diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 4620f0285cd..c6b32e5f000 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -3,11 +3,11 @@
{
"id": "487f4be7-3fd9-4506-a07a-eae252180c08",
"name": "Generic Password",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?",
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+\\-,. ]{4,}['\"]?",
"allowRules": [
{
"description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\[\\.\\)\\]\\}\\$]|(:\\s*null))|null)"
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\s*([\\[\\.\\)\\]\\}\\$]|:\\s*null)|null)"
},
{
"description": "Avoiding description field",
@@ -15,19 +15,15 @@
},
{
"description": "Avoiding Terraform 'optional' statement",
- "regex": "(?i)['\"]?password['\"]?\\s*=\\s*optional\\((string|number|sensitive\\(string\\)|map\\(string\\)|set\\(string\\)|any)\\)$"
+ "regex": "(?i)['\"]?password['\"]?\\s*=\\s*optional\\((string|number|sensitive\\(string\\)|map\\(string\\)|set\\(string\\)|any)\\)"
},
{
"description": "Avoiding Terraform 'try' statement",
- "regex": "(?i)['\"]?password['\"]?\\s*=\\s*try\\([^\"']+,[^\"']+\\)$"
- },
- {
- "description": "Avoiding CF AllowUsersToChangePassword",
- "regex": "['\"]?AllowUsersToChangePassword['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
+ "regex": "(?i)['\"]?password['\"]?\\s*=\\s*try\\([^\"']+,[^\"']+\\)"
},
{
"description": "Avoiding Ansible playbook update_password",
- "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
+ "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+\\-,.]{4,}['\"]?"
},
{
"description": "Allow placeholders",
@@ -39,7 +35,11 @@
},
{
"description": "Allow password retrieved from ARM parameters",
- "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?\\s*,\\s*parameters\\(['\"]([a-zA-Z][a-zA-Z0-9_-]*)['\"]['\"]?\\)"
+ "regex": "(?i)['\"]?password['\"]?\\s*[:=]\\s*['\"]?\\s*,\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_\\-]*['\"]['\"]?\\)"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)password\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,\\s*$|\\[\\s*$|;)"
}
],
"specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*"
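Review bot: The new "Avoiding Proto File fields" rule at L51 allowlists any `password = <integer>;` assignment, not only protobuf field declarations, so a numeric PIN such as `password = 123456;` in a Java, JS or C source would be silenced, whereas Generic Password at L10 reports it today (the value exceeds the `{4,}` minimum). Nothing in this file scopes allow rules by file extension, so unless the engine does that elsewhere, the rule should require proto syntax around the field, e.g. `(?i)(string|bytes|bool|u?int(32|64)|optional|required|repeated)\\s+\\w*password\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(…same tail…)`, or drop the bare `;` alternative and keep only the `[… = …]` option forms. The same pattern is copied for secret, private_key, token and encryption_key further down; whichever fix is chosen should be applied to all copies.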
@@ -47,10 +47,10 @@
{
"id": "3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99",
"name": "Generic Secret",
- "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]{10,})['\"]?",
+ "regex": "(?i)['\"]?secret_?(key|value)?['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@#&%(){};=?*+\\-.<>,:;\\[\\]%$]{10,})['\"]?",
"entropies": [
{
- "group": 3,
+ "group": 2,
"min": 2.8,
"max": 8
}
@@ -58,34 +58,38 @@
"allowRules": [
{
"description": "Avoiding Square OAuth Secret",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?"
+ "regex": "(?i)['\"]?secret_?(key)?['\"]?\\s*[:=]\\s*['\"]?sq0csp-[0-9A-Za-z\\-_]{43}['\"]?"
},
{
"description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*(([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?)\\s*([\\.\\)\\]\\$]|(:\\s*null))|null)"
+ "regex": "(?i)['\"]?secret_?(key)?['\"]?\\s*[:=]\\s*([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\s*([\\[\\.\\)\\]\\}\\$]|:\\s*null)|null)"
},
{
"description": "Avoiding Secrets Manager arn",
- "regex": ":secretsmanager:[a-z0-9-*?]+:[0-9*?]+:(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ "regex": ":secretsmanager:[a-z0-9-*?]+:[0-9*?]+:(?i)['\"]?secret_?(key)?['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?"
},
{
"description": "Avoiding CloudFormation Parameters Descriptions",
- "regex": "['\"]?Description['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*${}+-.'\"]+)['\"]?"
+ "regex": "['\"]?Description['\"]?\\s*[:=]\\s*['\"]?.*['\"]?"
},
{
- "description": "Avoiding Secrets from Azure Key Vault",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+-]+}?"
+ "description": "Avoiding Secrets from Variable Interpolation",
+ "regex": "(?i)['\"]?secret_?(key)?['\"]?\\s*[:=]\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+\\-]+}?"
},
{
"description": "Allow secret retrieved from ARM parameters",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_-]*['\"]\\s*\\)\\s*\\]"
+ "regex": "(?i)['\"]?secret_?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_\\-]*['\"]\\s*\\)\\s*\\]"
},
{
"description": "Allow secrets retrieved from Bicep getSecret built in function",
- "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]+)[\"']\\)"
+ "regex": "(?i)['\"]?secret_?(key|value)?['\"]?\\s*[:=]\\s*[a-zA-Z]*\\.getSecret\\(\\s*['\"][A-Za-z0-9/~^_!@#&%(){};=?*+\\-<>,:;\\[\\]%$]+['\"]\\)"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)secret_?(key|value)?\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,\\s*$|\\[\\s*$|;)"
}
],
- "specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*"
+ "specialMask": "(?i)['\"]?secret_?(key)?['\"]?\\s*[:=]\\s*"
},
{
"id": "51b5b840-cd0c-4556-98a7-fe5f4def80cf",
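Review bot: The Generic Secret `specialMask` at L112 still matches only `secret_?(key)?`, while the detection regex at L60 matches `secret_?(key|value)?`, so a `secret_value = …` finding has no mask that fits it; if `specialMask` is what redacts the matched value in the report (this file does not show the engine side), those values would be emitted unmasked. Suggest `"specialMask": "(?i)['\"]?secret_?(key|value)?['\"]?\\s*[:=]\\s*"`. Separately, the "Avoiding CloudFormation Parameters Descriptions" rule at L88 now reduces to `Description … .*`, so any single line that contains `Description:` before the secret assignment (single-line JSON, for instance) is silenced, and the trailing `['\"]?` after `.*` is redundant; a bounded class such as `[^'\"]*` would keep the intent without swallowing the whole line.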
@@ -135,7 +139,7 @@
{
"id": "83ab47ff-381d-48cd-bac5-fb32222f54af",
"name": "AWS Secret Key",
- "regex": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*['\"]?([a-zA-Z0-9/]{40})[\"']?",
+ "regex": "(?i)AWS_SECRET(_ACCESS)?(_KEY)?\\s*[:=]\\s*['\"]?([a-zA-Z0-9/]{40})['\"]?",
"entropies": [
{
"group": 3,
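Review bot: The value class at L121, `[a-zA-Z0-9/]{40}`, still excludes `+`, but AWS secret access keys are 40 characters of base64 and can contain `+` as well as `/`, so a key that happens to include `+` is not reported by this rule. Since the line is being touched anyway, widen it to `['\"]?([a-zA-Z0-9/+]{40})['\"]?`; the entropy group index at L124 is unaffected because no group is added.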
@@ -148,11 +152,11 @@
{
"id": "4b2b5fd3-364d-4093-bac2-17391b2a5297",
"name": "K8s Environment Variable Password",
- "regex": "apiVersion((.*)\\s*)*env:((.*)\\s*)*name:\\s*\\w+(?i)pass((?i)word)?\\w*\\s*(value):\\s*([\"|'].*[\"|'])",
+ "regex": "apiVersion(.*\\s*)*env:(.*\\s*)*name:\\s*\\w+(?i)pass((?i)word)?\\w*\\s*value:\\s*(['\"].*['\"])",
"multiline": {
- "detectLineGroup": 7
+ "detectLineGroup": 4
},
- "specialMask": "\\s*(value):\\s*"
+ "specialMask": "\\s*value:\\s*"
},
{
"id": "d651cca2-2156-4d17-8e76-423e68de5c8b",
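Review bot: In the K8s rule at L130, `name:\\s*\\w+(?i)pass` requires at least one word character before `pass`, so an env var named exactly `PASSWORD` (`- name: PASSWORD` / `value: "…"`) is not matched; only names like `DB_PASSWORD` are. Changing the quantifier to `name:\\s*\\w*(?i)pass((?i)word)?\\w*\\s*value:` covers both without adding a group, so `detectLineGroup: 4` stays valid. The group renumbering itself (7 to 4) checks out against the remaining capture groups in the new regex.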
@@ -172,7 +176,7 @@
{
"id": "7908a9e3-5cac-41b1-b514-5f6d82ce02d5",
"name": "Slack Token",
- "regex": "['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?"
+ "regex": "['\"]?xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32}['\"]?"
},
{
"id": "6abcae17-b175-4698-a9a5-b07661974749",
@@ -197,9 +201,9 @@
{
"id": "9a3650af-5b88-48cd-ab89-cd77fd0b633f",
"name": "Heroku API Key",
- "regex": "['\"]?(?i)heroku((.|\\n)*)\\b([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\\b['\"]?",
+ "regex": "['\"]?(?i)heroku(.|\\n)*\\b([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\\b['\"]?",
"multiline": {
- "detectLineGroup": 3
+ "detectLineGroup": 2
},
"specialMask": "['\"]?(?i)api_key[^\\w\"']+"
},
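Review bot: The Heroku regex at L154 keeps `(.|\\n)*` between the keyword and the UUID, so under the multiline matcher the match can span the rest of the file and any UUID that appears anywhere after the word "heroku" (in a comment, a resource id, and with `(?i)` also lowercase hex) is reported as a Heroku API key. If the intent is "UUID near a heroku reference", bound the gap to the same or a few following lines, e.g. `heroku(?:[^\\n]*\\n){0,3}[^\\n]*\\b([0-9A-F]{8}-…)\\b`; a non-capturing group keeps `detectLineGroup: 2` correct. Whether the matcher really runs over whole-file text is not visible here, so please confirm before changing it.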
@@ -236,14 +240,14 @@
{
"id": "74736dd1-dd11-4139-beb6-41cd43a50317",
"name": "Generic API Key",
- "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?([0-9a-zA-Z]{32,45})['\"]?",
+ "regex": "(?i)['\"]?api_?key['\"]?\\s*[:=]\\s*['\"]?[0-9a-zA-Z]{32,45}['\"]?",
"allowRules": [
{
"description": "Avoiding Twilio API Key",
- "regex": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*['\"]?(SK[0-9a-fA-F]{32})['\"]?"
+ "regex": "(?i)['\"]?api_?key['\"]?\\s*[:=]\\s*['\"]?SK[0-9a-fA-F]{32}['\"]?"
}
],
- "specialMask": "(?i)['\"]?api[_]?key['\"]?\\s*[:=]\\s*"
+ "specialMask": "(?i)['\"]?api_?key['\"]?\\s*[:=]\\s*"
},
{
"id": "62d0025d-9575-4eff-b60b-d3b4fcec0d04",
@@ -263,14 +267,13 @@
{
"id": "7f370dd5-eea3-4e5f-8354-3cb2506f9f13",
"name": "Generic Access Key",
- "regex": "(?i)^\\s*['\"]?(access)[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9\/~^_!@&%()=?*+-]+)['\"]?",
- "specialMask": "(?i)['\"]?access[_]?key['\"]?\\s*[:=]\\s*"
+ "regex": "(?i)^\\s*['\"]?access_?key['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?",
+ "specialMask": "(?i)['\"]?access_?key['\"]?\\s*[:=]\\s*"
},
{
"id": "2f665079-c383-4b33-896e-88268c1fa258",
"name": "Generic Private Key",
- "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
- "specialMask": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*",
+ "regex": "(?i)['\"]?private_?key['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?",
"allowRules": [
{
"description": "Avoiding bash variables",
@@ -278,54 +281,59 @@
},
{
"description": "Avoid Docker Compose secrets paths",
- "regex": "(?i)['\"]?private[_]?key['\"]?\\s*[:=]\\s*['\"]?/run/secrets/\\w+['\"]?"
+ "regex": "(?i)['\"]?private_?key['\"]?\\s*[:=]\\s*['\"]?/run/secrets/\\w+['\"]?"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)private_?key\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,\\s*$|\\[\\s*$|;)"
}
- ]
+ ],
+ "specialMask": "(?i)['\"]?private_?key['\"]?\\s*[:=]\\s*"
},
{
"id": "baee238e-1921-4801-9c3f-79ae1d7b2cbc",
"name": "Generic Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?",
"allowRules": [
{
"description": "Avoiding Amazon MWS Auth Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*['\"]?amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"]?"
},
{
"description": "Avoiding Slack Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*['\"]?xox[pboa]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32}['\"]?"
},
{
"description": "Avoiding Square Access Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(sq0atp-[0-9A-Za-z\\-_]{22})['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*['\"]?sq0atp-[0-9A-Za-z\\-_]{22}['\"]?"
},
{
"description": "Avoiding Google OAuth Access Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(ya29\\.[0-9A-Za-z\\-_]+)['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*['\"]?ya29\\.[0-9A-Za-z\\-_]+['\"]?"
},
{
"description": "Avoiding PayPal Braintree Access Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32})['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*['\"]?access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}['\"]?"
},
{
"description": "Avoiding Facebook Access Token",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[=:]\\s*['\"]?(EAACEdEose0cBA[0-9A-Za-z]+)['\"]?"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*['\"]?EAACEdEose0cBA[0-9A-Za-z]+['\"]?"
},
{
"description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?token(_)?(key)?['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
+ "regex": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\s*([\\[\\.\\)\\]\\}\\$]|:\\s*null)|null)"
},
{
"description": "Avoiding TF creation token",
- "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ "regex": "(?i)['\"]?creation_token['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?"
},
{
- "description": "Avoiding CLoudformation ServiceToken",
- "regex": "['\"]?ServiceToken['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?"
+ "description": "Avoiding CloudFormation ServiceToken",
+ "regex": "['\"]?ServiceToken['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+\\-,.]+['\"]?"
},
{
"description": "Avoiding LifecycleActionToken Var",
- "regex": "(?i)['\"]?LifecycleActionToken['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ "regex": "(?i)['\"]?LifecycleActionToken['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?"
},
{
"description": "Avoiding Github id-token Default Values",
@@ -333,49 +341,53 @@
},
{
"description": "Avoiding result_token Var",
- "regex": "(?i)['\"]?result(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ "regex": "(?i)['\"]?result_?token['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?"
},
{
"description": "Avoiding next_token Var",
- "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
- },
- {
- "description": "Avoiding next_token Var",
- "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ "regex": "(?i)['\"]?next_?token['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?"
},
{
"description": "Avoiding references to module outputs in Bicep",
- "regex": "(?i)token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)"
+ "regex": "(?i)token_?(key)?\\s*[:=]\\s*[a-zA-Z][a-zA-Z0-9_]*\\.outputs\\.[a-zA-Z][a-zA-Z0-9_]*"
},
{
"description": "Avoiding Run After Triggers (if written in conformity with best practices)",
- "regex": "(?i)['\"](HTTP|Parse_JSON|Try|Catch)_-_(Get_)?OAuth_Token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+ "regex": "(?i)['\"](HTTP|Parse_JSON|Try|Catch)_-_(Get_)?OAuth_Token['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?"
+ },
+ {
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)token_?(key)?\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,\\s*$|\\[\\s*$|;)"
}
],
- "specialMask": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*"
+ "specialMask": "(?i)['\"]?token_?(key)?['\"]?\\s*[:=]\\s*"
},
{
- "id": "e0f01838-b1c2-4669-b84b-981949ebe5ed",
+ "id": "0ec60fb3-5b78-4da0-bea0-b854fd9bf8b9",
"name": "CloudFormation Secret Template",
- "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{([\\\":A-Za-z0-9/~^_!@&%()=?*+-]{10,})}",
+ "regex": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*['\"]?{[\\\":A-Za-z0-9/~^_!@&%()=?*+\\-]{10,}}",
"specialMask": "(?i)['\"]?SecretStringTemplate['\"]?\\s*:\\s*"
},
{
"id": "9fb1cd65-7a07-4531-9bcf-47589d0f82d6",
"name": "Encryption Key",
- "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?",
+ "regex": "(?i)['\"]?encryption_?key['\"]?\\s*[:=]\\s*['\"]?[\\[A-Za-z0-9/~^_!@&%()=?*+\\-]+['\"]?",
"allowRules": [
{
"description": "Avoiding TF resource access",
- "regex": "(?i)['\"]?encryption[_]?key['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
+ "regex": "(?i)['\"]?encryption_?key['\"]?\\s*[:=]\\s*([a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\.[a-zA-Z_]+(\\[([a-zA-Z_]+\\.[a-zA-Z_]+.*|\\d+)\\])?\\s*([\\[\\.\\)\\]\\}\\$]|:\\s*null)|null)"
+ },
+ {
+ "description": "Avoiding CloudFormation KeyName",
+ "regex": "['\"]?EncryptionKey['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+\\-,.]+['\"]?"
},
{
- "description": "Avoiding CLoudformation KeyName",
- "regex": "['\"]?EncryptionKey['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]+)['\"]?"
+ "description": "Avoiding Proto File fields",
+ "regex": "(?i)encryption_?key\\s*=\\s*(0|[1-9][0-9]{0,8})\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,\\s*$|\\[\\s*$|;)"
}
],
- "specialMask": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*"
+ "specialMask": "(?i)['\"]?encryption_?key['\"]?\\s*[:=]\\s*"
},
{
"id": "8a879bc7-6f82-40fd-bb48-74d25d557fe8",
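Review bot: The CloudFormation Secret Template rule gets a new id at L307 (`e0f01838-…` becomes `0ec60fb3-…`); the test comment added in negative23.yaml attributes `e0f01838-…` to "Twilio API Key", so this appears to fix two rules sharing one id, which is the right call. It is still a user-visible change: anyone referencing `e0f01838-…` in include/exclude lists will now silently affect only the Twilio rule, so please call the id change out in the changelog or docs. Also worth noting in the "Avoiding CloudFormation KeyName" rule at L326 that `EncryptionKey: <anything>` is allowlisted case-sensitively with no value restriction, so a literal key placed there would never be reported; that is pre-existing, but the line is being rewritten here.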
@@ -385,58 +397,54 @@
{
"id": "be0ed753-d304-4363-844a-144050d4006d",
"name": "Generic Password on YAML files when value in tuple",
- "regex": ".*password\\s*:[\\n|\\r]\\s*value:([^\\n|\\r]*)",
+ "regex": ".*password\\s*:[\\n\\r]\\s*value:([^\\n\\r]*)",
"multiline": {
"detectLineGroup": 1
},
- "specialMask": ".*password\\s*:[\\n|\\r]\\s*value:"
+ "specialMask": ".*password\\s*:[\\n\\r]\\s*value:"
},
{
"id": "f05f238a-2ef0-4c39-9a36-951de1ba6dc9",
"name": "Dockerfile ENV hardcoded password with omitted equals",
- "regex": "(?i)ENV\\s+[A-Za-z0-9/~^_!@&%()=?*+-.]*password[A-Za-z0-9/~^_!@&%()=?*+-.]*\\s+['\"]?([A-Za-z0-9/~^_!@&%()=?*+-. ]{4,})['\"]?"
+ "regex": "(?i)ENV\\s+[A-Za-z0-9/~^_!@&%()=?*+\\-,.]*password[A-Za-z0-9/~^_!@&%()=?*+\\-,.]*\\s+['\"]?[A-Za-z0-9/~^_!@&%()=?*+\\-,. ]{4,}['\"]?"
}
],
"allowRules": [
{
"description": "Avoiding TF variables",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(var\\.)['\"]?"
- },
- {
- "description": "!Ref is a cloudFormation reference",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+!Ref\\s+\\.*"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?var\\.['\"]?"
},
{
- "description": "Avoiding cloudFormation intrinsic functions",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+(!GetAtt|!Sub|!FindInMap|!If|!GetAZs|!ImportValue|!Join|!Select|!Split|!Not|Fn::Transform(:)?)\\s+\\.*"
+ "description": "Avoiding CloudFormation intrinsic functions",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+(!Ref|!GetAtt|!Sub|!FindInMap|!If|!GetAZs|!ImportValue|!Join|!Select|!Split|!Not|Fn::Transform:?)\\s+.*"
},
{
"description": "Avoiding CF resolve",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?({{resolve:)['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[:=]\\s*['\"]?{{resolve:[^'\"]*['\"]?"
},
{
"description": "Avoiding Boolean's",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(true|false)['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[:=]\\s*['\"]?(true|false)['\"]?"
},
{
"description": "Avoiding arn",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(arn:)['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[:=]\\s*['\"]?arn:['\"]?"
},
{
"description": "Avoiding array access",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,}\\[([0-9]|['\"][a-zA-Z0-9]+['\"])\\])['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[:=]\\s*['\"]?[A-Za-z0-9/~^_!@&%()=?*+\\-,.]{4,}\\[([0-9]+|['\"][a-zA-Z0-9]+['\"])]['\"]?"
},
{
"description": "Avoiding TF file function",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(file\\()['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?file\\(['\"]?"
},
{
"description": "Avoiding ansible-vault encrypted variables",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(!vault \\|)['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[:=]\\s*['\"]?!vault \\|['\"]?"
},
{
"description": "Avoiding sha-hashed mysql native passwords",
- "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(\\*[0-9A-F]{40})['\"]?"
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[:=]\\s*['\"]?\\*[0-9A-F]{40}['\"]?"
}
]
}
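Review bot: The global "Avoiding Boolean's" rule at L383 has no terminator after `(true|false)`, so it prefix-matches and silences any value that merely starts with those words, e.g. `password = "truest-secret"` or `token: falsehood123`. Adding a word boundary fixes it without touching the rest of the alternation: `"regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[:=]\\s*['\"]?(true|false)\\b['\"]?"`. The `arn:`, `var\\.`, `file\\(` and `{{resolve:` rules are prefixes by design, so they do not need the same treatment.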
diff --git a/assets/queries/common/passwords_and_secrets/temp_sample.yaml b/assets/queries/common/passwords_and_secrets/temp_sample.yaml
new file mode 100644
index 00000000000..9b356498020
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/temp_sample.yaml
@@ -0,0 +1,12 @@
+# Generic Negative Test - no secrets (k8s)
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx
+ labels:
+ env: test
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ # trigger validation
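Review bot: `temp_sample.yaml` is added next to `regex_rules.json` rather than under `test/`, and its blob id (`9b356498020` at L414) is identical to the updated `test/negative1.yaml` at L431, so it is a byte-for-byte duplicate whose only distinguishing text is the `# trigger validation` comment. This reads like a scratch file used to poke CI and should be dropped from the commit; if it is meant to stay, move it under `test/` and give it a header comment explaining which rule it exercises, as the other negative files now do.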
diff --git a/assets/queries/common/passwords_and_secrets/test/negative1.yaml b/assets/queries/common/passwords_and_secrets/test/negative1.yaml
index a61780e50aa..9b356498020 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative1.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative1.yaml
@@ -1,4 +1,4 @@
-#k8s test
+# Generic Negative Test - no secrets (k8s)
apiVersion: v1
kind: Pod
metadata:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative10.tf b/assets/queries/common/passwords_and_secrets/test/negative10.tf
index 4e829394c64..8ebc14538d1 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative10.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative10.tf
@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables" allow-rule-test
resource "aws_db_instance" "default" {
name = var.dbname
engine = "mysql"
@@ -10,7 +11,7 @@ resource "aws_db_instance" "default" {
instance_class = "db.t3.micro"
allocated_storage = "20"
username = "admin"
- password = var.password
+ password = var.password # negative1
apply_immediately = true
multi_az = false
backup_retention_period = 0
diff --git a/assets/queries/common/passwords_and_secrets/test/negative11.tf b/assets/queries/common/passwords_and_secrets/test/negative11.tf
index 91111c3c83d..191c744108b 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative11.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative11.tf
@@ -1,9 +1,10 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables" allow-rule-test
resource "auth0_connection" "google_oauth2" {
name = "Google-OAuth2-Connection"
strategy = "google-oauth2"
options {
client_id = var.google_client_id
- client_secret = var.google_client_secret
+ client_secret = var.google_client_secret # negative1
allowed_audiences = [ "example.com", "api.example.com" ]
scopes = [ "email", "profile", "gmail", "youtube" ]
set_user_root_attributes = "on_each_login"
diff --git a/assets/queries/common/passwords_and_secrets/test/negative12.tf b/assets/queries/common/passwords_and_secrets/test/negative12.tf
index 234d9f04a5e..e7754d742a6 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative12.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative12.tf
@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables" allow-rule-test
provider "slack" {
- token = var.slack_token
+ token = var.slack_token # negative1
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative13.tf b/assets/queries/common/passwords_and_secrets/test/negative13.tf
index 087185f62e0..0e5d10d861d 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative13.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative13.tf
@@ -1,3 +1,4 @@
+# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317 negative-test ('.' char is illegal in key definition, incorrect key length (17 is not in {32,45}))
provider "stripe" {
api_key = var.strip_api_key
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative14.tf b/assets/queries/common/passwords_and_secrets/test/negative14.tf
index 4f13644463a..4303622ddc9 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative14.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative14.tf
@@ -1,3 +1,4 @@
+# Generic Negative Test - several keywords used in safe contexts ("password","api_key","secret_key")
resource "aws_ecs_task_definition" "webapp" {
family = "tomato-webapp"
task_role_arn = data.aws_iam_role.ecs_task_role.arn
diff --git a/assets/queries/common/passwords_and_secrets/test/negative15.tf b/assets/queries/common/passwords_and_secrets/test/negative15.tf
index bc0d6ecbf12..569e43cdc68 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative15.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative15.tf
@@ -1,3 +1,4 @@
+# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317 negative-test ('.' char is illegal in key definition, incorrect key length (18 is not in {32,45}))
provider "heroku" {
email = "ops@company.com"
api_key = var.heroku_api_key
diff --git a/assets/queries/common/passwords_and_secrets/test/negative16.tf b/assets/queries/common/passwords_and_secrets/test/negative16.tf
index dc59720fe42..e66d5e32d84 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative16.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative16.tf
@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables" allow-rule-test
provider "github" {
- token = var.github_key
+ token = var.github_key # negative1
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative17.tf b/assets/queries/common/passwords_and_secrets/test/negative17.tf
index 8d76b026cd0..468fb4dc74f 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative17.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative17.tf
@@ -1,3 +1,4 @@
+# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317 negative-test ('.' char is illegal in key definition, incorrect key length (11 is not in {32,45}))
provider "cloudflare" {
version = "~> 2.0"
email = "var.cloudflare_email"
diff --git a/assets/queries/common/passwords_and_secrets/test/negative18.yaml b/assets/queries/common/passwords_and_secrets/test/negative18.yaml
index 6e0600259ea..0d42068cccf 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative18.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative18.yaml
@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CloudFormation intrinsic functions" allow-rule-test
Parameters:
PrivateKey1:
Type: String
@@ -9,4 +10,4 @@ Resources:
PinpointAPNSChannel:
Type: AWS::Pinpoint::APNSChannel
Properties:
- PrivateKey: !GetAtt PrivateKey1
+ PrivateKey: !GetAtt PrivateKey1 # negative1
diff --git a/assets/queries/common/passwords_and_secrets/test/negative19.yaml b/assets/queries/common/passwords_and_secrets/test/negative19.yaml
index bf0684e33bc..2b3b2b20099 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative19.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative19.yaml
@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CloudFormation intrinsic functions" allow-rule-test
Parameters:
PinpointAPNSVoipChannelTokenKey:
Type: String
@@ -5,7 +6,7 @@ Resources:
ElastiCacheReplicationGroup:
Type: AWS::ElastiCache::ReplicationGroup
Properties:
- AuthToken: !Ref PinpointAPNSVoipChannelTokenKey
+ AuthToken: !Ref PinpointAPNSVoipChannelTokenKey # negative1
CacheNodeType: cache.m5.large
CacheSubnetGroupName: subnet-foobar
Engine: redis
@@ -22,5 +23,5 @@ Resources:
PinpointAPNSChannel:
Type: AWS::Pinpoint::APNSChannel
Properties:
- TokenKey: !Ref PinpointAPNSVoipChannelTokenKey
+ TokenKey: !Ref PinpointAPNSVoipChannelTokenKey # negative2
ApplicationId: !Ref PinpointApp
diff --git a/assets/queries/common/passwords_and_secrets/test/negative2.yaml b/assets/queries/common/passwords_and_secrets/test/negative2.yaml
index f7d63e9ec52..f3271d4a6fb 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative2.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative2.yaml
@@ -1,9 +1,9 @@
-#cloud formation test
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CloudFormation intrinsic functions" allow-rule-test
Resources:
RDSCluster:
Type: "AWS::RDS::DBCluster"
Properties:
- MasterUserPassword: !Ref PasswordMaster
+ MasterUserPassword: !Ref PasswordMaster # negative1
DBClusterIdentifier: my-serverless-cluster
Engine: aurora
EngineVersion: 5.6.10a
diff --git a/assets/queries/common/passwords_and_secrets/test/negative20.yaml b/assets/queries/common/passwords_and_secrets/test/negative20.yaml
index 38a22a90353..f7a987b0fc4 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative20.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative20.yaml
@@ -1,3 +1,4 @@
+# Generic Negative Test - no secrets
- name: Start a workflow in the Itential Automation Platform
community.network.iap_start_workflow:
iap_port: 3000
diff --git a/assets/queries/common/passwords_and_secrets/test/negative21.tf b/assets/queries/common/passwords_and_secrets/test/negative21.tf
index ca6ffa5c299..4b588082f97 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative21.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative21.tf
@@ -1,3 +1,4 @@
+# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317 negative-test ('.' char is illegal in key definition, incorrect key length (19 is not in {32,45}))
provider "mailgun" {
api_key = "var.mailgun_api_key"
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative22.tf b/assets/queries/common/passwords_and_secrets/test/negative22.tf
index 25083d09fd4..130843b7c90 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative22.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative22.tf
@@ -1,3 +1,4 @@
+# "Generic API Key" - 74736dd1-dd11-4139-beb6-41cd43a50317 negative-test ('.' char is illegal in key definition, incorrect key length (28 is not in {32,45}))
provider "stripe" {
api_key = var.strip_restricted_api_key
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative23.yaml b/assets/queries/common/passwords_and_secrets/test/negative23.yaml
index e31348aa535..c1b557cff10 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative23.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative23.yaml
@@ -1,3 +1,4 @@
+# "Twilio API Key" - e0f01838-b1c2-4669-b84b-981949ebe5ed negative-test (is not a hardcoded key)
- hosts: all
remote_user: root
vars:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative24.yaml b/assets/queries/common/passwords_and_secrets/test/negative24.yaml
index d9ddd4e3a1c..c048ca3cf62 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative24.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative24.yaml
@@ -1,3 +1,4 @@
+# "PayPal Braintree Access Token" - 4919b847-e3da-402a-acf8-6cea8e529993 negative-test (is not a hardcoded token)
- hosts: all
remote_user: root
vars:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative25.yaml b/assets/queries/common/passwords_and_secrets/test/negative25.yaml
index 00fd2e53a80..052fd677f84 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative25.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative25.yaml
@@ -1,3 +1,4 @@
+# Generic Negative Test - no secrets
apiVersion: v1
kind: Pod
metadata:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative26.yaml b/assets/queries/common/passwords_and_secrets/test/negative26.yaml
index 3cec573147d..353adbccd2e 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative26.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative26.yaml
@@ -1,3 +1,4 @@
+# "Google OAuth Access Token" - 41a1ca8d-f466-4084-a8c9-50f8b22200d5 negative-test (is not a hardcoded token)
apiVersion: v1
kind: Config
users:
@@ -10,7 +11,7 @@ users:
user:
auth-provider:
config:
- access-token: '{.credential.oauth_access_token_}'
+ access-token: '{.credential.oauth_access_token_}' # negative1
cmd-args: config config-helper --format=json
cmd-path: /Users/dave/google-cloud-sdk/bin/gcloud
expiry: 2021-10-28T15:12:03.000Z
diff --git a/assets/queries/common/passwords_and_secrets/test/negative27.tf b/assets/queries/common/passwords_and_secrets/test/negative27.tf
index 5f9a7d3c42f..e7fae8eaaa5 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative27.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative27.tf
@@ -1,3 +1,4 @@
+# Generic Negative Test - no secrets
resource "aws_lambda_function" "analysis_lambda4" {
# lambda have plain text secrets in environment variables
filename = "resources/lambda_function_payload.zip"
diff --git a/assets/queries/common/passwords_and_secrets/test/negative28.tf b/assets/queries/common/passwords_and_secrets/test/negative28.tf
index 7239fcb2612..dd578f8459a 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative28.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative28.tf
@@ -1,4 +1,87 @@
-provider rancher2 {
- api_url = data.terraform_remote_state.rancher.outputs.api_url
- token_key = data.terraform_remote_state.rancher.outputs.token_key
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding TF resource access" allow-rule-test - #1
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables" allow-rule-test - #2
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding array access" allow-rule-test - #3
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
}
+
+provider "aws" {
+ region = "us-east-1"
+}
+
+variable "auth_token" {
+ description = "Authentication token"
+ type = string
+ sensitive = true
+}
+
+variable "enabled" {
+ description = "Whether to enable resources"
+ type = bool
+ default = true
+}
+
+resource "aws_secretsmanager_secret_version" "token_version" {
+ for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
+
+ secret_id = aws_secretsmanager_secret.client_token_secret[each.key].id
+ secret_string = jsonencode({ "client" : each.key, "token" : random_password.client_token[each.key].result }) #1
+}
+
+resource "aws_secretsmanager_secret_version" "token_version_2" {
+ for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
+
+ secret_id = aws_secretsmanager_secret.client_token_secret[each.key].id
+ secret_string = jsonencode({ "client" : each.key, "token" : random_password[each.key].client_token.result }) #1
+}
+
+resource "aws_secretsmanager_secret_version" "token_version_3" {
+ for_each = { for k, v in var.clients.oauth : k => v if var.enabled }
+
+ secret_id = aws_secretsmanager_secret.client_token_secret[each.key].id #3
+ secret_string = jsonencode({ "client" : each.key, "token" : random_password["index"].client_token.result })
+}
+
+resource "aws_lb_listener" "https_null" {
+ count = var.enabled ? 1 : 0
+ load_balancer_arn = aws_lb.main[0].arn
+ port = 443
+ protocol = "HTTPS"
+
+ default_action {
+ type = "fixed-response"
+ token_key = null #1
+ }
+}
+module "auth_service" {
+ source = "./modules/auth"
+
+ token = var.auth_token #2
+}
+module "api_gateway" {
+ source = "./modules/gateway"
+
+ token = module.auth_service.token_output.value #1
+}
+module "legacy_service" {
+ source = "./modules/legacy"
+
+ token = data.aws_secretsmanager_secret_version.existing_token.secret_string #1
+}
+
+locals {
+ token_config = {
+ value = aws_secretsmanager_secret.client_token_secret["primary"].arn
+ }
+}
+
+module "monitoring" {
+ source = "./modules/monitoring"
+
+ token = local.token_config.value #1
+}
\ No newline at end of file
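Review bot: The `#3` marker in `token_version_3` sits on the `secret_id` line, one line above the expression it is meant to tag: the string-literal array access `random_password["index"].client_token.result` that the "Avoiding array access" allow-rule test covers is on the following `secret_string` line, and the identical `secret_id` line carries no marker in the two sibling resources. Moving it, `secret_string = jsonencode({ "client" : each.key, "token" : random_password["index"].client_token.result }) #3`, keeps the header legend (#1/#2/#3) accurate for whoever extends this fixture. The file also ends without a trailing newline.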
diff --git a/assets/queries/common/passwords_and_secrets/test/negative29.yaml b/assets/queries/common/passwords_and_secrets/test/negative29.yaml
index c51ed1df46d..a5236003152 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative29.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative29.yaml
@@ -1,3 +1,4 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Github id-token Default Values" allow-rule-test
name: Example Workflow
on: workflow_call
@@ -7,7 +8,7 @@ jobs:
permissions:
contents: read
pages: write
- id-token: write
+ id-token: write # negative1
runs-on: ubuntu
@@ -25,7 +26,7 @@ jobs:
permissions:
contents: read
pages: write
- id-token: read
+ id-token: read # negative2
runs-on: ubuntu
@@ -43,7 +44,7 @@ jobs:
permissions:
contents: read
pages: write
- id-token: none
+ id-token: none # negative3
runs-on: ubuntu
diff --git a/assets/queries/common/passwords_and_secrets/test/negative3.yaml b/assets/queries/common/passwords_and_secrets/test/negative3.yaml
index c30d868b0bf..6ad0a843c18 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative3.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative3.yaml
@@ -1,4 +1,4 @@
-#ansible test
+# Generic Negative Test - no secrets (ansible)
- name: create a cluster
google.cloud.gcp_container_cluster:
name: my-cluster
diff --git a/assets/queries/common/passwords_and_secrets/test/negative30.yaml b/assets/queries/common/passwords_and_secrets/test/negative30.yaml
index ed211b11eeb..d039c7d1bee 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative30.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative30.yaml
@@ -1,9 +1,10 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding Boolean's" allow-rule-test
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo
spec:
- automountServiceAccountToken: false
+ automountServiceAccountToken: false # negative1
securityContext:
runAsUser: 1000
runAsGroup: 3000
diff --git a/assets/queries/common/passwords_and_secrets/test/negative31.yaml b/assets/queries/common/passwords_and_secrets/test/negative31.yaml
index 9f4a78d1e74..11426285f38 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative31.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative31.yaml
@@ -1,3 +1,4 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding arn" allow-rule-test
- name: 'aws_codebuild integration tests'
collections:
- amazon.aws
@@ -22,7 +23,7 @@
packaging: NONE
type: CODEPIPELINE
name: test
- encryption_key: 'arn:aws:kms:{{ aws_region }}:{{ aws_account_id }}:alias/aws/s3'
+ encryption_key: 'arn:aws:kms:{{ aws_region }}:{{ aws_account_id }}:alias/aws/s3' # negative1
environment:
compute_type: BUILD_GENERAL1_SMALL
privileged_mode: true
diff --git a/assets/queries/common/passwords_and_secrets/test/negative32.yaml b/assets/queries/common/passwords_and_secrets/test/negative32.yaml
index 355c7ea91a8..0a89c460fa4 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative32.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative32.yaml
@@ -1,5 +1,6 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding CloudFormation intrinsic functions" allow-rule-test
Conditions:
HasKmsKey: !Not [!Equals [!Ref ParentKmsKeyStack, '']]
HasSecretName: !Not [!Equals [!Ref ParentKmsKeyStack, '']]
- HasPassword: !Not [!Equals [!Ref DBPassword, '']]
+ HasPassword: !Not [!Equals [!Ref DBPassword, '']] # negative1
Resources:
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative33.yaml b/assets/queries/common/passwords_and_secrets/test/negative33.yaml
index 3b62384bc30..05d13abcbba 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative33.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative33.yaml
@@ -1,46 +1,13 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding TF resource access" allow-rule-test - #1 (line 10)
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding Boolean's" allow-rule-test - #2 (line 11)
Resources:
LambdaFunctionV2:
Type: 'AWS::Lambda::Function'
Properties:
- Code:
+ Code: #1 & #2:
ZipFile: |
- 'use strict';
- const AWS = require('aws-sdk');
- const response = require('cfn-response');
- const iam = new AWS.IAM({apiVersion: '2010-05-08'});
- exports.handler = (event, context, cb) => {
- console.log(`Invoke: ${JSON.stringify(event)}`);
- function done(err) {
- if (err) {
- console.log(`Error: ${JSON.stringify(err)}`);
- response.send(event, context, response.FAILED, {});
- } else {
- response.send(event, context, response.SUCCESS, {});
- }
- }
- if (event.RequestType === 'Delete') {
- iam.deleteAccountPasswordPolicy({}, done);
- } else if (event.RequestType === 'Create' || event.RequestType === 'Update') {
- const params = {
- MinimumPasswordLength: parseInt(event.ResourceProperties.MinimumPasswordLength, 10),
- RequireSymbols: event.ResourceProperties.RequireSymbols === 'true',
- RequireNumbers: event.ResourceProperties.RequireNumbers === 'true',
- RequireUppercaseCharacters: event.ResourceProperties.RequireUppercaseCharacters === 'true',
- RequireLowercaseCharacters: event.ResourceProperties.RequireLowercaseCharacters === 'true',
AllowUsersToChangePassword: event.ResourceProperties.AllowUsersToChangePassword === 'true',
- HardExpiry: event.ResourceProperties.HardExpiry === 'true'
- };
- if (parseInt(event.ResourceProperties.MaxPasswordAge, 10) > 0) {
- params.MaxPasswordAge = parseInt(event.ResourceProperties.MaxPasswordAge, 10);
- }
- if (parseInt(event.ResourceProperties.PasswordReusePrevention, 10) > 0) {
- params.PasswordReusePrevention = parseInt(event.ResourceProperties.PasswordReusePrevention, 10);
- }
- iam.updateAccountPasswordPolicy(params, done);
- } else {
- cb(new Error(`unsupported RequestType: ${event.RequestType}`));
- }
- };
+ AllowUsersToChangePassword: false,
Handler: 'index.handler'
MemorySize: 128
Role: !GetAtt 'LambdaRole.Arn'
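Review bot: The line numbers in the new header comments look off by one against this hunk's new side: with thirteen lines on the new side, `AllowUsersToChangePassword: event.ResourceProperties.AllowUsersToChangePassword === 'true',` lands on line 9 and `AllowUsersToChangePassword: false,` on line 10, not 10 and 11 as `#1 (line 10)` and `#2 (line 11)` state — unless this view drops a line. Hard-coded line references also go stale on the next edit; since a `#` cannot be placed inside the `ZipFile: |` literal without becoming part of its content, the `Code: #1 & #2:` marker already does the job and the `(line N)` parts could be dropped.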
diff --git a/assets/queries/common/passwords_and_secrets/test/negative34.tf b/assets/queries/common/passwords_and_secrets/test/negative34.tf
index 06348a85bde..deb5e088234 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative34.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative34.tf
@@ -1,3 +1,4 @@
+# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding TF resource access" allow-rule-test
locals {
secrets = {
my_secret = random_password.my_password.result
diff --git a/assets/queries/common/passwords_and_secrets/test/negative35.dockerfile b/assets/queries/common/passwords_and_secrets/test/negative35.dockerfile
index 1c127d1c060..2a30a0f817d 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative35.dockerfile
+++ b/assets/queries/common/passwords_and_secrets/test/negative35.dockerfile
@@ -1,3 +1,4 @@
+# Generic Negative Test - arbitrary git "token" references (dockerfile)
FROM baseImage
RUN apk add --no-cache git \
diff --git a/assets/queries/common/passwords_and_secrets/test/negative36.tf b/assets/queries/common/passwords_and_secrets/test/negative36.tf
index 9711f6f6c29..e08a4255e49 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative36.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative36.tf
@@ -1,9 +1,10 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF file function" allow-rule-test
resource "aws_instance" "instance" {
ami = data.aws_ami.ubuntu.id
instance_type = "t3.micro"
connection {
user = "ubuntu"
- private_key = file(var.private_key_path)
+ private_key = file(var.private_key_path) # negative1
}
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative37.yaml b/assets/queries/common/passwords_and_secrets/test/negative37.yaml
index 2ea6fa3094e..8f9081a631b 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative37.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative37.yaml
@@ -1,10 +1,12 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding array access" allow-rule-test (line 10/11)
Resources:
MytFunction:
Type: AWS::Lambda::Function
Properties:
FunctionName: !Sub '${AWS::StackName}-CdnViewerRequest'
Code:
- ZipFile: !Sub |
+ ZipFile: !Sub | # negative1:
function msg(userPass) {
return {"username": userPass[1], "password": userPass[2]}
+ return {"Busername": userPass[1312], "Bpassword": userPass[2412]}
}
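Review bot: The marker `# negative1:` on the `ZipFile: !Sub |` line ends in a colon, unlike the `# negative1` form used in the other fixtures of this commit; the same trailing colon appears on `script: # negative1:` in negative44.yml. The second `return {"Busername": userPass[1312], "Bpassword": userPass[2412]}` is unreachable JavaScript after the first return, which is fine for a regex fixture but worth a word so nobody later "fixes" it, e.g. appending to the header `(second return is intentionally unreachable; it only exercises the regex)`.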
diff --git a/assets/queries/common/passwords_and_secrets/test/negative38.yaml b/assets/queries/common/passwords_and_secrets/test/negative38.yaml
index fde8a4bb5f2..a33a464cf0d 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative38.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative38.yaml
@@ -1,3 +1,4 @@
+# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding Secrets Manager arn" allow-rule-test
Type: AWS::Glue::Connection
Resources:
Properties:
@@ -9,18 +10,18 @@ Resources:
- ""
- - "mongodb://{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:endpoint::}}/test
+ - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:endpoint::}}/test # negative1
USERNAME:
Fn::Join:
- ""
- - "{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:username::}}
+ - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:username::}} # negative2
PASSWORD:
Fn::Join:
- ""
- - "{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:password::}}
+ - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:password::}} # negative3
JDBC_ENFORCE_SSL: true
ConnectionType: MONGODB
diff --git a/assets/queries/common/passwords_and_secrets/test/negative39.yaml b/assets/queries/common/passwords_and_secrets/test/negative39.yaml
index e3d55dff65a..b206ac87ebe 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative39.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative39.yaml
@@ -1,3 +1,4 @@
+# "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - "Avoiding CloudFormation KeyName" allow-rule-test
AWSTemplateFormatVersion: "2010-09-09"
Resources:
somecode:
@@ -8,7 +9,7 @@ Resources:
TimeoutInMinutes: 10
QueuedTimeoutInMinutes: 10
ServiceRole: someservicerole
- EncryptionKey: somekey
+ EncryptionKey: somekey # negative1
Artifacts:
Type: someartifact
Cache:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative4.tf b/assets/queries/common/passwords_and_secrets/test/negative4.tf
index 93cd948d850..cac5afdb401 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative4.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative4.tf
@@ -1,4 +1,4 @@
-#this code is a correct code for which the query should not find any result
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables" allow-rule-test
resource "google_container_cluster" "primary" {
name = "marcellus-wallace"
location = "us-central1-a"
@@ -17,7 +17,7 @@ resource "google_container_cluster" "primary" {
}
resource "google_secret_manager_secret_version" "secret-version-basic" {
- secret = var.my_google_secret
+ secret = var.my_google_secret # negative1
secret_data = "secret-data"
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative40.yaml b/assets/queries/common/passwords_and_secrets/test/negative40.yaml
index 2ac3c5a5e9a..715678a895e 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative40.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative40.yaml
@@ -1,3 +1,4 @@
+# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding Secrets Manager arn" allow-rule-test
Type: AWS::Glue::Connection
Resources:
Properties:
@@ -9,13 +10,13 @@ Resources:
- ""
- - "mongodb://{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- - :secretsmanager:*:1111111111111:secret:/test/resources/docdb-test:SecretString:endpoint::}}/test
+ - :secretsmanager:*:1111111111111:secret:/test/resources/docdb-test:SecretString:endpoint::}}/test # negative1
USERNAME:
Fn::Join:
- ""
- - "{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- - :secretsmanager:eu-west-1:*:secret:/test/resources/docdb-test:SecretString:username::}}
+ - :secretsmanager:eu-west-1:*:secret:/test/resources/docdb-test:SecretString:username::}} # negative2
PASSWORD:
Fn::Join:
- ""
diff --git a/assets/queries/common/passwords_and_secrets/test/negative41.yaml b/assets/queries/common/passwords_and_secrets/test/negative41.yaml
index a4a81ed903b..5a71b8ae22b 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative41.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative41.yaml
@@ -1,3 +1,4 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding CloudFormation ServiceToken" allow-rule-test
---
AWSTemplateFormatVersion: "2010-09-09"
Description: >
@@ -76,7 +77,7 @@ Resources:
GetSubnets:
Type: AWS::CloudFormation::CustomResource
Properties:
- ServiceToken: anArn
+ ServiceToken: anArn # negative1
LoadBalancer3:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative42.tf b/assets/queries/common/passwords_and_secrets/test/negative42.tf
index d0cea665b08..2a0f2a82707 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative42.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative42.tf
@@ -1,10 +1,11 @@
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF file function" allow-rule-test
data "terraform_remote_state" "intnet" {
backend = "azurerm"
config = {
storage_account_name = "asdsadas"
container_name = "dp-prasdasdase-001"
key = "infrastructure.tfstate"
- access_key = file(var.access_key_path)
+ access_key = file(var.access_key_path) # negative1
}
workspace = terraform.workspace
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative43.tf b/assets/queries/common/passwords_and_secrets/test/negative43.tf
index 0188abcc114..879e2ea31c4 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative43.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative43.tf
@@ -1,4 +1,4 @@
-#this is a problematic code where the query should report a result(s)
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding TF resource access" allow-rule-test
resource "google_container_cluster" "primary1" {
name = "marcellus-wallace"
location = "us-central1-a"
@@ -6,7 +6,7 @@ resource "google_container_cluster" "primary1" {
master_auth {
username = ""
- password = local.rds_postgres_is_primary ? var.rds_postgres_password : null
+ password = local.rds_postgres_is_primary ? var.rds_postgres_password : null # negative1
client_certificate_config {
issue_client_certificate = true
diff --git a/assets/queries/common/passwords_and_secrets/test/negative44.yml b/assets/queries/common/passwords_and_secrets/test/negative44.yml
index e441afac9df..6296c2f65d4 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative44.yml
+++ b/assets/queries/common/passwords_and_secrets/test/negative44.yml
@@ -1,3 +1,4 @@
+# "Generic Private Key" - 2f665079-c383-4b33-896e-88268c1fa258 - "Avoiding bash variables" allow-rule-test
on: workflow_call
stages:
@@ -9,7 +10,7 @@ variables:
jobs:
job_build:
stage: build
- script:
+ script: # negative1:
- if [[ -z "${GIT_PRIVATE_KEY:-}" ]]; then
echo "Missing GIT_PRIVATE_KEY variable!"
exit 1
diff --git a/assets/queries/common/passwords_and_secrets/test/negative45.yml b/assets/queries/common/passwords_and_secrets/test/negative45.yml
index 7bd9c906de5..aa2305611fc 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative45.yml
+++ b/assets/queries/common/passwords_and_secrets/test/negative45.yml
@@ -1,3 +1,4 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding Ansible playbook update_password" allow-rule-test
- name: "Configure the MySQL user "
community.mysql.mysql_user:
login_user: "root"
@@ -5,4 +6,4 @@
name: "{{ mysql_user }}"
password: "{{ mysql_user_password }}"
password_expire: "never"
- update_password: "on_create"
+ update_password: "on_create" # negative1
diff --git a/assets/queries/common/passwords_and_secrets/test/negative46.yaml b/assets/queries/common/passwords_and_secrets/test/negative46.yaml
index 23dcecea39d..771dd11a5d8 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative46.yaml
+++ b/assets/queries/common/passwords_and_secrets/test/negative46.yaml
@@ -1,3 +1,4 @@
+# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding Secrets from Variable Interpolation" allow-rule-test - (lines 51/73)
name: Deploy
on:
workflow_call:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative47.tf b/assets/queries/common/passwords_and_secrets/test/negative47.tf
index 8647a01ff60..6809ca7a8be 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative47.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative47.tf
@@ -1,3 +1,4 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding TF resource access" allow-rule-test
provider "azurerm" {
features {}
}
@@ -19,7 +20,7 @@ resource "azurerm_linux_virtual_machine" "example_vm" {
location = "your-location"
size = "Standard_DS1_v2"
admin_username = "adminuser"
- admin_password = data.azurerm_key_vault_secret.LinuxVmPassword.value
+ admin_password = data.azurerm_key_vault_secret.LinuxVmPassword.value # negative1
network_interface_ids = [
# Your network interface ID
diff --git a/assets/queries/common/passwords_and_secrets/test/negative48.tf b/assets/queries/common/passwords_and_secrets/test/negative48.tf
index 85e9a2c0f38..b132cda2df9 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative48.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative48.tf
@@ -1,17 +1,18 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding TF resource access" allow-rule-test
data "template_file" "sci_integration_app_properties_secret_template" {
template = file(join("", ["/secrets/sci-integration-app", var.resource_identifier_shorthand], ".json"))
- vars = {
- ayreshirerarran_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["ayreshirerarran_password"]
- lanark_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["lanark_password"]
- tayside_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["tayside_password"]
- glasgow_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["glasgow_password"]
- grampian_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["grampian_password"]
- highland_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["highland_password"]
- westernisles_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["westernisles_password"]
+ vars = { # negative1-11
+ ayreshirerarran_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["ayreshirerarran_password"]
+ lanark_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["lanark_password"]
+ tayside_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["tayside_password"]
+ glasgow_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["glasgow_password"]
+ grampian_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["grampian_password"]
+ highland_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["highland_password"]
+ westernisles_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["westernisles_password"]
dumfriesandgalloway_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["dumfriesandgalloway_password"]
- forthvalley_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["forthvalley_password"]
- borders_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["borders_password"]
- lothian_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["lothian_password"]
+ forthvalley_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["forthvalley_password"]
+ borders_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["borders_password"]
+ lothian_password = data.aws_kms_secrets.sci_app_kms_secrets.plaintext["lothian_password"]
}
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative49.dockerfile b/assets/queries/common/passwords_and_secrets/test/negative49.dockerfile
index c7dacace4bb..90ca5fb8054 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative49.dockerfile
+++ b/assets/queries/common/passwords_and_secrets/test/negative49.dockerfile
@@ -1,3 +1,4 @@
+# Generic Negative Test - arbitrary git "token" references, ARTEMIS_PASSWORD missing (dockerfile)
FROM baseImage
ENV ARTEMIS_USER artemis
diff --git a/assets/queries/common/passwords_and_secrets/test/negative5.dockerfile b/assets/queries/common/passwords_and_secrets/test/negative5.dockerfile
index 5c147649f3d..ad7b491f481 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative5.dockerfile
+++ b/assets/queries/common/passwords_and_secrets/test/negative5.dockerfile
@@ -1,3 +1,4 @@
+# Generic Negative Test - no secrets (dockerfile)
FROM baseImage
RUN command
diff --git a/assets/queries/common/passwords_and_secrets/test/negative50.dockerfile b/assets/queries/common/passwords_and_secrets/test/negative50.dockerfile
index 0ccae6885d9..a31ae5e8777 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative50.dockerfile
+++ b/assets/queries/common/passwords_and_secrets/test/negative50.dockerfile
@@ -1,3 +1,4 @@
+# Generic Negative Test - arbitrary git "token" references, ARTEMIS_PASSWORD missing (dockerfile)
FROM baseImage
ENV ARTEMIS_USER=artemis
diff --git a/assets/queries/common/passwords_and_secrets/test/negative51.yml b/assets/queries/common/passwords_and_secrets/test/negative51.yml
index d0fe10329d2..77bc61d54a7 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative51.yml
+++ b/assets/queries/common/passwords_and_secrets/test/negative51.yml
@@ -1,43 +1,27 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Allow placeholders" allow-rule-test - #1
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Allow empty values" allow-rule-test - #2
stages:
- template: templates/main-stage.yml
parameters:
environment: 'foo'
isSm9ChangeRequired: true
-
+
isDedicatedSubscription: 'true'
setResourceLock: 'true'
nameResourceLock: 'PrdPreventAccidentalDeletion'
isDevelopment: 'false'
- # example 1 (placeholders)
- vmAdminPassword: '$(VM_ADMIN_PASSWORD)' # SET IN PIPELINE
- sqlAdminPassword: '$(SQL_ADMIN_PASSWORD)' # SET IN PIPELINE
- yetanotherAdminPassword: '${{SQL_ADMIN_PASSWORD}}' # SET IN PIPELINE
- andyetanotherAdminPassword: '${{ SQL_ADMIN_PASSWORD }}' # SET IN PIPELINE
+
+ vmAdminPassword: '$(VM_ADMIN_PASSWORD)' #1
+ sqlAdminPassword: '$(SQL_ADMIN_PASSWORD)' #1
+ yetanotherAdminPassword: '${{SQL_ADMIN_PASSWORD}}' #1
+ andyetanotherAdminPassword: '${{ SQL_ADMIN_PASSWORD }}' #1
# example 2 (empty string value)
- anotherAdminPassword: '' # SET IN PIPELINE
+ anotherAdminPassword: '' #2
- serviceConnectionName: 'foo'
+ serviceConnectionName: 'foo'
subscriptionId: 'foo'
- organisationalGroup: 'foo' # Replace this with your own Organisational Group name.
- devOrganisationalGroup: 'foo' # should be empty for none DEV env
- sm9ApplicationCi: 'foo' # Replace this with your own SM9 Application CI name.
- resourceGroupBaseName: 'foo' # This is used to construct a Resource Group name. Replace this with your desired resource group name.
- resourceGroupNameSuffix: 'foo' # This is suffixed to the Resource Group name in a Shared subscription (must be an integer). Can be left as-is.
- location: 'foo' # Replace this with your desired Azure region.
- linuxAgentPoolName: 'foo' # Agent pool name of Linux agents. Can be left as-is.
- windowsAgentPoolName: 'foo' # Agent pool name of Windows agents. Can be left as-is.
- System.Debug: 'foo' # Set to 'foo' to enable debug logging. Can be left as-is.
-
- skipAdditionalResources: 'foo' # if true skip creating additional resources
- skipSQL: 'foo'
+ organisationalGroup: 'foo'
- #####################################################################################
- # ADF #
- #####################################################################################
- adfName: 'foo'
- adfDeveloperGroup: 'foo' # Group has access to ADF
- irName: 'foo'
- irDescription: 'foo'
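Review bot: The surviving `# example 2 (empty string value)` comment now refers to an `# example 1 (placeholders)` comment this hunk removes, and the fixture otherwise switched to the `#1`/`#2` marker scheme declared in the header, so two labelling schemes coexist. Since `anotherAdminPassword: '' #2` already carries its marker, the `example 2` line can simply be dropped. The blank line replaced near the top of the hunk is presumably a trailing-whitespace change only; if so it could be left out of the commit.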
diff --git a/assets/queries/common/passwords_and_secrets/test/negative52.yml b/assets/queries/common/passwords_and_secrets/test/negative52.yml
index 2bff2375d79..a74962814d7 100755
--- a/assets/queries/common/passwords_and_secrets/test/negative52.yml
+++ b/assets/queries/common/passwords_and_secrets/test/negative52.yml
@@ -1,3 +1,4 @@
+# "Generic Private Key" - 2f665079-c383-4b33-896e-88268c1fa258 - "Avoid Docker Compose secrets paths" allow-rule-test
version: '3.7'
services:
@@ -8,8 +9,7 @@ services:
environment:
env: "dev"
- # this value is a Docker Compose secrets path, its contents are not exposed
- PrivateKey: /run/secrets/SOME_AUTHORIZATION_PRIVATE_KEY
+ PrivateKey: /run/secrets/SOME_AUTHORIZATION_PRIVATE_KEY # negative1
secrets:
SOME_AUTHORIZATION_PRIVATE_KEY:
diff --git a/assets/queries/common/passwords_and_secrets/test/negative53.json b/assets/queries/common/passwords_and_secrets/test/negative53.json
index 67f4c99199f..512f353dcdd 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative53.json
+++ b/assets/queries/common/passwords_and_secrets/test/negative53.json
@@ -1,54 +1,7 @@
{
+ "metadata" : "# 'Generic Password' - 487f4be7-3fd9-4506-a07a-eae252180c08 - 'Allow password retrieved from ARM parameters' allow rule test (line 12)",
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
- "parameters": {
- "siteName": {
- "type": "string"
- },
- "administratorLogin": {
- "type": "string"
- },
- "administratorLoginPassword": {
- "type": "securestring"
- },
- "secretSuffix": {
- "type": "string",
- "defaultValue": "word"
- },
- "location": {
- "type": "string",
- "defaultValue": "[resourceGroup().location]"
- }
- },
- "variables": {
- "databaseName": "[concat(parameters('siteName'), 'db')]",
- "serverName": "[concat(parameters('siteName'), 'srv')]",
- "hostingPlanName": "[concat(parameters('siteName'), 'plan')]",
- "passKey": "[concat('Pass', parameters('secretSuffix'))]"
- },
- "resources": [
- {
- "apiVersion": "2020-06-01",
- "type": "Microsoft.Web/serverfarms",
- "name": "[variables('hostingPlanName')]",
- "location": "[parameters('location')]",
- "sku": {
- "Tier": "Standard",
- "Name": "S1"
- },
- "properties": {}
- },
- {
- "apiVersion": "2020-06-01",
- "type": "Microsoft.Web/sites",
- "name": "[parameters('siteName')]",
- "location": "[parameters('location')]",
- "dependsOn": [
- "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]"
- ],
- "properties": {
- "serverFarmId": "[variables('hostingPlanName')]"
- },
"resources": [
{
"apiVersion": "2020-06-01",
@@ -62,6 +15,4 @@
}
}
]
- }
- ]
-}
\ No newline at end of file
+ }
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative54.json b/assets/queries/common/passwords_and_secrets/test/negative54.json
index fc05799de54..67aa0f3aaef 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative54.json
+++ b/assets/queries/common/passwords_and_secrets/test/negative54.json
@@ -1,4 +1,5 @@
{
+ "metadata": "'Generic Secret' - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - 'Allow secret retrieved from ARM parameters' allow-rule-test (line 11)",
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
diff --git a/assets/queries/common/passwords_and_secrets/test/negative55.yml b/assets/queries/common/passwords_and_secrets/test/negative55.yml
index cfa94d9def7..3e81e0d9609 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative55.yml
+++ b/assets/queries/common/passwords_and_secrets/test/negative55.yml
@@ -1,3 +1,4 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Github id-token Default Values" allow-rule-test
jobs:
release:
if: github.event.pull_request.merged == true || github.event_name == 'push' || github.event_name == 'workflow_dispatch'
@@ -9,10 +10,10 @@ jobs:
actions: write # for createWorkflowDispatch
issues: write # for comments on issues
pull-requests: write # for comments on pull requests
- #id-token: write # for oidc npm provenance
- #"id-token": read
- #'id-token': none
- #permissions: {id-token: write, contents: read, pull-requests: write}
+ #id-token: write # for oidc npm provenance # negative1
+ #"id-token": read # negative2
+ #'id-token': none # negative3
+ #permissions: {id-token: write, contents: read, pull-requests: write} # negative4
steps:
- name: debug
shell: bash
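Review bot: The four lines this hunk tags (`#id-token: write … # negative1` through `# negative4`) are themselves YAML comments, so the fixture exercises the "Avoiding Github id-token Default Values" allow rule on commented-out text rather than on live `permissions` keys — presumably intentional, since the scanner appears to match raw lines. The header would benefit from saying so, e.g. `# (entries are deliberately commented out; the rule must still allow them)`, so a later cleanup does not uncomment or delete them as dead config.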
diff --git a/assets/queries/common/passwords_and_secrets/test/negative56.tf b/assets/queries/common/passwords_and_secrets/test/negative56.tf
index 36459daba4b..fc2b3199da6 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative56.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative56.tf
@@ -1,15 +1,18 @@
-
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding description field" allow-rule-test - #1
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding Terraform 'optional' statement" allow-rule-test - #2
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding Terraform 'try' statement" allow-rule-test - #3
variable "linux_vms" {
+ # 1:
description = "A list of the Linux VMs to create. \n [region:](#region:) The Azure location where the Windows Virtual Machine should exist. Changing this forces a new resource to be created. \n [size:](#size:) The SKU which should be used for this Virtual Machine, such as Standard_F2. \n [admin_username:](#admin_username:) The username of the local administrator used for the Virtual Machine. Changing this forces a new resource to be created. \n [admin_password:](#admin_password:) he Password which should be used for the local-administrator on this Virtual Machine. Changing this forces a new resource to be created."
type = map(object({
region = string
size = optional(string)
admin_username = optional(string)
- admin_password = optional(string)
+ admin_password = optional(string) #2
}))
default = {}
}
resource "azurerm_linux_virtual_machine" "vms" {
- admin_password = try(each.value.admin_password, null)
+ admin_password = try(each.value.admin_password, null) #3
}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative57.bicep b/assets/queries/common/passwords_and_secrets/test/negative57.bicep
index 7857f63eda0..e014e95c632 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative57.bicep
+++ b/assets/queries/common/passwords_and_secrets/test/negative57.bicep
@@ -1,3 +1,4 @@
+// "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - 'Allow secrets retrieved from Bicep getSecret built in function' allow-rule-test
import { common, tagsObject, deployName, removeSpace } from '../../../CommonValues.bicep'
@description('Nome do sistema')
@@ -20,6 +21,6 @@ module consumerModule '../SecretConsumer/Resource.bicep' = {
systemName: systemName
resourceName: resourceName
tags: tags
- apiClientSecret: kvTest.getSecret('secret-sample')
+ apiClientSecret: kvTest.getSecret('secret-sample') // negative1
}
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative57.json b/assets/queries/common/passwords_and_secrets/test/negative58.json
similarity index 89%
rename from assets/queries/common/passwords_and_secrets/test/negative57.json
rename to assets/queries/common/passwords_and_secrets/test/negative58.json
index fc9b4a8bc07..cb39e3334c0 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative57.json
+++ b/assets/queries/common/passwords_and_secrets/test/negative58.json
@@ -1,4 +1,5 @@
{
+ "metadata": "'Generic Token' - baee238e-1921-4801-9c3f-79ae1d7b2cbc - 'Avoiding Run After Triggers (if written in conformity with best practices)' allow-rule-test",
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
diff --git a/assets/queries/common/passwords_and_secrets/test/negative58.bicep b/assets/queries/common/passwords_and_secrets/test/negative59.bicep
similarity index 72%
rename from assets/queries/common/passwords_and_secrets/test/negative58.bicep
rename to assets/queries/common/passwords_and_secrets/test/negative59.bicep
index 1c5b9541a6e..e0f7ac7b1f3 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative58.bicep
+++ b/assets/queries/common/passwords_and_secrets/test/negative59.bicep
@@ -1,3 +1,4 @@
+// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding references to module outputs in Bicep" allow-rule-test (also avoided by TF resource access allow rule)
param systemName string
param resourceName string
param tags object
@@ -19,7 +20,8 @@ module clientModule '../ClientModule/Resource.bicep' = {
systemName: systemName
resourceName: resourceName
tags: tags
- validationToken: myModule.outputs.apiToken
+ // negative1:
+ validationToken: myModule.outputs.apiToken
}
}
diff --git a/assets/queries/common/passwords_and_secrets/test/negative6.json b/assets/queries/common/passwords_and_secrets/test/negative6.json
index ecd7db09e2e..fa275d2cf25 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative6.json
+++ b/assets/queries/common/passwords_and_secrets/test/negative6.json
@@ -1,4 +1,5 @@
{
+ "metadata": "Generic Negative Test - no secrets",
"openapi": "3.0.0",
"info": {
"title": "Simple API Overview",
diff --git a/assets/queries/common/passwords_and_secrets/test/negative59.tf b/assets/queries/common/passwords_and_secrets/test/negative60.tf
similarity index 78%
rename from assets/queries/common/passwords_and_secrets/test/negative59.tf
rename to assets/queries/common/passwords_and_secrets/test/negative60.tf
index b9419d704a2..d5052c3ba1e 100644
--- a/assets/queries/common/passwords_and_secrets/test/negative59.tf
+++ b/assets/queries/common/passwords_and_secrets/test/negative60.tf
@@ -1,7 +1,13 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding TF resource access" allow-rule-test - #1
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding array access" allow-rule-test - #2
+# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding TF resource access" allow-rule-test - #3
+# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding Secrets from Variable Interpolation" allow-rule-test - #4
+
resource "aws_secretsmanager_secret_version" "secret_version" {
for_each = { for k, v in var.clients.scram : k => v if var.enabled && var.client_sasl_scram_enabled }
secret_id = aws_secretsmanager_secret.client_secret[each.key].id # use of indexes
+ #1:
secret_string = jsonencode({ "username" : join("_", [var.product, each.key, var.environment == "dev" ? var.environment : var.stack]), "password" : random_password.client_password[each.key].result })
}
@@ -9,6 +15,7 @@ resource "aws_secretsmanager_secret_version" "secret_version_2" {
for_each = { for k, v in var.clients.scram : k => v if var.enabled && var.client_sasl_scram_enabled }
secret_id = aws_secretsmanager_secret.client_secret[each.key].id # use of indexes
+ #1:
secret_string = jsonencode({ "username" : join("_", [var.product, each.key, var.environment == "dev" ? var.environment : var.stack]), "password" : random_password[each.key].client_password.result })
}
@@ -16,17 +23,18 @@ resource "aws_secretsmanager_secret_version" "secret_version_3" {
for_each = { for k, v in var.clients.scram : k => v if var.enabled && var.client_sasl_scram_enabled }
secret_id = aws_secretsmanager_secret.client_secret[each.key].id # use of indexes
+ #2:
secret_string = jsonencode({ "username" : join("_", [var.product, each.key, var.environment == "dev" ? var.environment : var.stack]), "password" : random_password["index"].client_password.result })
}
resource "aws_msk_scram_secret_association" "msk_secret_association" {
count = var.enabled && var.client_sasl_scram_enabled ? 1 : 0
cluster_arn = aws_msk_cluster.kafka[0].arn
- secret_arn_list = [for secret in aws_secretsmanager_secret.client_secret : secret.arn] # short reference
+ secret_arn_list = [for secret in aws_secretsmanager_secret.client_secret : secret.arn] #3
}
resource "aws_msk_scram_secret_association" "msk_secret_association_2" {
count = var.enabled && var.client_sasl_scram_enabled ? 1 : 0
cluster_arn = aws_msk_cluster.kafka[0].arn
- secret_arn_list = [for secret in aws_secretsmanager_secret.client_secret : null] # short reference
-}
+ secret_arn_list = [for secret in aws_secretsmanager_secret.client_secret : "${secret.arn}"] #4
+}
\ No newline at end of file
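Review bot: The removed `[for secret in aws_secretsmanager_secret.client_secret : null]` line was the only fixture in this file for a bare `null` inside a for-expression, and its replacement exercises interpolation instead (#4), so that case loses coverage unless another fixture keeps it. If the Generic Secret allow rules accept a bare `null` value, a small extra resource restores the case without disturbing the renumbered #1–#4 markers; the matching header line would be `# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding TF resource access" allow-rule-test (null value) - #5`. I would add it after `msk_secret_association_2`.
```hcl
# … unchanged: msk_secret_association_2 …
resource "aws_msk_scram_secret_association" "msk_secret_association_3" {
  count           = var.enabled && var.client_sasl_scram_enabled ? 1 : 0
  cluster_arn     = aws_msk_cluster.kafka[0].arn
  secret_arn_list = [for secret in aws_secretsmanager_secret.client_secret : null] #5
}
```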
diff --git a/assets/queries/common/passwords_and_secrets/test/negative61.proto b/assets/queries/common/passwords_and_secrets/test/negative61.proto
new file mode 100644
index 00000000000..eec951cfa45
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative61.proto
@@ -0,0 +1,141 @@
+// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Proto File fields" allow-rule-test - #1
+// "Generic Private Key" - 2f665079-c383-4b33-896e-88268c1fa258 - "Avoiding Proto File fields" allow rule test - #2
+// "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - "Avoiding Proto File fields" allow-rule-test - #3
+// "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding Proto File fields" allow rule test - #4
+// "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding Proto File fields" allow rule test - #5
+// Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding Boolean's" allow-rule-test - #6
+syntax = "proto3";
+package com.example.security_test.v1;
+import "google/protobuf/wrappers.proto";
+option go_package = "github.com/CheckmarxDev/router-audit/gen/presets/v1;presets";
+
+// Scenario 1 - Simple attribution
+message SampleMessageNegative {
+ google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token #1
+ google.protobuf.StringValue sonar_token = 39;google.protobuf.StringValue codecov_token = 40;// trailing comment test - Generic Token #1
+
+ google.protobuf.StringValue access_token= 111111111; // Generic Token #1
+ google.protobuf.StringValue api_token = 7 ; // Generic Token #1
+ google.protobuf.StringValue token = 8; // Generic Token #1
+ google.protobuf.StringValue aws_session_token = 9; // Generic Token #1
+ google.protobuf.StringValue twilio_auth_token = 21; // Generic Token #1
+ google.protobuf.StringValue test_token_ = 122 ; // Generic Token #1
+
+ google.protobuf.StringValue jwt_private_key = 25; // Generic Private Key #2
+ google.protobuf.StringValue ssh_private_key = 26; // Generic Private Key #2
+ google.protobuf.StringValue tls_private_key = 27; // Generic Private Key #2
+ google.protobuf.StringValue ca_private_key = 28 ; // Generic Private Key #2
+ google.protobuf.StringValue private_key = 5; // Generic Private Key #2
+
+ google.protobuf.StringValue encryption_key = 22; // Encryption Key #3
+ google.protobuf.StringValue data_encryption_key= 23 ; // Encryption Key #3
+ google.protobuf.StringValue key_encryption_key=24; // Encryption Key #3
+
+ google.protobuf.StringValue registry_password = 10421; // Generic Password #4
+ google.protobuf.StringValue artifactory_password = 10731 ; // Generic Password #4
+ google.protobuf.StringValue nexus_password = 10853; // Generic Password #4
+ string password = 64114; // Generic Password #4
+
+ string secret_key = 123456789; // Generic Secret #5
+ string secret_value = 123456790; // Generic Secret #5
+ string secret = 123456791; // Generic Secret #5
+}
+
+// Scenario 2 - Attribution with options
+message SampleMessageNegative2 {
+ google.protobuf.StringValue next_page_token = 5 [(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"test\""}]; // Generic Token #1
+ google.protobuf.StringValue next_next_page_token = 6[(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"test\""} ] ; // Generic Token #1
+ google.protobuf.StringValue api_token = 7 [(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"jira_api_token\""}]; // Generic Token #1
+
+ google.protobuf.StringValue next_page_private_key = 8 [(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"test\""}]; // Generic Private Key #2
+ google.protobuf.StringValue next_next_page_private_key = 8[(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"test\""} ] ; // Generic Private Key #2
+ google.protobuf.StringValue api_private_key = 10 [(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"jira_api_private_key\""}]; // Generic Private Key #2
+
+ google.protobuf.StringValue next_page_encryption_key = 11 [(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"test\""}]; // Encryption Key #3
+ google.protobuf.StringValue next_next_page_encryption_key = 12[(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"test\""} ] ; // Encryption Key #3
+ google.protobuf.StringValue api_encryption_key = 13 [(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"jira_api_encryption_key\""}]; // Encryption Key #3
+
+ google.protobuf.StringValue next_page_password = 14 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"test\""}]; // Generic Password #4
+ google.protobuf.StringValue next_next_page_password = 15[(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"test\""} ] ; // Generic Password #4
+ google.protobuf.StringValue api_password = 16 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"jira_api_password\""}]; // Generic Password #4
+
+ google.protobuf.StringValue next_page_secret = 17[(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"test\""}]; // Generic Secret #5
+ google.protobuf.StringValue next_next_page_secret = 18[(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"test\""} ] ; // Generic Secret #5
+ google.protobuf.StringValue api_secret = 19[(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"jira_api_secret\""}]; // Generic Secret #5
+}
+
+message MyOptions {
+ string file_only_option_token = 1 [targets = TARGET_TYPE_FILE]; // Generic Token #1
+ int message_and_enum_option_token = 2 [targets = TARGET_TYPE_MESSAGE,
+ targets = TARGET_TYPE_ENUM]; // Generic Token #1 (line above)
+
+ string file_only_option_private_key = 11 [targets = TARGET_TYPE_FILE]; // Generic Private Key #2
+ int message_and_enum_option_private_key = 21 [targets = TARGET_TYPE_MESSAGE,
+ targets = TARGET_TYPE_ENUM]; // Generic Private Key #2 (line above)
+
+ string file_only_option_encryption_key = 13 [targets = TARGET_TYPE_FILE]; // Encryption Key #3
+ int message_and_enum_option_encryption_key = 23 [targets = TARGET_TYPE_MESSAGE,
+ targets = TARGET_TYPE_ENUM]; // Encryption Key #3 (line above)
+
+ string file_only_option_password = 14 [targets = TARGET_TYPE_FILE]; // Generic Password #4
+ int message_and_enum_option_password = 24 [targets = TARGET_TYPE_MESSAGE,
+ targets = TARGET_TYPE_ENUM]; // Generic Password #4 (line above)
+
+ string file_only_option_secret = 15[targets = TARGET_TYPE_FILE]; // Generic Secret #5
+ int message_and_enum_option_secret = 25[targets = TARGET_TYPE_MESSAGE,
+ targets = TARGET_TYPE_ENUM]; // Generic Secret #5 (line above)
+
+ int B_message_and_enum_option_token = 2 [targets = TARGET_TYPE_MESSAGE, targets = TARGET_TYPE_ENUM]; // Generic Token #1
+
+ int B_message_and_enum_option_private_key = 211 [targets = TARGET_TYPE_MESSAGE, targets = TARGET_TYPE_ENUM]; // Generic Private Key #2
+
+ int B_message_and_enum_option_encryption_key = 232 [targets = TARGET_TYPE_MESSAGE, targets = TARGET_TYPE_ENUM]; // Encryption Key #3
+
+ int B_message_and_enum_option_password = 243 [targets = TARGET_TYPE_MESSAGE, targets = TARGET_TYPE_ENUM]; // Generic Password #4
+
+ int B_message_and_enum_option_secret = 254[targets = TARGET_TYPE_MESSAGE, targets = TARGET_TYPE_ENUM]; // Generic Secret #5
+}
+
+message Not_a_Token {
+ string token = 1 [json_name = "tk"]; // Generic Token #1
+ string private_key = 4 [json_name = "pk"]; // Generic Private Key #2
+ string encryption_key = 3 [json_name = "ek"]; // Encryption Key #3
+ string password = 2 [json_name = "ps"]; // Generic Password #4
+ string secret = 5[json_name = "se"]; // Generic Secret #5
+}
+
+// Scenario 3 - Enum attributions
+enum Corpus {
+ DATA_A_UNSPECIFIED_TOKEN = 0 [ deprecated = true ] ; // Generic Token #1
+ DATA_A_TOKEN = 11[deprecated=true] ; // Generic Token #1 & #6
+ DATA_A_PRIVATE_KEY = 2[deprecated = false]; // Generic Private Key #2 & #6
+ DATA_A_ENCRYPTION_KEY = 3[deprecated = true]; // Encryption Key #3 & #6
+ DATA_A_PASSWORD = 1234 [deprecated = false]; // Generic Password #4 & #6
+ DATA_A_SECRET = 5[deprecated=true]; // Generic Secret #5 & #6
+
+ // Generic Token #1 (line below)
+ DATA_B_TOKEN = 2[
+ (string_name) = "display_value"
+ ];
+ // Generic Private Key #2 (line below)
+ DATA_B_PRIVATE_KEY = 2 [
+ (string_name) = "display_value"
+ ];
+ // Encryption Key #3 (line below)
+ DATA_B_ENCRYPTION_KEY = 2 [
+ (string_name) = "display_value"
+ ];
+ // Generic Password #4 (line below)
+ DATA_B_PASSWORD = 28970[
+ (string_name) = "display_value"
+ ];
+ // Generic Secret #5 (line below)
+ DATA_B_SECRET = 123456789[
+ (string_name) = "display_value"
+ ];
+}
+
+// Scenario 4 - Generic keywords in "reserved"
+enum EnumAllowingAlias {
+ reserved "password", "api_token", "private_key", "encryption_key", "exposed_secret";
+ option end_of_sample = false;}enum InlineMessageFormat{option end_of_sample = true;}
\ No newline at end of file
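Review bot: Field number 8 is reused on consecutive lines of `SampleMessageNegative2` (`next_page_private_key = 8` and `next_next_page_private_key = 8`) while every other pair increments (5/6, 11/12, 14/15, 17/18) and `api_private_key` already takes 10, so this reads as a typo for `google.protobuf.StringValue next_next_page_private_key = 9[(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"test\""} ] ; // Generic Private Key #2`. The `Corpus` enum likewise assigns 2 to four members without `allow_alias`; harmless for a regex fixture, but a short comment saying the numbering is deliberate would stop a reader from "fixing" it. The header comments alternate between `allow-rule-test` (#1, #3, #6) and `allow rule test` (#2, #4, #5); the hyphenated form is what the other fixtures use. The `go_package` option also names what looks like an internal repository path; a neutral placeholder such as `example.com/security_test/v1;presets` avoids publishing project layout in a test asset.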
diff --git a/assets/queries/common/passwords_and_secrets/test/negative62.tf b/assets/queries/common/passwords_and_secrets/test/negative62.tf
new file mode 100644
index 00000000000..e4cfd62629e
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative62.tf
@@ -0,0 +1,110 @@
+# "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - "Avoiding TF resource access" allow-rule-test - #1
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding TF variables" allow-rule-test - #2
+# Global allow rule - a88baa34-e2ad-44ea-ad6f-8cac87bc7c71 - "Avoiding array access" allow-rule-test - #3
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = "us-east-1"
+}
+
+variable "encryption_key" {
+ description = "Encryption key from external config"
+ type = string
+ sensitive = true
+}
+
+
+resource "aws_kms_key" "client_encryption_key" {
+ for_each = { for k, v in var.clients.storage : k => v if var.enabled }
+
+ description = "KMS key for ${each.key}"
+ deletion_window_in_days = 30
+ enable_key_rotation = true
+}
+
+resource "aws_kms_alias" "client_encryption_alias" {
+ for_each = { for k, v in var.clients.storage : k => v if var.enabled }
+
+ name = "alias/${each.key}-encryption"
+ target_key_id = aws_kms_key.client_encryption_key[each.key].key_id
+}
+
+module "storage" {
+ for_each = { for k, v in var.clients.storage : k => v if var.enabled }
+ source = "./modules/storage"
+
+ encryption_key = aws_kms_key.client_encryption_key[each.key].arn #1
+}
+
+module "storage_2" {
+ for_each = { for k, v in var.clients.storage : k => v if var.enabled }
+ source = "./modules/storage"
+
+ encryption_key = aws_kms_key[each.key].client_encryption_key.arn #1
+}
+
+module "storage_3" {
+ for_each = { for k, v in var.clients.storage : k => v if var.enabled }
+ source = "./modules/storage"
+
+ encryption_key = aws_kms_key["index"].client_encryption_key.arn #3
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "bucket_enc" {
+ count = var.enabled ? 1 : 0
+ bucket = aws_s3_bucket.main[0].id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "aws:kms"
+ kms_master_key_id = [for k in aws_kms_key.client_encryption_key : k.arn] #1
+ }
+ }
+}
+
+module "optional_encryption" {
+ source = "./modules/storage"
+
+ encryption_key = null #1
+}
+
+module "database" {
+ source = "./modules/database"
+
+ encryption_key = var.encryption_key #2
+}
+
+module "app" {
+ source = "./modules/app"
+
+ encryption_key = module.encryption.key_output.value #1
+}
+
+data "aws_kms_key" "existing" {
+ key_id = "alias/existing-encryption-key"
+}
+
+module "legacy" {
+ source = "./modules/legacy"
+
+ encryption_key = data.aws_kms_key.existing.arn #1
+}
+
+locals {
+ encryption_config = {
+ key_arn = aws_kms_key.client_encryption_key["primary"].arn
+ }
+}
+
+module "monitoring" {
+ source = "./modules/monitoring"
+
+ encryption_key = local.encryption_config.key_arn #1
+}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative63.yaml b/assets/queries/common/passwords_and_secrets/test/negative63.yaml
new file mode 100644
index 00000000000..22417cd1bef
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative63.yaml
@@ -0,0 +1,21 @@
+# "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - "Avoiding CloudFormation Parameters Descriptions" allow rule test
+Transform: 'AWS::Serverless-2016-10-31'
+Metadata:
+ 'AWS::ServerlessRepo::Application':
+ Name: AthenaJdbcConnector
+ Description: 'This connector enables Amazon Athena to communicate with your Database instance(s) using JDBC driver.'
+ Author: 'default author'
+ SpdxLicenseId: Apache-2.0
+ LicenseUrl: LICENSE.txt
+ ReadmeUrl: README.md
+ Labels:
+ - athena-federation
+ HomePageUrl: 'https://github.com/awslabs/aws-athena-query-federation'
+ SemanticVersion: 2021.41.1
+ SourceCodeUrl: 'https://github.com/awslabs/aws-athena-query-federation'
+Parameters:
+ SecretNamePrefix:
+ # negative1 :
+ Description: 'Used to create resource-based authorization policy for "secretsmanager:GetSecretValue" action. E.g. All Athena JDBC Federation secret names can be prefixed with "AthenaJdbcFederation" and authorization policy will allow "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:AthenaJdbcFederatione*". Parameter value in this case should be "AthenaJdbcFederation". If you do not have a prefix, you can manually update the IAM policy to add allow any secret names.'
+ Type: String
+Resources:
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative64.tf b/assets/queries/common/passwords_and_secrets/test/negative64.tf
new file mode 100644
index 00000000000..557963d0b35
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative64.tf
@@ -0,0 +1,12 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding TF creation token" allow-rule-test
+resource "aws_efs_file_system" "example" {
+ creation_token = "my-efs-filesystem" # negative1
+
+ tags = {
+ Name = "MyEFS"
+ }
+}
+
+resource "aws_efs_file_system" "quoted_key" {
+ creation_token = "my-efs-token-123" # negative2
+}
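Review bot: The second resource is named `quoted_key`, but its attribute key is not quoted (`creation_token = "my-efs-token-123"`), so negative2 repeats negative1 rather than exercising the quoted-key form the resource name suggests it was meant to cover. Either quote the key, `"creation_token" = "my-efs-token-123" # negative2`, or rename the resource to describe what it actually tests.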
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative65.tf b/assets/queries/common/passwords_and_secrets/test/negative65.tf
new file mode 100644
index 00000000000..bd7f4d82505
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative65.tf
@@ -0,0 +1,6 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding LifecycleActionToken Var" allow-rule-test
+variable "lifecycle_config" {
+ default = {
+ LifecycleActionToken = "placeholder-token-value"
+ }
+}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative66.json b/assets/queries/common/passwords_and_secrets/test/negative66.json
new file mode 100644
index 00000000000..dbc0a3f5375
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative66.json
@@ -0,0 +1,21 @@
+{
+ "metadata": "'Generic Token' - baee238e-1921-4801-9c3f-79ae1d7b2cbc - 'Avoiding LifecycleActionToken Var' allow-rule-test (line 13)",
+ "contentVersion": "1.0.0.0",
+ "resources": [
+ {
+ "type": "Microsoft.Compute/virtualMachineScaleSets",
+ "apiVersion": "2021-03-01",
+ "name": "[parameters('vmssName')]",
+ "location": "eastus",
+ "properties": {
+ "orchestrationMode": "Flexible",
+ "lifecycleHook": {
+ "LifecycleActionToken": "d290f1ee-6c54-4b01-90e6-d701748f0851",
+ "LifecycleHookName": "my-lifecycle-hook",
+ "AutoScalingGroupName": "my-asg-group",
+ "LifecycleTransition": "autoscaling:EC2_INSTANCE_LAUNCHING"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative67.yaml b/assets/queries/common/passwords_and_secrets/test/negative67.yaml
new file mode 100644
index 00000000000..75c9fc9d974
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative67.yaml
@@ -0,0 +1,12 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding LifecycleActionToken Var" allow-rule-test (line 10)
+Resources:
+ LifecycleHookAction:
+ Type: AWS::AutoScaling::LifecycleHook
+ Properties:
+ AutoScalingGroupName: my-asg-group
+ LifecycleTransition: "autoscaling:EC2_INSTANCE_LAUNCHING"
+ NotificationMetadata: |
+ {
+ "LifecycleActionToken": "d290f1ee-6c54-4b01-90e6-d701748f0851",
+ "LifecycleHookName": "my-lifecycle-hook"
+ }
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative68.yaml b/assets/queries/common/passwords_and_secrets/test/negative68.yaml
new file mode 100644
index 00000000000..a1f9e129049
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative68.yaml
@@ -0,0 +1,22 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding result_token Var" allow-rule-test (line 13)
+Resources:
+ ConfigEvaluatorFunction:
+ Type: AWS::Lambda::Function
+ Properties:
+ Runtime: python3.12
+ Handler: index.handler
+ Code:
+ ZipFile: |
+ import boto3
+ config = boto3.client('config')
+ def handler(event, context):
+ result_token = event['resultToken']
+ config.put_evaluations(
+ Evaluations=[{
+ 'ComplianceResourceType': event['configRuleArn'],
+ 'ComplianceResourceId': event['resourceId'],
+ 'ComplianceType': 'COMPLIANT',
+ 'OrderingTimestamp': event['notificationCreationTime']
+ }],
+ ResultToken=result_token
+ )
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/negative69.tf b/assets/queries/common/passwords_and_secrets/test/negative69.tf
new file mode 100644
index 00000000000..9a47f903e50
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative69.tf
@@ -0,0 +1,23 @@
+# "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding next_token Var" allow-rule-test (line 21)
+resource "aws_lambda_function" "list_resources" {
+ function_name = "list-all-resources"
+ runtime = "python3.12"
+ handler = "index.handler"
+ role = aws_iam_role.lambda_role.arn
+ filename = "lambda.zip"
+}
+
+resource "local_file" "lambda_code" {
+ filename = "index.py"
+ content = <code
- officiel géographique (COG))
- codeCedexEtablissement:
- type: string
- description: Numéro de Cedex
- libelleCedexEtablissement:
- type: string
- description: Libellé correspondant au numéro de Cedex (variable codeCedexEtablissement)
- codePaysEtrangerEtablissement:
- type: string
- description: Code pays pour les établissements situés à l’étranger
- libellePaysEtrangerEtablissement:
- type: string
- description: Libellé du pays pour les adresses à l’étranger
- description: Ensemble des variables d'adresse d'un établissement
- etatService:
- type: string
- description: État actuel du service
- enum:
- - UP
- - DOWN
tags: []
diff --git a/assets/queries/common/passwords_and_secrets/test/positive51.dockerfile b/assets/queries/common/passwords_and_secrets/test/positive51.dockerfile
index a923ba6c694..e67a52b60c4 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive51.dockerfile
+++ b/assets/queries/common/passwords_and_secrets/test/positive51.dockerfile
@@ -1,3 +1,4 @@
+# "Dockerfile ENV hardcoded password with omitted equals" - f05f238a-2ef0-4c39-9a36-951de1ba6dc9 positive-test
FROM baseImage
ENV ARTEMIS_USER artemis
diff --git a/assets/queries/common/passwords_and_secrets/test/positive52.dockerfile b/assets/queries/common/passwords_and_secrets/test/positive52.dockerfile
index c536dbe279e..5aee16fdf39 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive52.dockerfile
+++ b/assets/queries/common/passwords_and_secrets/test/positive52.dockerfile
@@ -1,6 +1,8 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test
FROM baseImage
ENV ARTEMIS_USER=artemis
+# positive1:
ENV ARTEMIS_PASSWORD=artemis
RUN apk add --no-cache git \
diff --git a/assets/queries/common/passwords_and_secrets/test/positive53.json b/assets/queries/common/passwords_and_secrets/test/positive53.json
index 2ed1353d025..f4dde0380aa 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive53.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive53.json
@@ -1,4 +1,5 @@
{
+ "metadata": "'Generic Password' - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test (line 55)",
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
diff --git a/assets/queries/common/passwords_and_secrets/test/positive54.tf b/assets/queries/common/passwords_and_secrets/test/positive54.tf
index e541addefc5..4761e4aeaf2 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive54.tf
+++ b/assets/queries/common/passwords_and_secrets/test/positive54.tf
@@ -1,15 +1,15 @@
-
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test
variable "linux_vms" {
description = "positive54.tf"
type = map(object({
region = string
size = optional(string)
admin_username = optional(string)
- admin_password = "optional(sensitive(string))"
+ admin_password = "optional(sensitive(string))" # positive1
}))
default = {}
}
resource "azurerm_linux_virtual_machine" "vms" {
- admin_password = try(each.value.admin_password, "exposed_password", null)
+ admin_password = try(each.value.admin_password, "exposed_password", null) # positive2
}
\ No newline at end of file
diff --git a/assets/queries/common/passwords_and_secrets/test/positive55.json b/assets/queries/common/passwords_and_secrets/test/positive55.json
index 10f73052150..17c97f066c3 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive55.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive55.json
@@ -1,4 +1,5 @@
{
+ "metadata": "'Generic Secret' - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c positive-test (line 5)",
"Resources": {
"service-3": {
"secretValue": "secretVaule1"
diff --git a/assets/queries/common/passwords_and_secrets/test/positive56.proto b/assets/queries/common/passwords_and_secrets/test/positive56.proto
new file mode 100644
index 00000000000..8904d103b5a
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/positive56.proto
@@ -0,0 +1,38 @@
+// "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - positive-test - #1
+// "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 - positive-test - #2
+// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - positive-test - #3
+// "Generic Private Key" - 2f665079-c383-4b33-896e-88268c1fa258 - positive-test - #4
+// "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - positive-test - #5
+// "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding Proto File fields" allow rule test - #6
+// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Proto File fields" allow-rule-test - #7
+// "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - "Avoiding Proto File fields" allow-rule-test - #8
+
+syntax = "proto3";
+
+// This sample should not flag the message defined only the exposed secrets in comments :
+// "password" = "test_sample" #1
+// "secret_key" : minimum_ten_characters #2
+// "unsafe_token" : "is_this_safe" #3
+
+package com.example.security_test.v1;
+
+import "google/protobuf/wrappers.proto";
+
+message InocentMessage {
+ google.protobuf.StringValue safe_value = 1;
+ double not_a_password = 22222; // #6
+ float not_a_token = 3; // #7
+ string not_an_encryption_key = 4; // #8
+}
+
+
+extend google.protobuf.FileOptions { // too generic for an allow rule
+ int32 source_retention_password = 12342134 //#1
+ [retention = RETENTION_SOURCE];
+ string source_retention_token = 12342135 //#3
+ [retention = RETENTION_SOURCE];
+ float source_retention_private_key = 12342137 //#4
+ [retention = RETENTION_SOURCE];
+ double source_retention_encryption_key = 12342136 //#5
+ [retention = RETENTION_SOURCE];
+}
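Review bot: The `extend google.protobuf.FileOptions` block records plain field declarations (`source_retention_password = 12342134` and the three that follow) as expected findings #1/#3/#4/#5, i.e. the fixture locks in a known false positive, and the only explanation is the trailing `// too generic for an allow rule`. Spell that out so a later allow-rule change that stops reporting them is recognised as an intended behaviour change rather than a regression, e.g. `// Not secrets: field numbers whose options continue on the next line. Reported on purpose because the proto allow rule does not cover this form; revisit if that rule changes.` The sentence above the commented secrets is ambiguous ("should not flag the message defined only the exposed secrets in comments"); `// Only the secrets in the comments below are expected findings (#1-#3); the message definitions themselves must not be flagged.` says what the fixture asserts. `InocentMessage` is presumably `InnocentMessage`.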
diff --git a/assets/queries/common/passwords_and_secrets/test/positive6.dockerfile b/assets/queries/common/passwords_and_secrets/test/positive6.dockerfile
index b7215a3a104..523c26689fa 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive6.dockerfile
+++ b/assets/queries/common/passwords_and_secrets/test/positive6.dockerfile
@@ -1,7 +1,10 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test
FROM baseImage
+# positive1
ARG password=pass!1213Fs
-
FROM test2
+
+# positive2
ARG password=pass!1213Fs
diff --git a/assets/queries/common/passwords_and_secrets/test/positive7.tf b/assets/queries/common/passwords_and_secrets/test/positive7.tf
index 0cf0ff92627..570ea8d10f9 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive7.tf
+++ b/assets/queries/common/passwords_and_secrets/test/positive7.tf
@@ -1,3 +1,4 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test
resource "google_container_cluster" "primary2" {
name = "marcellus-wallace"
location = "us-central1-a"
@@ -5,7 +6,7 @@ resource "google_container_cluster" "primary2" {
master_auth {
username = ""
- password = "pwd_jsuwauJk212"
+ password = "pwd_jsuwauJk212" # positive1
client_certificate_config {
issue_client_certificate = true
diff --git a/assets/queries/common/passwords_and_secrets/test/positive8.json b/assets/queries/common/passwords_and_secrets/test/positive8.json
index 2fd45f3ca51..d1d351b7f93 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive8.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive8.json
@@ -1,4 +1,5 @@
{
+ "metadata": "'Generic Password' - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test (line 5/8)",
"Resources": {
"service-1": {
"password": "abcdefg"
diff --git a/assets/queries/common/passwords_and_secrets/test/positive9.tf b/assets/queries/common/passwords_and_secrets/test/positive9.tf
index ae7cdce4e49..749fe5ec111 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive9.tf
+++ b/assets/queries/common/passwords_and_secrets/test/positive9.tf
@@ -1,3 +1,4 @@
+# "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test
resource "google_container_cluster" "primary4" {
name = "marcellus-wallace"
location = "us-central1-a"
@@ -5,7 +6,7 @@ resource "google_container_cluster" "primary4" {
master_auth {
username = ""
- password = "abcd s"
+ password = "abcd s" # positive1
client_certificate_config {
issue_client_certificate = true
diff --git a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
index e29ad869f20..2271644b04c 100644
--- a/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
+++ b/assets/queries/common/passwords_and_secrets/test/positive_expected_result.json
@@ -26,181 +26,181 @@
{
"queryName": "Passwords And Secrets - Generic Secret",
"severity": "HIGH",
- "line": 2,
+ "line": 3,
"fileName": "positive5.tf"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 3,
+ "line": 5,
"fileName": "positive6.dockerfile"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 7,
+ "line": 10,
"fileName": "positive6.dockerfile"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 8,
+ "line": 9,
"fileName": "positive7.tf"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 4,
+ "line": 5,
"fileName": "positive8.json"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line":7,
+ "line": 8,
"fileName": "positive8.json"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 8,
+ "line": 9,
"fileName": "positive9.tf"
},
{
"queryName": "Passwords And Secrets - Password in URL",
"severity": "HIGH",
- "line": 7,
+ "line": 10,
"fileName": "positive10.json"
},
{
"queryName": "Passwords And Secrets - Slack Webhook",
"severity": "HIGH",
- "line": 17,
+ "line": 20,
"fileName": "positive10.json"
},
{
"queryName": "Passwords And Secrets - MSTeams Webhook",
"severity": "HIGH",
- "line": 27,
+ "line": 30,
"fileName": "positive10.json"
},
{
"queryName": "Passwords And Secrets - Password in URL",
"severity": "HIGH",
- "line": 7,
+ "line": 10,
"fileName": "positive11.yaml"
},
{
"queryName": "Passwords And Secrets - Slack Webhook",
"severity": "HIGH",
- "line": 9,
+ "line": 12,
"fileName": "positive11.yaml"
},
{
"queryName": "Passwords And Secrets - MSTeams Webhook",
"severity": "HIGH",
- "line": 11,
+ "line": 14,
"fileName": "positive11.yaml"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 8,
+ "line": 12,
"fileName": "positive12.json"
},
{
"queryName": "Passwords And Secrets - Password in URL",
"severity": "HIGH",
- "line": 11,
+ "line": 15,
"fileName": "positive12.json"
},
{
"queryName": "Passwords And Secrets - Slack Webhook",
"severity": "HIGH",
- "line": 15,
+ "line": 19,
"fileName": "positive12.json"
},
{
"queryName": "Passwords And Secrets - MSTeams Webhook",
"severity": "HIGH",
- "line": 19,
+ "line": 23,
"fileName": "positive12.json"
},
{
"queryName": "Passwords And Secrets - Asymmetric private key",
"severity": "HIGH",
- "line": 6,
+ "line": 7,
"fileName": "positive13.tf"
},
{
"queryName": "Passwords And Secrets - AWS Access Key",
"severity": "HIGH",
- "line": 17,
+ "line": 18,
"fileName": "positive14.tf"
},
{
"queryName": "Passwords And Secrets - AWS Secret Key",
"severity": "HIGH",
- "line": 18,
+ "line": 19,
"fileName": "positive14.tf"
},
{
"queryName": "Passwords And Secrets - AWS Access Key",
"severity": "HIGH",
- "line": 14,
+ "line": 16,
"fileName": "positive15.tf"
},
{
"queryName": "Passwords And Secrets - AWS Secret Key",
"severity": "HIGH",
- "line": 15,
+ "line": 17,
"fileName": "positive15.tf"
},
{
"queryName": "Passwords And Secrets - K8s Environment Variable Password",
"severity": "HIGH",
- "line": 34,
+ "line": 35,
"fileName": "positive16.yaml"
},
{
"queryName": "Passwords And Secrets - K8s Environment Variable Password",
"severity": "HIGH",
- "line": 36,
+ "line": 37,
"fileName": "positive16.yaml"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 7,
+ "line": 8,
"fileName": "positive17.tf"
},
{
"queryName": "Passwords And Secrets - Google OAuth",
"severity": "HIGH",
- "line": 5,
+ "line": 6,
"fileName": "positive18.tf"
},
{
"queryName": "Passwords And Secrets - Slack Token",
"severity": "HIGH",
- "line": 2,
+ "line": 4,
"fileName": "positive19.tf"
},
{
"queryName": "Passwords And Secrets - Stripe API Key",
"severity": "HIGH",
- "line": 2,
+ "line": 3,
"fileName": "positive20.tf"
},
{
"queryName": "Passwords And Secrets - Google API Key",
"severity": "HIGH",
- "line": 50,
+ "line": 51,
"fileName": "positive21.tf"
},
{
"queryName": "Passwords And Secrets - Heroku API Key",
"severity": "HIGH",
- "line": 3,
+ "line": 4,
"fileName": "positive22.tf"
},
{
@@ -212,163 +212,187 @@
{
"queryName": "Passwords And Secrets - Generic API Key",
"severity": "HIGH",
- "line": 4,
+ "line": 5,
"fileName": "positive24.tf"
},
{
"queryName": "Passwords And Secrets - Square Access Token",
"severity": "HIGH",
- "line": 3,
+ "line": 11,
"fileName": "positive25.dockerfile"
},
{
"queryName": "Passwords And Secrets - Picatic API Key",
"severity": "HIGH",
- "line": 5,
+ "line": 14,
"fileName": "positive25.dockerfile"
},
{
"queryName": "Passwords And Secrets - Amazon MWS Auth Token",
"severity": "HIGH",
- "line": 7,
+ "line": 17,
"fileName": "positive25.dockerfile"
},
{
"queryName": "Passwords And Secrets - MailChimp API Key",
"severity": "HIGH",
- "line": 9,
+ "line": 20,
"fileName": "positive25.dockerfile"
},
{
"queryName": "Passwords And Secrets - SendGrid API Key",
"severity": "HIGH",
- "line": 11,
+ "line": 23,
"fileName": "positive25.dockerfile"
},
{
"queryName": "Passwords And Secrets - Generic Private Key",
"severity": "HIGH",
- "line": 9,
+ "line": 10,
"fileName": "positive26.yaml"
},
{
"queryName": "Passwords And Secrets - Generic Token",
"severity": "HIGH",
- "line": 5,
+ "line": 6,
"fileName": "positive27.yaml"
},
{
"queryName": "Passwords And Secrets - Generic Token",
"severity": "HIGH",
- "line": 22,
+ "line": 23,
"fileName": "positive27.yaml"
},
{
"queryName": "Passwords And Secrets - Generic Token",
"severity": "HIGH",
- "line": 5,
+ "line": 6,
"fileName": "positive28.yaml"
},
{
"queryName": "Passwords And Secrets - Mailgun API Key",
"severity": "HIGH",
- "line": 2,
+ "line": 3,
"fileName": "positive29.tf"
},
{
"queryName": "Passwords And Secrets - Stripe Restricted API Key",
"severity": "HIGH",
- "line": 2,
+ "line": 3,
"fileName": "positive30.tf"
},
{
"queryName": "Passwords And Secrets - Twilio API Key",
"severity": "HIGH",
- "line": 4,
+ "line": 6,
"fileName": "positive31.yaml"
},
{
"queryName": "Passwords And Secrets - PayPal Braintree Access Token",
"severity": "HIGH",
- "line": 4,
+ "line": 6,
"fileName": "positive32.yaml"
},
{
"queryName": "Passwords And Secrets - Facebook Access Token",
"severity": "HIGH",
- "line": 13,
+ "line": 15,
+ "fileName": "positive33.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Facebook Access Token",
+ "severity": "HIGH",
+ "line": 17,
"fileName": "positive33.yaml"
},
{
"queryName": "Passwords And Secrets - Square OAuth Secret",
"severity": "HIGH",
- "line": 13,
+ "line": 15,
+ "fileName": "positive34.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Square OAuth Secret",
+ "severity": "HIGH",
+ "line": 16,
"fileName": "positive34.yaml"
},
{
"queryName": "Passwords And Secrets - Google OAuth Access Token",
"severity": "HIGH",
- "line": 13,
+ "line": 15,
"fileName": "positive35.yaml"
},
{
"queryName": "Passwords And Secrets - Putty User Key File Content",
"severity": "HIGH",
- "line": 5,
+ "line": 6,
"fileName": "positive36.tf"
},
{
"queryName": "Passwords And Secrets - Generic Secret",
"severity": "HIGH",
- "line": 14,
+ "line": 15,
"fileName": "positive37.tf"
},
{
"queryName": "Passwords And Secrets - CloudFormation Secret Template",
"severity": "HIGH",
- "line": 16,
+ "line": 18,
"fileName": "positive38.yaml"
},
{
"queryName": "Passwords And Secrets - Generic Secret",
"severity": "HIGH",
- "line": 3,
+ "line": 4,
"fileName": "positive39.tf"
},
{
"queryName": "Passwords And Secrets - AWS Context-specific credential",
"severity": "HIGH",
- "line": 14,
+ "line": 15,
"fileName": "positive40.tf"
},
{
"queryName": "Passwords And Secrets - AWS Certificate",
"severity": "HIGH",
- "line": 15,
+ "line": 16,
"fileName": "positive40.tf"
},
{
"queryName": "Passwords And Secrets - Asymmetric private key",
"severity": "HIGH",
- "line": 6,
+ "line": 7,
"fileName": "positive41.tf"
},
{
"queryName": "Passwords And Secrets - Generic Access Key",
"severity": "HIGH",
- "line": 7,
+ "line": 8,
"fileName": "positive42.tf"
},
{
"queryName": "Passwords And Secrets - Generic Token",
"severity": "HIGH",
- "line": 5,
+ "line": 7,
"fileName": "positive43.yaml"
},
{
- "queryName": "Passwords And Secrets - Generic Secret",
+ "queryName": "Passwords And Secrets - Encryption Key",
"severity": "HIGH",
- "line": 17,
+ "line": 5,
+ "fileName": "positive44.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Encryption Key",
+ "severity": "HIGH",
+ "line": 6,
+ "fileName": "positive44.yaml"
+ },
+ {
+ "queryName": "Passwords And Secrets - Encryption Key",
+ "severity": "HIGH",
+ "line": 7,
"fileName": "positive44.yaml"
},
{
@@ -380,67 +404,67 @@
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 20,
+ "line": 21,
"fileName": "positive46.yaml"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 21,
+ "line": 22,
"fileName": "positive46.yaml"
},
{
"queryName": "Passwords And Secrets - Google OAuth",
"severity": "HIGH",
- "line": 5,
+ "line": 7,
"fileName": "positive47.tf"
},
{
"queryName": "Passwords And Secrets - Generic Secret",
"severity": "HIGH",
- "line": 6,
+ "line": 8,
"fileName": "positive47.tf"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 8,
+ "line": 10,
"fileName": "positive48.tf"
},
{
"queryName": "Passwords And Secrets - Generic Private Key",
"severity": "HIGH",
- "line": 7,
+ "line": 9,
"fileName": "positive49.yml"
},
{
"queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple",
"severity": "HIGH",
- "line": 56,
+ "line": 22,
"fileName": "positive50.yaml"
},
{
"queryName": "Passwords And Secrets - Generic Password on YAML files when value in tuple",
"severity": "HIGH",
- "line": 68,
+ "line": 26,
"fileName": "positive50.yaml"
},
{
"queryName": "Passwords And Secrets - Dockerfile ENV hardcoded password with omitted equals",
"severity": "HIGH",
- "line": 4,
+ "line": 5,
"fileName": "positive51.dockerfile"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 4,
+ "line": 6,
"fileName": "positive52.dockerfile"
},
{
"queryName": "Passwords And Secrets - Generic Password",
"severity": "HIGH",
- "line": 54,
+ "line": 55,
"fileName": "positive53.json"
},
{
@@ -458,7 +482,49 @@
{
"queryName": "Passwords And Secrets - Generic Secret",
"severity": "HIGH",
- "line": 4,
+ "line": 5,
"fileName": "positive55.json"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 13,
+ "fileName": "positive56.proto"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Secret",
+ "severity": "HIGH",
+ "line": 14,
+ "fileName": "positive56.proto"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Token",
+ "severity": "HIGH",
+ "line": 15,
+ "fileName": "positive56.proto"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Password",
+ "severity": "HIGH",
+ "line": 30,
+ "fileName": "positive56.proto"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Token",
+ "severity": "HIGH",
+ "line": 32,
+ "fileName": "positive56.proto"
+ },
+ {
+ "queryName": "Passwords And Secrets - Generic Private Key",
+ "severity": "HIGH",
+ "line": 34,
+ "fileName": "positive56.proto"
+ },
+ {
+ "queryName": "Passwords And Secrets - Encryption Key",
+ "severity": "HIGH",
+ "line": 36,
+ "fileName": "positive56.proto"
}
]
\ No newline at end of file
diff --git a/e2e/fixtures/E2E_CLI_032_RESULT.json b/e2e/fixtures/E2E_CLI_032_RESULT.json
index 7ac89974e07..99f443ac9a5 100644
--- a/e2e/fixtures/E2E_CLI_032_RESULT.json
+++ b/e2e/fixtures/E2E_CLI_032_RESULT.json
@@ -126,7 +126,7 @@
"files": [
{
"file_name": "/path/e2e/fixtures/samples/positive.yaml",
- "similarity_id": "5f948e5c0c97f3e7c43cd531de50c6c54a2cec221a45f113a34a571165d30553",
+ "similarity_id": "aa3fd914f960f2ee04950affedb46169e1feb602f3501370da9acdafe288c407",
"line": 273,
"issue_type": "RedundantAttribute",
"search_key": "",
diff --git a/pkg/engine/secrets/inspector_test.go b/pkg/engine/secrets/inspector_test.go
index 2b5bbf12b55..f642d0e1772 100644
--- a/pkg/engine/secrets/inspector_test.go
+++ b/pkg/engine/secrets/inspector_test.go
@@ -260,6 +260,34 @@ var OriginalData7 = `# kics-scan disable=baee238e-1921-4801-9c3f-79ae1d7b2cbc
register: result
`
+var OriginalData8 = `
+ syntax = "proto3";
+
+ package com.example.security_test.v1;
+
+ import "google/protobuf/wrappers.proto";
+
+ message ResultsThatFlag {
+ google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token
+ google.protobuf.StringValue access_token= 1; // Generic Token
+ google.protobuf.StringValue id_token = 3; // Generic Token
+ google.protobuf.StringValue bearer_toaken = 4;;; // Generic Token
+ google.protobuf.StringValue api_token = 7 ; // Generic Token
+ google.protobuf.StringValue token = 8; // Generic Token
+ google.protobuf.StringValue sonar_token = 39;google.protobuf.StringValue codecov_token = 40;// trailing comment test - Generic Token
+ google.protobuf.StringValue jwt_private_key = 25; // Generic Private Key
+ google.protobuf.StringValue ssh_private_key = 26; // Generic Private Key
+ google.protobuf.StringValue tls_private_key = 27; // Generic Private Key
+ google.protobuf.StringValue sp_private_key = 6; // Generic Private Key
+ google.protobuf.StringValue encryption_key = 22; // Encryption Key
+ google.protobuf.StringValue data_encryption_key= 23 ; // Encryption Key
+ google.protobuf.StringValue key_encryption_key=24; // Encryption Key
+ google.protobuf.StringValue registry_password = 104; // Generic Password
+ google.protobuf.StringValue artifactory_password = 107 ; // Generic Password
+ google.protobuf.StringValue nexus_password = 108; // Generic Password
+ string password = 64; // Generic Password
+`
+
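Review bot: The `google.protobuf.StringValue bearer_toaken = 4;;;` line is annotated `// Generic Token`, but the misspelled identifier contains no `token` substring, so that line cannot exercise the rule the comment names; if the misspelling is a deliberate near-miss case, say so in the comment, e.g. `// deliberate misspelling: must NOT match Generic Token`, otherwise rename it to `bearer_token`. The `message ResultsThatFlag {` block is never closed before the closing backtick, which a line-based regex scan will not notice but which makes the fixture invalid proto3 and would break the case if the inspector ever parses the document, so a trailing `}` line before the backtick is cheap insurance. The message name and the per-line rule annotations read as if findings are expected, while the case in the following hunk that consumes OriginalData8 asserts `wantVuln: []model.Vulnerability{}`; a comment above the var such as `// Proto fields named like secrets but carrying only field numbers: every line would match a generic rule and must be suppressed by the proto allow rule` would stop the next maintainer from "fixing" the expectation in either direction.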
var testInspectInput = []struct {
name string
files model.FileMetadatas
@@ -418,6 +446,21 @@ var testInspectInput = []struct {
wantVuln: []model.Vulnerability{},
wantErr: false,
},
+ {
+ name: "valid_no_results",
+ files: model.FileMetadatas{
+ {
+ ID: "a6fbadc6-da29-4340-8d56-aa26a8852526",
+ Document: model.Document{},
+ OriginalData: OriginalData8,
+ LinesOriginalData: utils.SplitLines(OriginalData8),
+ Kind: "PROTO",
+ FilePath: "assets/queries/common/passwords_and_secrets/test/negative60.proto",
+ },
+ },
+ wantVuln: []model.Vulnerability{},
+ wantErr: false,
+ },
}
var testNewInspectorInputs = []struct {
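Review bot: The case name `valid_no_results` says nothing about what is being validated, and the fixture path `negative60.proto` does not correspond to any file visible in this diff (only positive56.proto is added), so the name is the only thing a failing test will print; `name: "proto_fields_suppressed_by_allow_rule"` would identify the scenario directly. If negative60.proto does exist in the repository, consider noting in the case that OriginalData8 is expected to mirror it, since the two can drift silently otherwise. The enclosing testInspectInput slice begins outside this hunk.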