
Documentation / contributing guide: Where are the Secret Scanning signatures/regex stored? #6209

Open
rybal06 opened this issue Apr 24, 2024 · 0 comments
Labels
checks Check additions or changes

Comments


rybal06 commented Apr 24, 2024

Describe the issue

In testing secret scanning within Terraform files, I am left wanting more checks.

I went through the repo and documentation and didn't find an easy way to extend the logic. I did find a related issue here: #6089 where the reporter was directed to Prisma Cloud or to contribute signatures.

Where are the regex/signatures for the secret scanner stored and how can I contribute?

Here is what I have found:

  1. These two lists have different rules in them, and for many of the rules from either list I cannot find a corresponding regex in this repo:
    https://www.checkov.io/5.Policy%20Index/secrets.html
    https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/secrets-policy-index

  2. I found a list of some regex in this file, but I am not seeing many of the rules which are working today. For example, "Azure Storage Account access key" does not have any regex in this repo, yet it is working in Checkov? https://github.com/bridgecrewio/checkov/blob/main/checkov/common/util/secrets.py

  3. I looked through past pull requests in this repo to see where others have made modifications to the credential scanning. I found "secrets scanning - Azure Storage Account Keys missing use cases" (#5598), which links to a PR in a different repo named detect-secrets, which is a fork of a Yelp-hosted repo? Are some of the regex rules coming from an upstream repo? If so, where/how are these imported into Checkov?

Examples

In testing, it does not detect the following (which can be relatively accurately predicted using regex):

  • Entra ID client secrets
  • MongoDB Atlas connection string with plaintext password
  • MS SQL Server connection string with plaintext password
  • SendGrid API Key

My goal is to have reliable scanning with minimal false positives for both .tfvars and .tf files.

Flag this:

  connection_string {
    name  = "my connection string"
    type  = "Custom"
    value = "mongodb+srv://request:myplaintextpassword!@servicerequestcluster.vesade.mongodb.net"
  }

But not this (the password is stored in a variable and not in plain text):

  connection_string {
    name  = "my connection string"
    type  = "Custom"
    value = "mongodb+srv://request:${data.mongo_atlas.myuser.secret}@servicerequestcluster.vesade.mongodb.net"
  }

Version (please complete the following information):
3.2.744

Additional context

  1. How "Terraform Aware" is the credential scanner? Can it differentiate between a Terraform variable and plaintext string when parsing? It's relatively easy to find a string by looking for = "", and to look for a variable which replaces a password within a string by looking for <${myvar.name}>

  2. How can I add regex/signatures for these cases to Checkov?

@rybal06 rybal06 added the checks Check additions or changes label Apr 24, 2024
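The "Terraform-aware" check the issue asks for, written as an added example in Python (Checkov's own language). This is not Checkov's or detect-secrets' code and does not show how Checkov loads its signatures. It assumes single-line `key = "literal"` attributes, treats a password slot that is exactly one `${...}` expression as a variable reference (so it is not reported), and flags two shapes: the `scheme://user:password@host` userinfo form of the MongoDB case above, and the `Password=`/`Pwd=` key of an MS SQL-style connection string. The sample input is constructed; `Finding`, `scan`, `extract_password` and `is_interpolated` are names chosen for this example.

```python
"""Terraform-aware plaintext-credential check (added example, not Checkov code).

Assumptions (not from the issue): attributes are single-line `key = "literal"`
pairs; a password slot that is exactly one `${...}` expression is a variable
reference and is skipped; anything else in that slot is treated as plaintext.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# `key = "literal"` on one line. Heredocs, multi-line expressions and unquoted
# references such as `value = var.conn` are out of scope (and never match).
ATTR_RE = re.compile(
    r'^[ \t]*(?P<key>[A-Za-z_][A-Za-z0-9_-]*)[ \t]*=[ \t]*"(?P<val>(?:[^"\\]|\\.)*)"',
    re.M,
)

# One Terraform interpolation, allowing one level of nested braces, e.g.
# ${data.mongo_atlas.myuser.secret} or ${lookup(var.m, "k")}.
INTERP_RE = re.compile(r"\$\{[^{}]*(?:\{[^{}]*\}[^{}]*)*\}")

# URI userinfo form: scheme://user:password@host (MongoDB, Postgres, AMQP, ...).
URI_CRED_RE = re.compile(
    r"^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<user>[^:/@\s]+):(?P<password>[^@\s]+)@", re.I
)

# Key/value form used by MS SQL / ADO.NET connection strings: Password=...; or Pwd=...;
KV_PWD_RE = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=\s*(?P<password>[^;]+)", re.I)


@dataclass
class Finding:
    line: int      # 1-based line in the scanned text
    key: str       # attribute name that held the literal
    kind: str      # which pattern matched
    redacted: str  # the literal with the password slot masked, safe to print


def is_interpolated(slot: str) -> bool:
    """True when the whole password slot is a single ${...} expression.

    `$${...}` is Terraform's escape for a literal "${", so it is NOT interpolation;
    `abc${var.x}` still contains literal characters, so it is still reported.
    """
    return INTERP_RE.fullmatch(slot.strip()) is not None


def extract_password(value: str) -> Optional[Tuple[str, str]]:
    """Return (kind, password_slot) if the literal carries a password, else None."""
    m = URI_CRED_RE.match(value)
    if m:
        return "uri-userinfo", m.group("password")
    m = KV_PWD_RE.search(value)
    if m:
        return "kv-password", m.group("password").strip()
    return None


def scan(text: str) -> List[Finding]:
    """Report string literals whose password slot is plaintext."""
    findings: List[Finding] = []
    for m in ATTR_RE.finditer(text):
        hit = extract_password(m.group("val"))
        if hit is None:
            continue
        kind, slot = hit
        if is_interpolated(slot):
            continue  # e.g. ${var.db_password}: resolved at plan time, not plaintext
        line = text.count("\n", 0, m.start()) + 1
        redacted = m.group("val").replace(slot, "****", 1)
        findings.append(Finding(line, m.group("key"), kind, redacted))
    return findings


# Constructed sample: the issue's two MongoDB cases plus an MS SQL pair.
SAMPLE_TF = '''\
# constructed sample input
connection_string {
  name  = "my connection string"
  type  = "Custom"
  value = "mongodb+srv://request:myplaintextpassword!@servicerequestcluster.vesade.mongodb.net"
}

connection_string {
  name  = "my connection string"
  type  = "Custom"
  value = "mongodb+srv://request:${data.mongo_atlas.myuser.secret}@servicerequestcluster.vesade.mongodb.net"
}

sql_plain = "Server=tcp:example.database.windows.net,1433;Database=app;User ID=app;Password=Hunter2!;Encrypt=true"
sql_var   = "Server=tcp:example.database.windows.net,1433;Database=app;User ID=app;Password=${var.sql_password};Encrypt=true"
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_TF):
        print(f"line {f.line}: {f.key} [{f.kind}] {f.redacted}")
```

Run against the constructed sample this reports only line 5 (the plaintext MongoDB password) and line 14 (the plaintext `Password=`); the two `${...}` variants are skipped. The interpolation test is deliberately strict: a slot that mixes literal characters with an expression, or uses the `$${` escape, is still reported, which errs toward false positives rather than missing a half-hardcoded credential.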