yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file

Author: semgrep

Secrets ($VALUE) should not be stored in infrastructure as code files. Use an alternative such as Bitnami Sealed Secrets or KSOPS to encrypt Kubernetes Secrets.

Definition

rules:
  - id: secrets-in-config-file
    patterns:
      - pattern: |
          $KEY: $VALUE
      - pattern-inside: |
          data: ...
      - pattern-inside: |
          kind: Secret
          ...
      - metavariable-regex:
          metavariable: $VALUE
          # base64 alphabet with up to two '=' padding characters
          regex: (?i)^[A-Za-z0-9+/]+={0,2}$
      - metavariable-analysis:
          analyzer: entropy
          metavariable: $VALUE
    message: "Secrets ($VALUE) should not be stored in infrastructure as code files.
      Use an alternative such as Bitnami Sealed Secrets or KSOPS to encrypt
      Kubernetes Secrets."
    metadata:
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      category: security
      technology:
        - kubernetes
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      references:
        - https://kubernetes.io/docs/concepts/configuration/secret/
        - https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/0/CTR_Kubernetes_Hardening_Guidance_1.1_20220315.PDF
        - https://docs.gitlab.com/ee/user/clusters/agent/gitops/secrets_management.html
        - https://www.cncf.io/blog/2021/04/22/revealing-the-secrets-of-kubernetes-secrets/
        - https://github.com/bitnami-labs/sealed-secrets
        - https://www.cncf.io/blog/2022/01/25/secrets-management-essential-when-using-kubernetes/
        - https://blog.oddbit.com/post/2021-03-09-getting-started-with-ksops/
      owasp:
        - A07:2021 - Identification and Authentication Failures
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      vulnerability_class:
        - Hard-coded Secrets
    languages:
      - yaml
    severity: WARNING

Examples

secrets-in-config-file.test.yaml

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  # ruleid: secrets-in-config-file
  USER NAME: Y2FsZWJraW5uZXk=
  # ok: secrets-in-config-file
  UUID: {UUID}
  # ruleid: secrets-in-config-file
  PASSWORD: UzNjcmV0UGEkJHcwcmQ=
  # ok: secrets-in-config-file
  SERVER: cHJvZA==
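The rule above combines three checks: the match must sit under `data:` of a `kind: Secret` object, the value must look like base64, and the value must have high entropy. The following added example (not part of the Semgrep rule or its test file) re-implements that logic in plain Python over a constructed copy of the test manifest, so you can see why the two `ruleid` entries fire and the two `ok` entries do not. The entropy cut-off of 3.0 bits per character is an assumption chosen to reproduce the test annotations; Semgrep's own `entropy` analyzer applies its own criteria, and the line-based scanner only handles the flat manifest layout shown above.

```python
import math
import re
from collections import Counter

# Constructed sample manifest (mirrors the rule's test file above).
MANIFEST = """apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  USER NAME: Y2FsZWJraW5uZXk=
  UUID: {UUID}
  PASSWORD: UzNjcmV0UGEkJHcwcmQ=
  SERVER: cHJvZA==
"""
# Base64 alphabet plus up to two '=' padding chars (what the rule's metavariable-regex intends).
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
ENTROPY_THRESHOLD = 3.0  # assumed bits/char cut-off, chosen to reproduce the test annotations

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def data_entries(manifest: str):
    """Yield (key, value) pairs from the top-level data: block of a kind: Secret manifest.
    Simplified line scan: handles only the flat, two-space-indented form of the test file."""
    lines = manifest.splitlines()
    if not any(ln.strip() == "kind: Secret" for ln in lines):
        return  # the rule's pattern-inside requires kind: Secret
    in_data = False
    for ln in lines:
        if ln.startswith("data:"):
            in_data = True
        elif in_data and not ln.startswith("  "):
            return  # dedent closes the data: mapping
        elif in_data and ":" in ln and not ln.lstrip().startswith("#"):
            key, _, value = ln.strip().partition(":")
            yield key.strip(), value.strip()

def find_hardcoded_secrets(manifest: str) -> list[tuple[str, float]]:
    """Return (key, entropy) for data: values that look like base64 and are high-entropy."""
    findings = []
    for key, value in data_entries(manifest):
        bits = shannon_entropy(value)
        if BASE64_RE.match(value) and bits >= ENTROPY_THRESHOLD:
            findings.append((key, round(bits, 2)))
    return findings
```

Calling `find_hardcoded_secrets(MANIFEST)` reports `USER NAME` and `PASSWORD`; `UUID` fails the base64 check because of its braces, and `SERVER` (`cHJvZA==`, 2.75 bits/char) falls under the threshold, matching the `ok` annotations.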