Add --exclude-values arg to detect-aws-credentials

Adds an argument to pass a regex which will exclude any values that match it to
not count as a failure.

The rationale behind this are test variables, such as those used with
LocalStack (in some cases literally `TEST`) are counted as a failure. Adding
this parameter will allow bypassing the check for those values only instead of
excluding the files from the hook running where _real_ credentials could
potentially leak.

pre_commit_hooks/detect_aws_credentials.py

@@ -3,6 +3,7 @@ from __future__ import annotations
 import argparse
 import configparser
 import os
+import re
 from typing import NamedTuple
 from typing import Sequence
 
@@ -89,6 +90,11 @@ def check_file_for_aws_keys(
     return bad_files
 
 
+def filter_keys(keys: set[str], exclude: str) -> set[str]:
+    pattern = re.compile(exclude)
+    return {key for key in keys if not pattern.match(key)}
+
+
 def main(argv: Sequence[str] | None = None) -> int:
     parser = argparse.ArgumentParser()
     parser.add_argument('filenames', nargs='+', help='Filenames to run')
@@ -110,6 +116,12 @@ def main(argv: Sequence[str] | None = None) -> int:
         action='store_true',
         help='Allow hook to pass when no credentials are detected.',
     )
+    parser.add_argument(
+        '--exclude-values',
+        dest='exclude_values',
+        default='^$',
+        help='Regular expression for secret values that should be excluded.',
+    )
     args = parser.parse_args(argv)
 
     credential_files = set(args.credentials_file)
@@ -137,7 +149,7 @@ def main(argv: Sequence[str] | None = None) -> int:
         )
         return 2
 
-    keys_b = {key.encode() for key in keys}
+    keys_b = {key.encode() for key in filter_keys(keys, args.exclude_values)}
     bad_filenames = check_file_for_aws_keys(args.filenames, keys_b)
     if bad_filenames:
         for bad_file in bad_filenames: