diff --git a/checkov/secrets/runner.py b/checkov/secrets/runner.py index d4818ca4f90..2d0fe8d61c7 100644 --- a/checkov/secrets/runner.py +++ b/checkov/secrets/runner.py @@ -77,6 +77,7 @@ CHECK_ID_TO_SECRET_TYPE = {v: k for k, v in SECRET_TYPE_TO_ID.items()} + MAX_FILE_SIZE = int(os.getenv('CHECKOV_MAX_FILE_SIZE', '5000000')) # 5 MB is default limit @@ -137,7 +138,7 @@ def run( customer_run_config = bc_integration.customer_run_config_response plugins_index = 0 work_dir_obj = None - secret_suppressions_ids: list[str] = [] + secret_suppressions_id: list[str] = [] work_path = str(os.getenv('WORKDIR')) if os.getenv('WORKDIR') else None if work_path is None: work_dir_obj = tempfile.TemporaryDirectory() @@ -147,10 +148,8 @@ def run( policies_list = customer_run_config.get('secretsPolicies', []) suppressions = customer_run_config.get('suppressions', []) if suppressions: - secret_suppressions_ids = [ - suppression['policyId'] for suppression in suppressions - if suppression['suppressionType'] == 'SecretsPolicy' or suppression['suppressionType'] == 'Policy' - ] + secret_suppressions_id = [suppression['policyId'] + for suppression in suppressions if suppression['suppressionType'] == 'SecretsPolicy'] if policies_list: runnable_plugins: dict[str, str] = get_runnable_plugins(policies_list) logging.info(f"Found {len(runnable_plugins)} runnable plugins") @@ -241,7 +240,7 @@ def run( # secret history added_commit_hash, removed_commit_hash, code_line, added_by, removed_date, added_date = '', '', '', '', '', '' if runner_filter.enable_git_history_secret_scan: - enriched_potential_secret = git_history_scanner. \ + enriched_potential_secret = git_history_scanner.\ history_store.get_added_and_removed_commit_hash(key, secret, root_folder) added_commit_hash = enriched_potential_secret.get('added_commit_hash') or '' removed_commit_hash = enriched_potential_secret.get('removed_commit_hash') or '' 
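Review bot: `MAX_FILE_SIZE = int(os.getenv('CHECKOV_MAX_FILE_SIZE', '5000000'))` raises `ValueError` at module import time if the variable holds anything but a decimal integer (e.g. `5MB` or an empty string), which takes down the whole runner instead of just this limit, and it accepts zero or negative values, which would presumably exclude every file wherever the limit is applied (that use is outside this hunk). Parse it defensively: try `int()`, reject values below 1, and on failure log a warning and fall back to the 5 MB default. The trailing comment should also name the unit and the fallback, e.g. `# bytes; overridable via CHECKOV_MAX_FILE_SIZE, falls back to 5 MB on an invalid value`.
```python
_DEFAULT_MAX_FILE_SIZE = 5000000  # bytes (5 MB)
try:
    MAX_FILE_SIZE = int(os.getenv('CHECKOV_MAX_FILE_SIZE', str(_DEFAULT_MAX_FILE_SIZE)))
    if MAX_FILE_SIZE < 1:
        raise ValueError(MAX_FILE_SIZE)
except ValueError:
    logging.warning("Invalid CHECKOV_MAX_FILE_SIZE, falling back to %d bytes", _DEFAULT_MAX_FILE_SIZE)
    MAX_FILE_SIZE = _DEFAULT_MAX_FILE_SIZE
```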
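Review bot: The new comprehension indexes `suppression['policyId']` and `suppression['suppressionType']` directly on entries of the platform's `customer_run_config` response, so a single entry missing either key raises `KeyError` and aborts the entire secrets scan instead of skipping that one suppression; use `.get()` and drop entries without a `policyId`. The list is later probed with `in` once per finding, so a set is the natural container, and the singular name `secret_suppressions_id` for a collection reads as one id — if you switch to a set, the `list[str]` annotation on its initialisation in the preceding hunk changes with it. Suggested: `secret_suppressions_id = {s['policyId'] for s in suppressions if s.get('suppressionType') == 'SecretsPolicy' and s.get('policyId')}`. The enclosing `run` method starts and ends outside this hunk.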
@@ -249,18 +248,21 @@ def run( added_by = enriched_potential_secret.get('added_by') or '' removed_date = enriched_potential_secret.get('removed_date') or '' added_date = enriched_potential_secret.get('added_date') or '' - # run over secret key - if isinstance(secret.secret_value, str) and secret.secret_value: - stripped = secret.secret_value.strip(',"') - if stripped != secret.secret_value: - secret_key = f'{key}_{secret.line_number}_{PotentialSecret.hash_secret(stripped)}' - if secret.secret_value and is_potential_uuid( - secret.secret_value) and secret.check_id not in secrets_in_uuid_form: + # run over secret key + if isinstance(secret.secret_value, str) and secret.secret_value: + stripped = secret.secret_value.strip(',"') + if stripped != secret.secret_value: + secret_key = f'{key}_{secret.line_number}_{PotentialSecret.hash_secret(stripped)}' + if secret.secret_value and is_potential_uuid(secret.secret_value) and secret.check_id not in secrets_in_uuid_form: logging.info( f"Removing secret due to UUID filtering: {PotentialSecret.hash_secret(secret.secret_value)}") continue + if secret_key in secret_records.keys(): + is_prioritise = self._prioritise_secrets(secret_records, secret_key, check_id) + if not is_prioritise: + continue bc_check_id = metadata_integration.get_bc_id(check_id) - if bc_check_id in secret_suppressions_ids: + if bc_check_id in secret_suppressions_id: logging.debug(f'Secret was filtered - check {check_id} was suppressed') continue severity = metadata_integration.get_severity(check_id) @@ -269,10 +271,6 @@ def run( logging.debug( f'Check was suppress - should_run_check. check_id {check_id}') continue - if secret_key in secret_records.keys(): - is_prioritise = self._prioritise_secrets(secret_records, secret_key, check_id) - if not is_prioritise: - continue result: _CheckResult = {'result': CheckResult.FAILED} try: if runner_filter.enable_git_history_secret_scan and code_line is not None:
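Review bot: The relocated `if secret_key in secret_records.keys():` block now calls `_prioritise_secrets` before the `bc_check_id in secret_suppressions_id` and `should_run_check` filters, so a finding that is about to be suppressed still takes part in prioritisation; if `_prioritise_secrets` replaces or evicts the existing entry in `secret_records` (its body is outside this hunk), a suppressed duplicate could displace a non-suppressed one and the secret would then be reported under neither check. Either confirm that `_prioritise_secrets` does not mutate `secret_records` when it returns true, or record the intended precedence in a comment above the check so the next reader does not move it back. The membership test should also read `if secret_key in secret_records:` — `.keys()` is redundant for a dict. The enclosing `run` method starts and ends outside this hunk.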