Describe the issue
In testing secret scanning within Terraform files, I am left wanting more checks.
I went through the repo and documentation and didn't find an easy way to extend the logic. I did find a related issue here: #6089, where the reporter was directed to Prisma Cloud or to contribute signatures.
Where are the regex/signatures for the secret scanner stored and how can I contribute?
Here is what I have found:
These two lists have different rules in them, and I cannot find many of the rules from either list as having regex in this repo:
https://www.checkov.io/5.Policy%20Index/secrets.html
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/secrets-policy-index
I found a list of some regex in this file, but I am not seeing many of the rules which are working today. For example, "Azure Storage Account access key" does not have any regex in this repo, yet it is working in checkov? https://github.com/bridgecrewio/checkov/blob/main/checkov/common/util/secrets.py
I looked through past pull requests in this repo to see where others have made modifications to the credential scanning. I found "secrets scanning - Azure Storage Account Keys missing use cases" (#5598), which links to a PR in a different repo named detect-secrets, which is a fork of a Yelp-hosted repo? Are some of the regex rules coming from an upstream repo? If so, where/how are these imported into Checkov?
Examples
In testing, it does not detect the following (which can be relatively accurately predicted using regex):
EntraID client secrets
MongoDB Atlas connection string with plaintext password
MS SQL Server connection string with plaintext password
SendGrid API Key
My goal is to have reliable scanning with minimal false positives for both .tfvars and .tf files.
Flag this:
    connection_string {
      name  = "my connection string"
      type  = "Custom"
      value = "mongodb+srv://request:myplaintextpassword!@servicerequestcluster.vesade.mongodb.net"
    }
But not this (the password is stored in a variable and not in plain text):
    connection_string {
      name  = "my connection string"
      type  = "Custom"
      value = "mongodb+srv://request:${data.mongo_atlas.myuser.secret}@servicerequestcluster.vesade.mongodb.net"
    }
Version (please complete the following information):
3.2.744
Additional context
How "Terraform aware" is the credential scanner? Can it differentiate between a Terraform variable and a plaintext string when parsing? It's relatively easy to find a string by looking for = "", and to look for a variable which replaces a password within a string by looking for ${myvar.name}.
How can I add regex/signatures for these cases to Checkov?
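The distinction the issue asks for (flag a literal password inside a connection string, but not a `${...}` reference that Terraform resolves at plan time) can be shown in a small standalone scanner. The following is an added example written for this page; it is not code from Checkov or from detect-secrets, and it does not use either project's plugin API. It assumes one HCL attribute assignment per line with a double-quoted value, treats any `${...}` interpolation inside the candidate secret as "not a literal", and uses regexes for the four cases listed above: a URI with `user:password@`, an MS SQL `Password=` / `Pwd=` pair, the SendGrid `SG.<22>.<43>` key shape, and a catch-all for attributes whose name looks like a secret (the only workable hook for opaque values such as Entra ID client secrets). All sample values are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One HCL attribute assignment with a double-quoted string value (one per line;
# heredocs and multi-line values are out of scope for this illustration).
HCL_ASSIGN_RE = re.compile(r'^\s*(?P<key>[A-Za-z_][\w-]*)\s*=\s*"(?P<value>(?:[^"\\]|\\.)*)"')

# Terraform interpolation: ${...}. A candidate containing it is resolved at
# plan time (variable, data source, resource attribute), not a literal secret.
TF_INTERP_RE = re.compile(r"\$\{[^}]*\}")

# Detector rules over the string value; each exposes the candidate secret as
# the named group "secret" so the interpolation check can be applied uniformly.
RULES = [
    # scheme://user:password@host  (MongoDB Atlas, Postgres, Redis, ...)
    ("uri-plaintext-password",
     re.compile(r'(?i)\b[a-z][a-z0-9+.-]*://[^:/@\s"]+:(?P<secret>[^@\s"]+)@')),
    # MS SQL Server style key=value pair inside a connection string
    ("mssql-plaintext-password",
     re.compile(r'(?i)\b(?:password|pwd)\s*=\s*(?P<secret>[^;"\s]+)')),
    # SendGrid key shape: "SG." + 22 chars + "." + 43 chars (assumed shape, not from the page)
    ("sendgrid-api-key",
     re.compile(r"(?P<secret>SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43})")),
]

# Attribute names that should never carry a literal value. Entra ID client
# secrets have no reliable character-level signature, so the attribute name
# is the hook used here (hypothetical heuristic, not a Checkov rule).
SECRET_KEY_RE = re.compile(r"(?i)(client_secret|password|passwd|secret_key|api_key)$")


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    key: str


def is_interpolated(candidate: str) -> bool:
    """True when the candidate contains a Terraform ${...} reference."""
    return TF_INTERP_RE.search(candidate) is not None


def scan_hcl(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) where a literal secret is present."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = HCL_ASSIGN_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        for rule, pattern in RULES:
            hit = pattern.search(value)
            if hit and not is_interpolated(hit.group("secret")):
                findings.append(Finding(lineno, rule, key))
        if SECRET_KEY_RE.search(key) and value and not is_interpolated(value):
            findings.append(Finding(lineno, "secret-named-attribute", key))
    return findings


# Constructed sample input: the two blocks from the issue plus one literal and
# one interpolated variant for each of the other cases. Nothing here is real.
FAKE_SENDGRID_KEY = "SG." + "a" * 22 + "." + "b" * 43
SAMPLE_TF = '''
connection_string {
  name  = "my connection string"
  type  = "Custom"
  value = "mongodb+srv://request:myplaintextpassword!@servicerequestcluster.vesade.mongodb.net"
}
connection_string {
  name  = "my connection string"
  type  = "Custom"
  value = "mongodb+srv://request:${data.mongo_atlas.myuser.secret}@servicerequestcluster.vesade.mongodb.net"
}
mssql_literal = "Server=tcp:example.database.windows.net;User ID=app;Password=Hunter2!;"
mssql_var     = "Server=tcp:example.database.windows.net;User ID=app;Password=${var.db_password};"
sendgrid_key  = "FAKE_SENDGRID_KEY"
client_secret = "not-a-real-secret-value-0000"
client_secret = "${azuread_application_password.app.value}"
'''.replace("FAKE_SENDGRID_KEY", FAKE_SENDGRID_KEY)


if __name__ == "__main__":
    for f in scan_hcl(SAMPLE_TF):
        print(f"line {f.line}: {f.rule} in attribute '{f.key}'")
```

Run as-is, it reports the first `connection_string` block, the literal MS SQL string, the SendGrid-shaped value and the literal `client_secret`, and stays silent on the three `${...}` variants. The interpolation check is deliberately applied to the captured secret rather than to the whole line, so a line that mixes a literal password with an unrelated reference elsewhere is still flagged; a value such as `"pre${var.x}"` is treated as non-literal, which is the conservative choice for false positives but worth a second look in review.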