add aws credential checking ONLY FOR YOUR OWN credentials if they're set in a configurable credentials file (AWS CLI tools' native format)

README.md

@@ -37,6 +37,7 @@ Add this to your `.pre-commit-config.yaml`
 - `check-xml` - Attempts to load all xml files to verify syntax.
 - `check-yaml` - Attempts to load all yaml files to verify syntax.
 - `debug-statements` - Check for pdb / ipdb / pudb statements in code.
+- `detect-aws-credentials` - Checks for the existence of aws access keys and secrets that you have set up with the AWS cli.
 - `detect-private-key` - Checks for the existence of private keys.
 - `double-quote-string-fixer` - This hook replaces double quoted strings
   with single quoted strings.

hooks.yaml

@@ -56,6 +56,12 @@
     entry: debug-statement-hook
     language: python
     files: \.py$
+-   id: detect-aws-credentials
+    name: Detect AWS Credentials
+    description: Detects *your* aws credentials from the aws cli credentials file
+    entry: detect-aws-credentials
+    language: python
+    files: ''
 -   id: detect-private-key
     name: Detect Private Key
     description: Detects the presence of private keys

pre_commit_hooks/detect_aws_credentials.py

@@ -0,0 +1,65 @@
+from __future__ import print_function
+from __future__ import unicode_literals
+
+import argparse
+import ConfigParser
+import os
+
+
+def get_your_keys(credentials_file, ignore_access_key=False):
+    """ reads the keys in your credentials file in order to be able to look
+    for them in the submitted code.
+    """
+    aws_credentials_file_path = os.path.expanduser(credentials_file)
+    if not os.path.exists(aws_credentials_file_path):
+        exit(2)
+
+    parser = ConfigParser.ConfigParser()
+    parser.read(aws_credentials_file_path)
+
+    keys = set()
+    for section in parser.sections():
+        if not ignore_access_key:
+            keys.add(parser.get(section, 'aws_access_key_id'))
+        keys.add(parser.get(section, 'aws_secret_access_key'))
+    return keys
+
+
+def check_file_for_aws_keys(filename, keys):
+    with open(filename, 'r') as content:
+        # naively match the entire file, chances be so slim
+        # of random characters matching your flipping key.
+        for line in content:
+            if any(key in line for key in keys):
+                return 1
+    return 0
+
+
+def main(argv=None):
+    parser = argparse.ArgumentParser()
+    parser.add_argument('filenames', nargs='*', help='Filenames to run')
+    parser.add_argument(
+        "--credentials-file", 
+        default='~/.aws/credentials',
+        help="location of aws credentials file from which to get the keys "
+              "we're looking for",
+    )
+    parser.add_argument(
+        "--ignore-access-key", 
+        action='store_true',
+        help="if you would like to ignore access keys, as there is "
+        "occasionally legitimate use for these.",
+    )
+    args = parser.parse_args(argv)
+    ignore_access_key = args.ignore_access_key
+    keys = get_your_keys(args.credentials_file,
+                         ignore_access_key=ignore_access_key)
+
+    retv = 0
+    for filename in args.filenames:
+        retv |= check_file_for_aws_keys(filename, keys)
+    return retv
+
+
+if __name__ == '__main__':
+    exit(main())

setup.py

@@ -44,6 +44,7 @@ setup(
             'check-xml = pre_commit_hooks.check_xml:check_xml',
             'check-yaml = pre_commit_hooks.check_yaml:check_yaml',
             'debug-statement-hook = pre_commit_hooks.debug_statement_hook:debug_statement_hook',
+            'detect-aws-credentials = pre_commit_hooks.detect_aws_credentials:main',
             'detect-private-key = pre_commit_hooks.detect_private_key:detect_private_key',
             'end-of-file-fixer = pre_commit_hooks.end_of_file_fixer:end_of_file_fixer',
             'name-tests-test = pre_commit_hooks.tests_should_end_in_test:validate_files',