False positive on CKV_OPENAPI_3: "Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files"

Description

False positive on CKV_OPENAPI_3: "Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files"

When

I process the following OAS3 securityScheme:

```yaml
components:
  securitySchemes:
    JWTBearer:
      type: http
      scheme: bearer
      bearerFormat: JWT
```

I expect

No issues, since there's no way to know whether it's sent over an unencrypted channel from within securitySchemes.

See https://github.com/bridgecrewio/checkov/blob/main/checkov/openapi/checks/resource/v3/CleartextOverUnencryptedChannel.py#L29

The check should then be done at the `servers:` level (e.g., if the application is over http://).

Instead I got

```
Check: CKV_OPENAPI_3: "Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files"
	FAILED for resource: components
	File: /app/openapi.yaml:298-301
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/api-policies/openapi-policies/ensure-that-security-schemes-dont-allow-cleartext-credentials-over-unencrypted-channel

		298 | type: http
		299 | scheme: bearer
		300 | bearerFormat: JWT
```

Notes

Version (please complete the following information):

Additional context

According to OAS, the `type: http` does not reference the transport layer nor the HTTP version.
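The servers-level logic the reporter proposes, written out as an added illustration: this is not checkov's code and not part of the issue. It walks an OpenAPI 3 document held as a Python dict, collects the security schemes that put a credential on every request (`type: http`, `type: apiKey`), expands templated server URLs (root, path and operation level) and only reports when some server can actually resolve to a cleartext scheme. The sample document, all function names and the treatment of relative URLs and `ws://` are assumptions made for the example.

```python
"""Servers-level cleartext-credential check (added example, not checkov's
implementation; the real check lives in CleartextOverUnencryptedChannel.py)."""
from itertools import product
from urllib.parse import urlsplit

# Scheme types that send a credential with each request (assumption for the
# example: oauth2/openIdConnect are left out to keep the logic short).
CREDENTIAL_SCHEME_TYPES = {"http", "apiKey"}


def expand_server_url(server):
    """Yield every concrete URL an OAS 3 server object can denote.

    Templated URLs such as "{scheme}://host" carry a `variables` map; each enum
    value (or the default) is substituted, so a server that *may* resolve to
    plain http is still caught.
    """
    url = server.get("url", "")
    variables = server.get("variables") or {}
    names = list(variables)
    choices = [variables[n].get("enum") or [variables[n].get("default", "")] for n in names]
    for combo in product(*choices):  # product() of nothing yields one empty tuple
        out = url
        for name, value in zip(names, combo):
            out = out.replace("{" + name + "}", str(value))
        yield out


def is_unencrypted(url):
    """True only for an explicit cleartext scheme.

    A relative URL ("/v1") inherits the scheme of wherever the document is
    served, which the spec alone cannot tell us, so it is treated as unknown.
    """
    return urlsplit(url).scheme.lower() in ("http", "ws")


def collect_servers(spec):
    """Return (location, server object) pairs from root, path and operation level."""
    found = [("servers", s) for s in spec.get("servers") or []]
    for path, item in (spec.get("paths") or {}).items():
        found += [(f"paths.{path}.servers", s) for s in item.get("servers") or []]
        for method, op in item.items():
            if isinstance(op, dict) and op.get("servers"):
                found += [(f"paths.{path}.{method}.servers", s) for s in op["servers"]]
    return found


def find_cleartext_credentials(spec):
    """Report one finding per (credential-bearing scheme, cleartext server URL)."""
    schemes = (spec.get("components") or {}).get("securitySchemes") or {}
    at_risk = [n for n, s in schemes.items() if s.get("type") in CREDENTIAL_SCHEME_TYPES]
    if not at_risk:
        return []
    findings = []
    for location, server in collect_servers(spec):
        for url in expand_server_url(server):
            if is_unencrypted(url):
                findings += [{"scheme": n, "location": location, "url": url} for n in at_risk]
    return findings


# Constructed sample (not from the issue): the reporter's bearer scheme plus
# one TLS-only server and one templated server that can resolve to http.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "servers": [
        {"url": "https://api.example.test/v1"},
        {"url": "{scheme}://legacy.example.test",
         "variables": {"scheme": {"enum": ["https", "http"], "default": "https"}}},
    ],
    "components": {"securitySchemes": {
        "JWTBearer": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"}}},
    "paths": {"/items": {"get": {"responses": {"200": {"description": "ok"}}}}},
}

# Same scheme, but every server is https: the scheme alone must not fail.
TLS_ONLY_SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "https://api.example.test/v1"}],
    "components": SAMPLE_SPEC["components"],
    "paths": SAMPLE_SPEC["paths"],
}

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_SPEC):
        print(f"{f['scheme']} reachable over cleartext via {f['location']}: {f['url']}")
    print("tls-only findings:", find_cleartext_credentials(TLS_ONLY_SPEC))
```

Run stand-alone it flags only the `http` expansion of the templated legacy server; the same `JWTBearer` scheme against an https-only `servers:` list produces no finding, which is the behaviour the report asks for.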