Describe the issue
CKV_AWS_45 is incorrectly flagging Lambda functions that have no hardcoded secrets in their environment variables. The check appears to be using regex pattern matching based on string length and is flagging any environment variable value that is exactly 40 or 48 characters long, which matches the pattern of an AWS secret access key. The values being flagged are legitimate resource names, URLs, and bucket names that just happen to be that length, not actual secrets.
Examples
CloudFormation template that triggers the false positive
"Environment": {
  "Variables": {
    "METRIC_NAMESPACE": "mdp/feature-logging/FdaCompositePipeline",
    "FDA_DOWNLOAD_URL": "https://www.fda.gov/media/76860/download",
    "S3_BUCKET": "mdp-test-new-destroy-147997161038-uploads-bucket"
  }
}
Expected outcome: check passes since none of these are secrets
Actual outcome: check fails with CKV_AWS_45
What makes this particularly painful is that the failure is inconsistent across branches, because our resource names are dynamically built using the branch name. So depending on how long the branch name is, the resulting string length changes and sometimes lands on 40 or 48 characters, which triggers the false positive. This makes it very hard to predict and fix at the source.
Version (please complete the following information):
Additional context
This false positive is causing our CI/CD pipelines to fail and is delaying our deployments. For now we are skipping the check entirely to unblock our pipelines but we would really like a proper fix or at minimum an official workaround other than skipping the check altogether. Is there a way to make the check smarter about distinguishing between actual secrets and resource names that happen to match the length pattern?
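To illustrate the difference between a length-only rule and a check that looks at the value itself, here is an added example (not Checkov's implementation of CKV_AWS_45, and not the reporter's code). It runs the three values from the template above, plus the 40-character placeholder secret key from AWS's own documentation, through both rules; the regex, the 3.5 bits/char entropy threshold and the mixed-case-plus-digit requirement are assumptions for this example.

```python
import math
import re
from collections import Counter

# Constructed sample input: the three values from the report above plus the
# 40-character placeholder secret key that AWS uses in its own documentation
# (not a live credential).
SAMPLE_ENV = {
    "METRIC_NAMESPACE": "mdp/feature-logging/FdaCompositePipeline",
    "FDA_DOWNLOAD_URL": "https://www.fda.gov/media/76860/download",
    "S3_BUCKET": "mdp-test-new-destroy-147997161038-uploads-bucket",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}

# AWS secret access keys are 40 characters drawn from the base64 alphabet.
AWS_SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+=]{40}$")
MIN_ENTROPY_BITS = 3.5  # bits per character; assumed threshold for this example


def length_only_flags(env):
    """Rule as the report describes it: any 40- or 48-character value is flagged."""
    return {name for name, value in env.items() if len(value) in (40, 48)}


def shannon_entropy(text):
    """Average bits per character; random key material scores high, prose low."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_likely_aws_secret_key(value):
    """Heuristic: right alphabet AND mixed case plus digits AND high entropy.
    Hyphens, dots and colons (bucket names, URLs) fail the alphabet test, and
    readable names rarely reach the entropy of random key material.
    Still a heuristic: a random-looking 40-char token will be flagged."""
    if not AWS_SECRET_KEY_RE.match(value):
        return False
    if not (any(ch.isdigit() for ch in value)
            and any(ch.isupper() for ch in value)
            and any(ch.islower() for ch in value)):
        return False
    return shannon_entropy(value) >= MIN_ENTROPY_BITS


def heuristic_flags(env):
    """Names whose values pass the value-based heuristic."""
    return {name for name, value in env.items() if is_likely_aws_secret_key(value)}


if __name__ == "__main__":
    print("length-only rule flags:", sorted(length_only_flags(SAMPLE_ENV)))
    print("heuristic rule flags:  ", sorted(heuristic_flags(SAMPLE_ENV)))
```

The length-only rule flags all four variables, while the value-based rule flags only the placeholder key; the namespace, URL and bucket name all contain characters outside the secret-key alphabet.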