+            return detected_secrets
 
         return set()
 

tests/secrets/sanity/iac_fp/a.py → tests/secrets/sanity/non_iac_fp/a.py

@@ -3,6 +3,9 @@ def a():
 
     mock_url = mock_bc_integration.bc_api_url + "/api/v1/vulnerabilities/scan-results/2e97f5afea42664309f492a1e2083b43479c2936"
 
+    PASSWORD = "PASSWORD"
+    STATUS_ERROR_PASSWORD_FETCH = "ERROR_PASSWORD_FETCH"
+
     return "Properties/LogPublishingOptions/AUDIT_LOGS/Enabled"
 
     metadata_options['HttpTokens'] == "required"