
B105 (hardcoded password) false positive for the string NextToken #1350

@ajkerrigan

Description

Describe the bug

Disclaimer: I did notice that B105 (hardcoded_password_string) mentions that it can be noisy, so feel free to WONTFIX this 😅 .

Cloud Custodian CI jobs fail with bandit 1.9.3 because working with boto3 paginators (example) can involve parameter lists including the value NextToken:

>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'NextToken'
   Severity: Low   Confidence: Medium
   CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
   More Info: https://bandit.readthedocs.io/en/1.9.3/plugins/b105_hardcoded_password_string.html
   Location: c7n/resources/awslambda.py:833:9
832	        client.list_layer_versions,
833	        {'input_token': 'NextToken',
834	         'output_token': 'NextToken',
835	         'result_key': 'LayerVersions'},
836	        client.meta.service_model.operation_model('ListLayerVersions'))

While we can certainly work around it with either some # nosec sprinkles or excluding the B105 check altogether, I wonder if some knobs for that rule might avoid some false positives.

Reproduction steps

1. Have a dict like this:

   # test.py
   params = {'input_token': 'NextToken', 'output_token': 'NextToken'}

2. Run `uvx bandit test.py`
3. See `B105` findings

Expected behavior

There is a way to flag known patterns that would otherwise trip up B105, at a level of granularity between line-level # nosec exclusions and excluding the entire B105 rule.

Bandit version

1.9.1 (Default)

Python version

3.14 (Default)

Additional context

Bandit version not available in dropdown, so:

❯ uvx bandit --version
bandit 1.9.3
  python version = 3.14.0 (main, Oct 28 2025, 12:13:17) [Clang 20.1.4 ]
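The finding above fires because the dict key `input_token` matches B105's password-like name pattern, not because of anything in the value `'NextToken'` itself. The following is an added example (not bandit's code and not from the issue author) that reproduces that shape of check and adds the knob the report asks for: an allowlist of string values that are known pagination or protocol tokens rather than credentials. The regex is modelled on the kind bandit's hardcoded_password_string plugin uses but is an assumption, not copied from bandit 1.9.3; `find_hardcoded_passwords`, `DEFAULT_ALLOWLIST` and the extra allowlisted names `Marker` and `ContinuationToken` are hypothetical, and `SAMPLE` is constructed input.

```python
"""Hypothetical B105-style scanner with a value allowlist (added example).

Mimics the two shapes the issue reports (a dict whose key looks like a
password field, and a plain assignment) and adds an allowlist of string
values that are known pagination/protocol tokens rather than credentials.
Not bandit's own implementation.
"""
import ast
import re

# Password-ish identifier words. Modelled on the kind of regex bandit's
# hardcoded_password_string plugin uses; the exact pattern in bandit 1.9.3
# may differ (assumption, not copied from bandit).
RE_WORDS = r"(pas+wo?r?d|pass(phrase)?|pwd|token|secrete?)"
RE_CANDIDATES = re.compile(
    r"(^{0}$|_{0}_|^{0}_|_{0}$)".format(RE_WORDS), re.IGNORECASE
)

# Hypothetical knob: values that sit under a password-like key but are not
# secrets. 'NextToken' is the boto3 pagination key from the issue; the other
# two are further AWS pagination names added here as assumptions.
DEFAULT_ALLOWLIST = frozenset({"NextToken", "Marker", "ContinuationToken"})


def _looks_like_password_field(name):
    """True when an identifier or dict key matches the password-word regex."""
    return RE_CANDIDATES.search(name) is not None


def _string_literal(node):
    """Return the str value of a string-literal AST node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def find_hardcoded_passwords(source, allowlist=DEFAULT_ALLOWLIST):
    """Return sorted (lineno, field, value) tuples for suspicious literals.

    Values in ``allowlist`` are skipped, which sits between a per-line
    ``# nosec`` and disabling B105 for the whole project.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            # name = "literal"
            value = _string_literal(node.value)
            if value is None:
                continue
            for target in node.targets:
                if isinstance(target, ast.Name) and _looks_like_password_field(target.id):
                    if value not in allowlist:
                        findings.append((node.lineno, target.id, value))
        elif isinstance(node, ast.Dict):
            # {"key": "literal"}; a None key is a **spread entry with no literal key
            for key_node, value_node in zip(node.keys, node.values):
                if key_node is None:
                    continue
                key = _string_literal(key_node)
                value = _string_literal(value_node)
                if key is None or value is None:
                    continue
                if _looks_like_password_field(key) and value not in allowlist:
                    findings.append((value_node.lineno, key, value))
    return sorted(findings)


# Constructed sample input: the dict from the issue plus real-looking
# credentials, so the allowlist suppresses only the pagination token.
SAMPLE = """\
params = {'input_token': 'NextToken', 'output_token': 'NextToken'}
creds = {'db_password': 'hunter2'}
api_token = "NextToken"
admin_pwd = "letmein"
"""

if __name__ == "__main__":
    for lineno, field, value in find_hardcoded_passwords(SAMPLE):
        print(f"line {lineno}: {field!r} = {value!r}")
    print("without allowlist:", find_hardcoded_passwords(SAMPLE, allowlist=frozenset()))
```

With the default allowlist the scan reports only `db_password` and `admin_pwd`; with an empty allowlist it also reports both `NextToken` dict entries and the `api_token` assignment, which is the behaviour the issue describes.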

Labels

    bug (Something isn't working)
