feat: Amazon Bedrock plugin

README.md

@@ -91,6 +91,7 @@ $ git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline
 
 ```bash
 $ detect-secrets scan --list-all-plugins
+AmazonBedrockApiKeyDetector
 ArtifactoryDetector
 AWSKeyDetector
 AzureStorageKeyDetector

detect_secrets/plugins/amazon_bedrock.py

@@ -0,0 +1,18 @@
+"""
+This plugin searches for Amazon Bedrock API keys
+"""
+import re
+
+from detect_secrets.plugins.base import RegexBasedDetector
+
+class AmazonBedrockApiKeyDetector(RegexBasedDetector):
+    """Scans for Amazon Bedrock API keys."""
+    secret_type = 'Amazon Bedrock API key'
+
+    denylist = [
+        # refs https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys.html
+        # Long-lived keys begin with ABSK
+        re.compile(r'(?<![A-Za-z0-9+/=])ABSK[A-Za-z0-9+/]{109,269}={0,2}(?![A-Za-z0-9+/=])'),
+        # Short-lived keys begin with bedrock-api-key-
+        re.compile(r'bedrock-api-key-YmVkcm9jay5hbWF6b25hd3MuY29t')
+    ]

tests/plugins/amazon_bedrock_test.py

@@ -0,0 +1,21 @@
+import pytest
+
+from detect_secrets.plugins.amazon_bedrock import AmazonBedrockApiKeyDetector
+
+
+class TestAmazonBedrockDetector:
+
+    @pytest.mark.parametrize(
+        'payload, should_flag',
+        [
+            ('ABSKQmVkcm9ja0FQSUtleS1EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXM=', True),
+            ('ABSKQmVkcm9ja0FQSUtleS1', False),
+            ('bedrock-api-key-YmVkcm9jay5hbWF6b25hd3MuY29tEXAMPLE', True),
+            ('bedrock-api-key', False),
+        ],
+    )
+    def test_analyze(self, payload, should_flag):
+        logic = AmazonBedrockApiKeyDetector()
+        output = logic.analyze_line(filename='mock_filename', line=payload)
+
+        assert len(output) == int(should_flag)