
feat(secrets): handle non iac secrets FP #5478

Merged 3 commits into main from handle_non_iac_secret_fp on Aug 23, 2023

Conversation

@maxamel (Contributor) commented Aug 23, 2023

This PR adds the ability to filter out FPs in non-IaC files for cases where secrets are not compatible with the Base64 Entropy case.

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
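The three keyword-secret false-positive heuristics that this PR applies to non-IaC files (keyword at the start of the line, a function call closing the line, and the token appearing on both sides of an assignment in a code file) are shown below as a stand-alone, added example; this is not checkov's code. The bodies of FUNCTION_CALL_AFTER_KEYWORD_REGEX and FOLLOWED_BY_EQUAL_VALUE_KEYWORD_REGEX, the DetectedSecret shape, and the derivation of formatted_line from line are assumptions, since the PR page names them but does not show them; the sample lines are constructed.

```python
"""Added example, not checkov's code: the three keyword-secret FP heuristics
from the reviewed excerpt, re-implemented stand-alone and run over
constructed sample lines.

Assumptions (not shown on the PR page): the regex bodies below, the
DetectedSecret dataclass, and formatted_line being the stripped line.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed pattern: a call expression closing the line, e.g. `get_secret_token()`.
FUNCTION_CALL_AFTER_KEYWORD_REGEX = re.compile(r"\w+\s*\([^()]*\)\s*;?\s*$")
# Assumed pattern: a simple assignment `name = value` (dotted names allowed).
FOLLOWED_BY_EQUAL_VALUE_KEYWORD_REGEX = re.compile(r"^\s*[\w.]+\s*=\s*\S")


@dataclass(frozen=True)
class DetectedSecret:
    """Minimal stand-in for the detector result used in the excerpt (assumed shape)."""
    secret_value: str | None
    line_number: int


def keyword_false_positives(
    line: str, detected: list[DetectedSecret], is_code_file: bool
) -> set[DetectedSecret]:
    """Return the detections on `line` that the three heuristics classify as FPs.

    Detections that survive are the ones a reviewer should still look at.
    """
    formatted_line = line.strip()  # assumed derivation of formatted_line
    secrets_to_remove: set[DetectedSecret] = set()
    for detected_secret in detected:
        # Early exit as in the reviewer's suggestion: nothing to compare against.
        if not detected_secret.secret_value:
            continue
        secret = detected_secret.secret_value
        # 1. The "secret" is really the keyword at the start of the line.
        if formatted_line.startswith(secret):
            secrets_to_remove.add(detected_secret)
        # 2. The line ends in a function call, so the value is computed, not a literal.
        if formatted_line and FUNCTION_CALL_AFTER_KEYWORD_REGEX.search(formatted_line):
            secrets_to_remove.add(detected_secret)
        # 3. In code, `x.token = other.token`: the token is a name on both sides.
        if is_code_file and FOLLOWED_BY_EQUAL_VALUE_KEYWORD_REGEX.search(formatted_line):
            key, value = formatted_line.split("=", 1)
            if secret in key and secret in value:
                secrets_to_remove.add(detected_secret)
    return secrets_to_remove


if __name__ == "__main__":
    # Constructed sample lines; none are taken from a real repository.
    samples = [
        ('password = "hunter2"', "hunter2", True),  # literal value: kept
        ("secret_token = get_secret_token()", "secret_token", True),  # keyword + call: FP
        ("self.api_key = settings.api_key", "api_key", True),  # name on both sides: FP
        ("self.api_key = settings.api_key", "api_key", False),  # same line, not a code file: kept
        ("token: EXAMPLE_TOKEN_PLACEHOLDER", "EXAMPLE_TOKEN_PLACEHOLDER", False),  # kept
    ]
    for text, value, code in samples:
        hit = DetectedSecret(value, 1)
        removed = hit in keyword_false_positives(text, [hit], code)
        verdict = "false positive" if removed else "kept"
        print(f"{verdict:15} code_file={code!s:5} {text}")
```

Running the block prints one verdict per sample line; the literal `"hunter2"` assignment and the YAML-style token survive all three filters, while the keyword-only and name-on-both-sides lines are dropped, and the last one is dropped only when the file is treated as code.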

@maxamel temporarily deployed to scan-security, August 23, 2023 09:31 (GitHub Actions)
@maxamel marked this pull request as ready for review, August 23, 2023 09:36
Comment on lines 181 to 192
if detected_secret.secret_value:
    # Found keyword prefix as potential secret
    if formatted_line.startswith(detected_secret.secret_value):
        secrets_to_remove.add(detected_secret)
    # found a function name at the end of the line
    if formatted_line and FUNCTION_CALL_AFTER_KEYWORD_REGEX.search(formatted_line):
        secrets_to_remove.add(detected_secret)
    # secret value is substring of keywork
    if is_code_file and FOLLOWED_BY_EQUAL_VALUE_KEYWORD_REGEX.search(formatted_line):
        key, value = line.split("=", 1)
        if detected_secret.secret_value in key and detected_secret.secret_value in value:
            secrets_to_remove.add(detected_secret)

Suggested change
if detected_secret.secret_value:
# Found keyword prefix as potential secret
if formatted_line.startswith(detected_secret.secret_value):
secrets_to_remove.add(detected_secret)
# found a function name at the end of the line
if formatted_line and FUNCTION_CALL_AFTER_KEYWORD_REGEX.search(formatted_line):
secrets_to_remove.add(detected_secret)
# secret value is substring of keywork
if is_code_file and FOLLOWED_BY_EQUAL_VALUE_KEYWORD_REGEX.search(formatted_line):
key, value = line.split("=", 1)
if detected_secret.secret_value in key and detected_secret.secret_value in value:
secrets_to_remove.add(detected_secret)
if not detected_secret.secret_value:
continue
# Found keyword prefix as potential secret
if formatted_line.startswith(detected_secret.secret_value):
secrets_to_remove.add(detected_secret)
# found a function name at the end of the line
if formatted_line and FUNCTION_CALL_AFTER_KEYWORD_REGEX.search(formatted_line):
secrets_to_remove.add(detected_secret)
# secret value is substring of keywork
if is_code_file and FOLLOWED_BY_EQUAL_VALUE_KEYWORD_REGEX.search(formatted_line):
key, value = line.split("=", 1)
if detected_secret.secret_value in key and detected_secret.secret_value in value:
secrets_to_remove.add(detected_secret)
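Review bot: the early `continue` at the top of the suggestion assumes this block is the entire remainder of a per-secret loop body, which the excerpt does not show; if anything after the last `secrets_to_remove.add(detected_secret)` still has to run for detections without a `secret_value`, the guard would skip it, so confirm the loop body ends here before taking the suggestion. Two smaller points while these lines are touched: the comment `# secret value is substring of keywork` carries its typo into the suggested lines and should read `keyword`, and the third check runs the regex on `formatted_line` but then does `key, value = line.split("=", 1)`; if `formatted_line` is a normalised copy of `line`, the `=` the regex matched and the one `split` uses can differ, so splitting the same string the regex was run on keeps the two consistent.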

@maxamel temporarily deployed to scan-security, August 23, 2023 11:21 (GitHub Actions)
@maxamel maxamel merged commit 3dc6f47 into main Aug 23, 2023
@maxamel maxamel deleted the handle_non_iac_secret_fp branch August 23, 2023 11:50
SKisContent pushed a commit to SKisContent/checkov that referenced this pull request Aug 23, 2023
* handle non iac secrets FP

* fix mypy issue

* fix according to comments

---------

Co-authored-by: Max Amelchenko <[email protected]>
3 participants