Improvement Proposal
Skill: secrets-management
Path: skills/devsecops/secrets-management/SKILL.md
Problem
The current AWS detection guidance only matches long-term AKIA access key IDs and a secret access key independently:
(?:AKIA)[0-9A-Z]{16}
(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[=:]\s*[A-Za-z0-9/+=]{40}
This misses a common AWS credential family: temporary STS credentials. AWS documents that temporary access key IDs use the ASIA prefix and that temporary credentials also include a session token.
Reviewers following the current skill can therefore:
- Miss complete temporary STS credential exposures because ASIA and aws_session_token are not covered.
- Over-report a standalone access key ID as a complete credential even when the secret/session token is absent.
- Fail to distinguish long-term two-part credentials from temporary three-part credentials.
Proposed Scope
Add explicit AWS STS guidance:
(?:AKIA|ASIA)[0-9A-Z]{16}
(?:aws_session_token|AWS_SESSION_TOKEN)\s*[=:]\s*[A-Za-z0-9/+=]{20,}
Add credential-set validation:
- Long-term AWS credential: AKIA access key ID plus matching secret access key.
- Temporary AWS STS credential: ASIA access key ID plus secret access key plus session token.
- A standalone identifier is sensitive metadata, but should not be reported as a complete usable credential without the required companion values.
Add test fixtures for:
- Complete synthetic ASIA + secret + session token triplet: vulnerable.
- Standalone/synthetic identifier without companion values: not a confirmed complete credential.
- Existing long-term AKIA + secret pair: still covered.
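To make the proposed scope and the fixture list above concrete, here is an added example of the pair/triplet validation as a defender-side detector. It is written for this proposal and is not the skill's or PR #2759's code. It uses the proposal's regexes (with word boundaries added around the access key ID so a longer token is not partially matched), judges each credential set per block of text (an INI profile section or a blank-line-separated paragraph) so a bare key ID is not paired with a secret that happens to appear elsewhere, and embeds constructed fixtures: the key IDs and secret are AWS's published documentation placeholders, and the session token is a made-up string that only satisfies the character class. Whether a secret actually belongs to a key ID cannot be confirmed from text alone; the detector only reports whether the required companion values are present.

```python
"""Classify AWS credential material found in text as complete credential sets
or as standalone identifiers (added example, not the skill's own code)."""
import re
from dataclasses import dataclass

# Proposal regexes; the key-ID pattern gains \b so it only matches a whole 20-char ID.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)([0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[=:]\s*([A-Za-z0-9/+=]{40})\b"
)
SESSION_TOKEN_RE = re.compile(
    r"(?:aws_session_token|AWS_SESSION_TOKEN)\s*[=:]\s*([A-Za-z0-9/+=]{20,})"
)


@dataclass(frozen=True)
class Finding:
    access_key_id: str
    kind: str        # "long-term" (AKIA) or "temporary-sts" (ASIA)
    complete: bool   # True only if every required companion value is in the same block
    missing: tuple   # companion values that were not found alongside the key ID


def _blocks(text):
    """Split text into credential blocks: INI profile sections ([name]) or
    blank-line-separated paragraphs. Pairing is only done inside one block."""
    blocks, current = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") or not stripped:
            if current:
                blocks.append("\n".join(current))
            current = []
        if stripped:
            current.append(line)
    if current:
        blocks.append("\n".join(current))
    return blocks


def classify_block(block):
    """Return one Finding per access key ID in the block, marking whether the
    block also carries the companion values that make it a usable credential."""
    has_secret = SECRET_KEY_RE.search(block) is not None
    has_token = SESSION_TOKEN_RE.search(block) is not None
    findings = []
    for prefix, body in ACCESS_KEY_ID_RE.findall(block):
        if prefix == "AKIA":
            kind = "long-term"
            required = {"secret_access_key": has_secret}
        else:
            kind = "temporary-sts"
            required = {"secret_access_key": has_secret, "session_token": has_token}
        missing = tuple(name for name, present in required.items() if not present)
        findings.append(Finding(prefix + body, kind, not missing, missing))
    return findings


def classify_aws_credentials(text):
    """Scan a whole file or log excerpt; findings are returned in document order."""
    return [f for block in _blocks(text) for f in classify_block(block)]


# Constructed fixtures. Key IDs and the secret are AWS's documentation placeholders;
# the session token is invented and only matches the allowed character class.
SAMPLE_INPUT = """[sts-session]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = IQoJb3JpZ2luX2VjEXAMPLESESSIONTOKENabcdef0123456789/+==

[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

2024-05-01T10:00:00Z INFO request signed with key AKIAIOSFODNN7EXAMPLE from ci-runner

[sts-without-token]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    for f in classify_aws_credentials(SAMPLE_INPUT):
        status = "COMPLETE" if f.complete else f"incomplete (missing: {', '.join(f.missing)})"
        print(f"{f.access_key_id}  {f.kind:14}  {status}")
```

Running the block reports the first two sets as complete (temporary triplet and long-term pair), the log line as a standalone identifier missing its secret, and the last profile as an ASIA set missing its session token, which is exactly the over-reporting case the proposal wants reviewers to stop making.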
Relationship To Existing Issue
Issue #2388 reviews broader secrets-management scope conflicts, modern provider token prefixes, CI log leakage, and OIDC trust-policy checks. This proposal is intentionally narrower and focuses on AWS STS serialization semantics and pair/triplet validation, which #2388 does not specify.
Prepared Implementation
A working implementation and fixtures were prepared in PR #2759. That PR was automatically closed because the repository is now issue-first.
If this proposal is marked approved, I will:
- Update the PR body with Closes #<this issue>.
- Narrow or adjust the PR scope if maintainers prefer STS-only changes.
- Rebase on current main.
- Reopen the PR for review.
Primary References
Bounty
This is intended as a Skill Improvement contribution under the $50-150 per merged PR rubric. Preferred payout method after acceptance: PayPal; payout email can be provided privately.