
feat: Add AWS ARN detection to gitleaks rules #111

@wz-gsa

Summary

Add detection for AWS ARN (Amazon Resource Name) patterns to prevent accidental exposure of AWS resource identifiers in commits.

Background

This is a long-standing request from Issue #68 (opened April 2022). AWS ARNs can reveal:

  • AWS account IDs (12-digit identifiers)
  • Region information
  • Resource naming patterns
  • Service usage details

While ARNs don't directly expose credentials, they provide valuable reconnaissance information for attackers.

Impact Analysis

Scanned local cloud.gov repositories for existing ARN patterns:

| Repository | ARN Matches | Notes |
| --- | --- | --- |
| caulking | 0 | Clean |
| pre-commit-templates | 0 | Clean |
| style-management-service | 0 | Clean |
| cg-scripts | 2 | Both use ${ACCOUNT_ID} variables, not hardcoded |

Finding: Very low false positive risk. Existing ARNs use variable interpolation.

Proposed Implementation

Detection Pattern

arn:aws(-us-gov|-cn)?:[^:]+:[^:]*:[0-9]{12}:[^:\s]+

Key constraint: Only flag ARNs with literal 12-digit account IDs.

Allowlist Patterns

ARNs using variable interpolation should be allowed:

  • arn:aws:iam::${ACCOUNT_ID}:role/ServiceRole
  • arn:aws-us-gov:es:${REGION}:${ACCOUNT_ID}:domain/${TAG}

Configuration

Add to ~/.config/gitleaks/config.toml:

[[rules]]
id = "aws-arn-with-account-id"
description = "AWS ARN with hardcoded account ID"
regex = '''arn:aws(-us-gov|-cn)?:[^:]+:[^:]*:[0-9]{12}:[^:\s]+'''
keywords = ["arn:aws"]

[rules.allowlist]
regexes = [
  '''\$\{.*ACCOUNT.*\}''',  # Variable interpolation
  '''arn:aws[^:]*:[^:]+:[^:]*:\*:''',  # Wildcard account
]
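To make the proposed rule concrete, here is an added Python example (not part of this issue, the caulking repo, or gitleaks itself) that applies the detection regex and the two allowlist regexes above to constructed sample lines in the same keyword, regex, allowlist order gitleaks uses; the `scan_lines` helper and the sample values are assumptions made for illustration.

```python
import re

# Detection regex and allowlist regexes exactly as proposed in the config above.
ARN_RULE = re.compile(r"arn:aws(-us-gov|-cn)?:[^:]+:[^:]*:[0-9]{12}:[^:\s]+")
ALLOWLIST = [
    re.compile(r"\$\{.*ACCOUNT.*\}"),             # variable interpolation
    re.compile(r"arn:aws[^:]*:[^:]+:[^:]*:\*:"),  # wildcard account
]
KEYWORD = "arn:aws"  # gitleaks keyword pre-filter: lines without it are never regex-scanned


def scan_lines(lines):
    """Return (line_number, arn) for each ARN carrying a literal 12-digit account
    ID that no allowlist regex covers. The allowlist is checked against the
    matched text, which is what gitleaks does by default for a rule without a
    capture group (regexTarget "secret", and the secret is the whole match).
    Caveat: [^:\\s]+ runs until a colon or whitespace, so a closing quote or
    comma directly after the ARN becomes part of the reported match."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if KEYWORD not in line:
            continue
        for m in ARN_RULE.finditer(line):
            arn = m.group(0)
            if any(a.search(arn) for a in ALLOWLIST):
                continue
            findings.append((lineno, arn))
    return findings


# Constructed sample input (hypothetical lines, not taken from any cloud.gov repo).
# Because the rule already demands 12 literal digits, interpolated and wildcard
# account IDs never match in the first place; the allowlist only changes the
# outcome when a variable appears elsewhere in the matched ARN (sample line 7).
SAMPLE = [
    "role_arn: arn:aws:iam::123456789012:role/ServiceRole",             # 1 flagged
    "role_arn: arn:aws:iam::${ACCOUNT_ID}:role/ServiceRole",            # 2 no match
    "es_arn: arn:aws-us-gov:es:${REGION}:${ACCOUNT_ID}:domain/${TAG}",  # 3 no match
    "es_arn: arn:aws-us-gov:es:us-gov-west-1:210987654321:domain/logs", # 4 flagged (GovCloud)
    "bucket_arn: arn:aws:s3:::my-bucket",                               # 5 no account field
    "topic_arn: arn:aws:sns:us-east-1:*:alerts",                        # 6 wildcard account
    "role_arn: arn:aws:iam::123456789012:role/${ACCOUNT_ROLE}",         # 7 allowlisted
]

if __name__ == "__main__":
    for lineno, arn in scan_lines(SAMPLE):
        print(f"line {lineno}: {arn}")
```

Running the block reports only sample lines 1 and 4, which is the behaviour the "literal 12-digit account ID" constraint is meant to produce.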

Implementation Phases

  1. Phase 1: Add rule as warning level (non-blocking)
  2. Phase 2: Monitor false positive rate across cloud.gov repos
  3. Phase 3: Promote to blocking if FP rate acceptable

Acceptance Criteria

  • Add ARN detection rule to gitleaks configuration
  • Include GovCloud partition (aws-us-gov)
  • Allow variable interpolation patterns
  • Add test case for ARN detection
  • Document in docs/blocked-files.md
  • Test against cg-scripts to verify no false positives

Security Considerations

  • ARN exposure risk: Medium (reconnaissance value)
  • False positive risk: Low (impact analysis shows minimal existing usage)
  • Recommended level: warning initially

References

Labels

  • enhancement
  • security

Co-authored-by: OpenCode Agent agent@gsa.gov
