Skip to content

Commit

Permalink
fix(secrets regex): added "Avoiding Secrets Manager arn" (Checkmarx#5048
Browse files Browse the repository at this point in the history 
)
  • Loading branch information
@rafaela-soares
rafaela-soares authored Mar 28, 2022
1 parent 042f2d7 commit daeae25
Show file tree
Hide file tree
Showing 2 changed files with 29 additions and 0 deletions.
4 changes: 4 additions & 0 deletions assets/queries/common/passwords_and_secrets/regex_rules.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,10 @@
{
"description": "Avoiding TF resource access",
"regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*=\\s*([a-zA-z_]+(.))?[a-zA-z_]+(.)[a-zA-z_]+(.)[a-zA-z_]+"
},
{
"description": "Avoiding Secrets Manager arn",
"regex": ":secretsmanager:[a-z0-9-]+:[0-9]+:(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9\/~^_!@&%()=?*+-]{10,})['\"]?"
}
]
},
Expand Down
25 changes: 25 additions & 0 deletions assets/queries/common/passwords_and_secrets/test/negative48.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
Type: AWS::Glue::Connection
Properties:
CatalogId: "1111111111111"
ConnectionInput:
ConnectionProperties:
CONNECTION_URL:
Fn::Join:
- ""
- - "mongodb://{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:endpoint::}}/test
USERNAME:
Fn::Join:
- ""
- - "{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:username::}}
PASSWORD:
Fn::Join:
- ""
- - "{{resolve:secretsmanager:arn:"
- Ref: AWS::Partition
- :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:password::}}
JDBC_ENFORCE_SSL: true
ConnectionType: MONGODB

0 comments on commit daeae25

Please sign in to comment.