
AWS Secret Key Scanner is too sensitive, a lot of false positives. #2

@slowcoder360

Description

During a security scan of our Next.js application, we encountered several false positives that could lead to confusion and unnecessary concern. We'd like to report these to help improve the accuracy of the scanning tool.

False Positives Found

1. AWS Secret Access Key Detection

  • Location: app/(root)/page.tsx
  • Reported Issue: High severity AWS Secret Access Key detected
  • Actual Code: The file contains only React components and imports, with no AWS credentials
  • Impact: Could cause unnecessary alarm for developers

2. File Upload Vulnerability

  • Location: app/(root)/(admin)/admin/SearchUsers.tsx
  • Reported Issue: Potential file upload handling vulnerability
  • Actual Code: The file uses FormData for text search functionality, not file uploads
  • Impact: Misleads developers into thinking there's a file upload security issue

3. High Entropy String Warnings

  • Locations: Multiple files including:
    • Font files (.otf files)
    • Image files (.webp files)
    • UI component files
  • Reported Issue: High entropy strings detected
  • Actual Code: These are binary files and UI components with no sensitive data
  • Impact: Creates noise in the scan results, making it harder to identify real issues

Environment

  • Next.js application
  • TypeScript
  • Various binary assets (fonts, images)

Expected Behavior

The security scanner should:

  1. Not flag binary files (fonts, images) as containing high entropy strings
  2. Better distinguish between FormData usage for file uploads vs. form submissions
  3. Have more accurate detection of actual AWS credentials

Additional Context

The scan did correctly identify some valid security concerns (rate limiting, error logging), but the false positives made it more difficult to focus on the real issues.

Impact

These false positives:

  1. Create unnecessary concern for developers
  2. Make it harder to identify real security issues
  3. Could lead to wasted time investigating non-existent problems

Possible Solutions

  1. Add file type filtering for binary files
  2. Improve context analysis for FormData usage
  3. Implement better heuristics for AWS credential detection
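One way to implement the first and third suggestions above (skip binary assets, and require corroborating context plus real entropy before reporting an AWS secret), as an added Python example that is not the scanner's own code; the extension list, the 200-character context window and the 4.0-bit entropy threshold are assumptions:

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Assumed extension list covering the asset types the issue names (fonts, images).
BINARY_EXTENSIONS = {".otf", ".ttf", ".woff", ".woff2", ".webp", ".png", ".jpg", ".jpeg", ".gif", ".ico"}

# AWS access key IDs are 20 chars starting with AKIA/ASIA; secret keys are 40 chars from the
# base64 alphabet. A 40-char run is reported only when AWS context appears near it.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
CONTEXT_RE = re.compile(r"aws.{0,20}secret|secret.{0,20}key", re.IGNORECASE)
ENTROPY_THRESHOLD = 4.0  # bits per char; assumed cutoff, random 40-char keys land around 4.5-5.0


def is_binary(path: str, data: bytes) -> bool:
    """Extension filter first, then sniff the first 8 KiB for NUL bytes (fonts, images)."""
    dot = path.rfind(".")
    ext = path[dot:].lower() if dot != -1 else ""
    return ext in BINARY_EXTENSIONS or b"\x00" in data[:8192]


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of a string."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_aws_secrets(path: str, data: bytes) -> List[Dict[str, object]]:
    """Return findings for 40-char base64 runs that have AWS context and high entropy."""
    if is_binary(path, data):
        return []  # never entropy-scan binary assets
    text = data.decode("utf-8", errors="replace")
    findings = []
    for m in SECRET_KEY_RE.finditer(text):
        window = text[max(0, m.start() - 200): m.end() + 200]
        if not (ACCESS_KEY_RE.search(window) or CONTEXT_RE.search(window)):
            continue  # bare 40-char run (import path, class name, git hash) without AWS context
        candidate = m.group(0)
        if shannon_entropy(candidate) < ENTROPY_THRESHOLD:
            continue  # repetitive identifiers are not keys
        findings.append({
            "path": path,
            "line": text.count("\n", 0, m.start()) + 1,
            "preview": candidate[:4] + "..." + candidate[-4:],  # never log the full secret
        })
    return findings
```

The sample inputs in the test use the well-known placeholder credentials from the AWS documentation, not live keys.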
