Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(query): passwords and secrets - generic secrets with fp results #7087

Merged
merged 6 commits into from
Jun 6, 2024
Merged

fix(query): passwords and secrets - generic secrets with fp results #7087

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
4186346
fix(query): passwords and secrets - generic secrets with fp results
ArturRibeiro-CX May 28, 2024
35f6a15
Merge branch 'master' into AST-43696
ArturRibeiro-CX May 28, 2024
6305124
Merge branch 'master' into AST-43696
ArturRibeiro-CX May 28, 2024
a9378e7
Merge branch 'master' into AST-43696
ArturRibeiro-CX May 29, 2024
4d1215b
Merge branch 'master' into AST-43696
ArturRibeiro-CX Jun 5, 2024
1e91401
Merge branch 'master' into AST-43696
gabriel-cx Jun 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions assets/queries/common/passwords_and_secrets/regex_rules.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,10 @@
{
"description": "Avoiding CloudFormation Parameters Descriptions",
"regex": "['\"]?Description['\"]?\\s*[:=]\\s*['\"]?([A-Za-z0-9/~^_!@&%()=?*${}+-.'\"]+)['\"]?"
},
{
"description": "Avoiding Secrets from Azure Key Vault",
"regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?[${]+[A-Za-z0-9/~^_!@&%()=?*+-]+}?"
}
],
"specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*"
Expand Down
74 changes: 74 additions & 0 deletions assets/queries/common/passwords_and_secrets/test/negative58.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
name: Deploy
on:
workflow_call:
inputs:
environment:
description: Github environment
required: false
type: string
githubRunner:
description: github runner lables
type: string
required: false
helmInstall:
description: install the helm release
type: string
required: false
default: true
jobs:
push_deploy:
environment: ${{ inputs.environment }}
runs-on: ${{ fromJSON(inputs.githubRunner) }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-tags: true
fetch-depth: 0
- name: Get secrets from Azure Key Vault
run: |
set -e
vault_name="${{ vars.AZURE_KV }}"
auth0_client_id=$(az keyvault secret show --vault-name $vault_name --name cel-auth0-client-id --query "value" -o tsv)
auth0_client_secret=$(az keyvault secret show --vault-name $vault_name --name cel-auth0-client-secret --query "value" -o tsv)
restapi_mgt_appid=$(az keyvault secret show --vault-name $vault_name --name cel-restapi-mgt-appid --query "value" -o tsv)
restapi_mgt_appsec=$(az keyvault secret show --vault-name $vault_name --name cel-restapi-mgt-appsec --query "value" -o tsv)
cel_projectmgr_db_user=$(az keyvault secret show --vault-name $vault_name --name cel-projectmgr-db-user --query "value" -o tsv)
cel_projectmgr_db_password=$(az keyvault secret show --vault-name $vault_name --name cel-projectmgr-db-password --query "value" -o tsv)
cel_project_export_key=$(az keyvault secret show --vault-name $vault_name --name cel-project-export-key --query "value" -o tsv)
# This escapes the commas in the vars.AUTH0_CNX_LIST env. variable by adding a backslash in front of it
auth0_cnx_list=$(echo ${{ vars.AUTH0_CNX_LIST }} | sed 's/,/\\,/')
# Mask secrets
echo "::add-mask::$auth0_client_id"
echo "::add-mask::$auth0_client_secret"
echo "::add-mask::$restapi_mgt_appid"
echo "::add-mask::$restapi_mgt_appsec"
echo "::add-mask::$cel_projectmgr_db_user"
echo "::add-mask::$cel_projectmgr_db_password"
echo "::add-mask::$cel_project_export_key"
echo "AUTH0_CLIENT_ID=$auth0_client_id" >> $GITHUB_ENV
echo "AUTH0_CLIENT_SECRET=$auth0_client_secret" >> $GITHUB_ENV
echo "RESTAPI_MGT_APPID=$restapi_mgt_appid" >> $GITHUB_ENV
echo "RESTAPI_MGT_APPSEC=$restapi_mgt_appsec" >> $GITHUB_ENV
echo "CEL_PROJECTMGR_DB_USER=$cel_projectmgr_db_user" >> $GITHUB_ENV
echo "CEL_PROJECTMGR_DB_PASSWORD=$cel_projectmgr_db_password" >> $GITHUB_ENV
echo "CEL_PROJECT_EXPORT_KEY=$cel_project_export_key" >> $GITHUB_ENV
echo "AUTH0_CNX_LIST=$auth0_cnx_list" >> $GITHUB_ENV
- name: Get EA secrets from Azure Key Vault
if: ${{ inputs.environment == 'ea' }}
run: |
set -e
vault_name="${{ vars.AZURE_KV }}"
auth0_client_id=$(az keyvault secret show --vault-name $vault_name --name cel-auth0-client-id-${{ inputs.environment }} --query value -o tsv)
auth0_client_secret=$(az keyvault secret show --vault-name $vault_name --name cel-auth0-client-secret-${{ inputs.environment }} --query value -o tsv)
restapi_mgt_appid=$(az keyvault secret show --vault-name $vault_name --name cel-restapi-mgt-appid-${{ inputs.environment }} --query value -o tsv)
restapi_mgt_appsec=$(az keyvault secret show --vault-name $vault_name --name cel-restapi-mgt-appsec-${{ inputs.environment }} --query value -o tsv)
# Mask secrets
echo "::add-mask::$auth0_client_id"
echo "::add-mask::$auth0_client_secret"
echo "::add-mask::$restapi_mgt_appid"
echo "::add-mask::$restapi_mgt_appsec"
echo "AUTH0_CLIENT_ID=${auth0_client_id}" >> $GITHUB_ENV
echo "AUTH0_CLIENT_SECRET=${auth0_client_secret}" >> $GITHUB_ENV
echo "RESTAPI_MGT_APPID=${restapi_mgt_appid}" >> $GITHUB_ENV
echo "RESTAPI_MGT_APPSEC=${restapi_mgt_appsec}" >> $GITHUB_ENV
Loading