I have three Lambda functions being picked up by Amazon Inspector for hard-coded credentials. However, after carefully reviewing the code, there are no hard-coded credentials. One of them has no mention of any API keys, and the other two that do mention API keys only ever fetch them from Secrets Manager via the SDK.
For some context:
- We are using Serverless Framework V3 to deploy the Lambda functions to AppSync
- Lambda runtime is NodeJS 16.x
The affected file paths do not even appear anywhere in our codebase, and look as if they are maybe backing out into the Lambda VM? Regardless, I have searched everywhere for the affected files, both in my codebase and in the AWS Console, and cannot find them.
I also wondered if it was because some of the variable names inside the functions have certain words like Key, but as mentioned above, one of the functions does not contain any reference like this, and the ones that do are fetched from SSM, not hard-coded.
Has anyone else come across this issue, and are there any steps I can take to remediate?
Thanks in advance!