yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file

rules:
  - id: secrets-in-config-file
    patterns:
      - pattern: |
          $KEY: $VALUE
      - pattern-inside: |
          data: ...
      - pattern-inside: |
          kind: Secret
          ...
      - metavariable-regex:
          metavariable: $VALUE
          regex: (?i)^[aA-zZ0-9+/]+={0,2}$
      - metavariable-analysis:
          analyzer: entropy
          metavariable: $VALUE
    message: "Secrets ($VALUE) should not be stored in infrastructure as code
      files.  Use an alternative such as Bitnami Sealed Secrets or KSOPS to
      encrypt Kubernetes Secrets. "
    metadata:
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      category: security
      technology:
        - kubernetes
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      references:
        - https://kubernetes.io/docs/concepts/configuration/secret/
        - https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/0/CTR_Kubernetes_Hardening_Guidance_1.1_20220315.PDF
        - https://docs.gitlab.com/ee/user/clusters/agent/gitops/secrets_management.html
        - https://www.cncf.io/blog/2021/04/22/revealing-the-secrets-of-kubernetes-secrets/
        - https://github.com/bitnami-labs/sealed-secrets
        - https://www.cncf.io/blog/2022/01/25/secrets-management-essential-when-using-kubernetes/
        - https://blog.oddbit.com/post/2021-03-09-getting-started-with-ksops/
      owasp:
        - A07:2021 - Identification and Authentication Failures
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
    languages:
      - yaml
    severity: WARNING