Merge pull request #6938 from Checkmarx/kics-issue-6936

fix(community): common/password_and_secrets new allow rule added to permit the ansible playbook update_password field
Checkmarx · Mar 8, 2024 · 77c8bc5 · 77c8bc5
2 parents ab4e7c4 + 7f5a9c5
commit 77c8bc5
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -12,6 +12,10 @@
         {
           "description": "Avoiding CF AllowUsersToChangePassword",
           "regex": "['\"]?AllowUsersToChangePassword['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
+        },
+        {
+          "description": "Avoiding Ansible playbook update_password",
+          "regex": "['\"]?update_password['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*+-.]{4,})['\"]?"
         }
       ],
       "specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*"

diff --git a/assets/queries/common/passwords_and_secrets/test/negative57.yml b/assets/queries/common/passwords_and_secrets/test/negative57.yml
@@ -0,0 +1,8 @@
+- name: "Configure the MySQL user "
+  community.mysql.mysql_user:
+    login_user: "root"
+    login_password: "{{ mysql_root_password }}"
+    name: "{{ mysql_user }}"
+    password: "{{ mysql_user_password }}"
+    password_expire: "never"
+    update_password: "on_create"