ruby.rails.security.brakeman.check-secrets.check-secrets

Author: semgrep
Found a Brakeman-style secret: a variable whose name contains password or secret, or ends in api_key or rest_auth_site_key (all matched case-insensitively), assigned a non-empty string literal. A credential hard-coded this way lands in version control and in every deployed copy of the application; read it from the environment or an encrypted credential store instead. Because the name check is a substring match for password and secret, identifiers such as password_reset_path are also reported and need a quick manual review.

Definition

rules:
  - id: check-secrets
    patterns:
      - pattern: $VAR = "$VALUE"
      - metavariable-regex:
          metavariable: $VAR
          regex: (?i)password|secret|(rest_auth_site|api)_key$
      - metavariable-regex:
          metavariable: $VALUE
          regex: .+
    message: Found a Brakeman-style secret - a variable with the name
      password/secret/api_key/rest_auth_site_key and a non-empty string literal
      value.
    languages:
      - ruby
    severity: WARNING
    metadata:
      technology:
        - ruby
        - rails
      category: security
      cwe:
        - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
      owasp:
        - A01:2021 - Broken Access Control
      source-rule-url: https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_secrets.rb
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
        - https://github.com/presidentbeef/brakeman/blob/3f5d5d5f00864cdf7769c50f5bd26f1769a4ba75/test/apps/rails3.1/app/controllers/users_controller.rb
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information

Examples

check-secrets.rb

# Semgrep test fixture: "# ruleid:" marks a line the rule must flag, "# ok:" a
# line it must not flag. Only a bare `NAME = "literal"` assignment is matched.
# ruleid: check-secrets
PASSWORD = "superdupersecret"
# A hash argument is not an assignment, so this call is not reported on its own.
http_basic_authenticate_with :name => "superduperadmin", :password => PASSWORD, :only => :create
# ok: check-secrets
secret = get_from_store('somepass')  # value is a method call, not a string literal
# ok: check-secrets
rest_auth_site_key = ""  # empty literal fails the `.+` value check
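The following is an added example, not code from the Semgrep rule or from Brakeman: a plain-Ruby approximation of the two checks the rule definition above applies, run over constructed sample lines that extend the test file's cases. It makes the regex quirk visible (password and secret match anywhere in the name, only api_key and rest_auth_site_key are anchored to the end), and its last sample line shows the hardened form, reading the value via ENV.fetch so no literal is present. The line-based assignment matcher is an approximation of the AST pattern `$VAR = "$VALUE"` and is an assumption of this example; Semgrep itself matches on parsed code.

```ruby
# Added example (not the rule's own code): reproduces the rule's name and
# value tests in plain Ruby over a constructed sample, so the matching
# behaviour can be inspected without running Semgrep.

# Equivalent of the first metavariable-regex clause, (?i) expressed as /i.
# The trailing "$" anchors only the last alternative: "password" and "secret"
# match anywhere in the name, api_key / rest_auth_site_key must be a suffix.
NAME_RE = /password|secret|(rest_auth_site|api)_key$/i

# Second clause: the string literal must be non-empty.
VALUE_RE = /.+/

# Approximation (assumption of this example) of the Semgrep pattern
# `$VAR = "$VALUE"`: an identifier assigned a double-quoted string literal and
# nothing else. Semgrep matches on the AST; this text regex is enough here.
ASSIGN_RE = /\A\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*\z/

# Returns [name, value] when the line is a literal string assignment, else nil.
def literal_assignment(line)
  m = ASSIGN_RE.match(line)
  m && [m[1], m[2]]
end

# Mirrors the rule: report only when both the name and the value tests pass.
def brakeman_style_secret?(line)
  name, value = literal_assignment(line)
  return false if name.nil?
  NAME_RE.match?(name) && VALUE_RE.match?(value)
end

# Scans source text and returns the 1-based numbers of lines that would be flagged.
def flagged_lines(source)
  source.each_line.with_index(1).filter_map do |line, n|
    n if brakeman_style_secret?(line)
  end
end

# Constructed sample input, not taken from any real application.
SAMPLE = <<~RUBY
  PASSWORD = "superdupersecret"
  api_key = "0123456789abcdef"
  password_reset_path = "/users/password/new"
  API_KEY_HEADER = "X-Api-Key"
  secret = get_from_store("somepass")
  rest_auth_site_key = ""
  PASSWORD = ENV.fetch("ADMIN_PASSWORD")
RUBY

if __FILE__ == $PROGRAM_NAME
  flagged_lines(SAMPLE).each do |n|
    puts "line #{n}: #{SAMPLE.lines[n - 1].strip}"
  end
end
```

Lines 1 to 3 are reported: the first two are real hard-coded secrets, the third is a route string whose name happens to contain "password", which is the substring false positive a triage pass should expect. Line 4 is not reported because API_KEY_HEADER does not end in api_key, line 5 because the value is a call, line 6 because the literal is empty, and line 7 because ENV.fetch("ADMIN_PASSWORD") is not a bare string literal, which is exactly why moving the value out of source satisfies the rule.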