fix a bug where multiple regex are being supplied seperated by | sign…

… (in multiline policy) captured, so matching group will be the match & empty matching as only one pattern caught the secret
bridgecrewio · Jan 24, 2025 · a4d8b57 · a4d8b57
1 parent a083a43
commit a4d8b57
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/checkov/secrets/plugins/custom_regex_detector.py b/checkov/secrets/plugins/custom_regex_detector.py
@@ -1,7 +1,7 @@
 from __future__ import annotations
 
 import logging
-from typing import Set, Any, Generator, Pattern, Optional, Dict, Tuple, TYPE_CHECKING, cast
+from typing import Set, Any, Generator, Pattern, Optional, Dict, Tuple, TYPE_CHECKING, cast, Union
 from collections import defaultdict
 
 from detect_secrets.constants import VerifiedResult
@@ -170,6 +170,7 @@ def _find_potential_secret(
                     continue
                 multiline_matches = multiline_regex.findall(file_content)
                 for mm in multiline_matches:
+                    mm = self._extract_real_regex_match(mm)
                     line_num = find_line_number(file_content, mm, line_number)
                     quoted_mm = f"'{mm}'"
                     ps = PotentialSecret(
@@ -218,6 +219,14 @@ def analyze_string(self, string: str, **kwargs: Optional[Dict[str, Any]]) -> Gen
                 else:
                     yield match, regex
 
+    def _extract_real_regex_match(self, regex_matches: Union[str, Tuple[str]]) -> Union[str, Tuple[str]]:
+        if isinstance(regex_matches, tuple):
+            for match in regex_matches:
+                if match:
+                    return match
+
+        return regex_matches
+
 
 def find_line_number(file_string: str, substring: str, default_line_number: int) -> int:
     try:
@@ -229,3 +238,4 @@ def find_line_number(file_string: str, substring: str, default_line_number: int)
         return default_line_number
     except Exception:
         return default_line_number
+