Newsecrets #5
base: main
Conversation
| provider "aws" { | ||
| # checkov:skip=CKV_SECRET_2:nah | ||
| access_key = "AKIAIOSFODNN7EXAMPLE" | ||
| secret_key = "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" | ||
| } No newline at end of file |
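Review bot: the `# checkov:skip=CKV_SECRET_2:nah` line suppresses only the AWS Access Key secret check and gives no justification ("nah"), while the hard-coded `access_key` and `secret_key` remain and the "AWS access keys and secrets are hard coded in infrastructure" failure still fires on this block. Remove the skip together with both credential lines, let the provider pick up credentials from its normal chain (environment variables, shared credentials file or an instance/role identity), and treat the committed pair as exposed, because it stays in the repository history after the lines are deleted.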
Check failure
Code scanning / checkov
AWS access keys and secrets are hard coded in infrastructure
| provider "aws" { | ||
| access_key = "AKIAIOSFODNN7EXAMPLE" | ||
| secret_key = "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" | ||
| } No newline at end of file |
Check failure
Code scanning / checkov
AWS access keys and secrets are hard coded in infrastructure
| secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY" | ||
| } No newline at end of file |
Check notice
Code scanning / checkov
Base64 High Entropy String
| access_key = "AKIAIOSFODNN7EXAMPLE" | ||
| secret_key = "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" |
Check failure
Code scanning / checkov
AWS Access Key
Prisma Cloud has found errors in this PR ⬇️
| @@ -0,0 +1,4 @@ | |||
| provider "aws" { | |||
AWS access keys and secrets are hard coded in infrastructure
Resource: aws.default | Bridgecrew ID: BC_AWS_SECRETS_5 | Checkov ID: CKV_AWS_41
How to Fix
provider "aws" {
region = var.region
- access_key = "NOTEXACTLYAKEY"
- secret_key = "NOTACTUALLYASECRET"
}
Description
When accessing AWS programmatically, users can select to use an access key to verify their identity, and the identity of their applications. An access key consists of an access key ID and a secret access key. Anyone with an access key has the same level of access to AWS resources. We recommend you protect access keys and keep them private. Specifically, do not store hard coded keys and secrets in infrastructure such as code, or other version-controlled configuration settings.
Benchmarks
- PCI-DSS V3.2 2
| const CIRCLE_CI = "2065ae463be5e534bb1d074a366d44e7a776d472" | ||
| const JIRA = "5FP0NmFYz81U32XdjNb42762" | ||
| SEC_1 = "ghp_3xyKmc3fgfuhireuhgdeag" | ||
| SEC_2 = "eyJrIjoiNUwyZU7TMmRxQXNVcnR7UXB0ME4zYkhRaTk2STVhR0MiLCJuIjoidGVtcCIsImlkIjoxfQ==" |
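Review bot: all four constants here carry credential-shaped literals (a 40-character hex token, a Jira key, a `ghp_`-prefixed token and a base64 blob) and nothing marks them as placeholders, so a reader cannot tell test data from live secrets. Keep the constant names but read the values from the environment or a secret store at load time, and if any of these values was ever valid, revoke it: deleting the line in a later commit does not remove it from history.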
Base64 High Entropy Strings
Resource: f9211d97d53b71f98c81ca5fe8aad09ad956e7c1 | Bridgecrew ID: BC_GIT_6 | Checkov ID: CKV_SECRET_6
Description
Entropy checks help detect unstructured secrets by measuring the entropy level of a single string. Entropy is a concept used to assign a numerical score to how unpredictable a password is or the likelihood of highly random data in a string of characters. Strings with a high entropy score are flagged as suspected secrets.
| @@ -0,0 +1,2 @@ | |||
| const CIRCLE_CI = "2065ae463be5e534bb1d074a366d44e7a776d472" | |||
| const JIRA = "5FP0NmFYz81U32XdjNb42762" No newline at end of file | |||
Atlassian Oauth2 Keys
Resource: ca5a7a58eecd8ca88771b5c8d82ea36e1560a968 | Bridgecrew ID: BC_GIT_25 | Checkov ID: CKV_SECRET_25
Description
OAuth is an authorization protocol that contains an authentication step. OAuth allows a user (resource owner) to grant a third-party application (consumer/client) access to their information on another site (resource). This process is commonly known as the OAuth dance. Jira uses 3-legged OAuth (3LO), which means that the user is involved by authorizing access to their data on the resource (as opposed to 2-legged OAuth, where the user is not involved). In Jira, a client is authenticated as the user involved in the OAuth dance and is authorized to have read and write access as that user. The data that can be retrieved and changed by the client is controlled by the user's permissions in Jira.
The authorization process works by getting the resource owner to grant access to their information on the resource by authorizing a request token. This request token is used by the consumer to obtain an access token from the resource. Once the client has an access token, it can use the access token to make authenticated requests to the resource until the token expires or is revoked.
| SEC_1 = "ghp_3xyKmc3fgfuhireuhgdeag" | ||
| SEC_2 = "eyJrIjoiNUwyZU7TMmRxQXNVcnR7UXB0ME4zYkhRaTk2STVhR0MiLCJuIjoidGVtcCIsImlkIjoxfQ==" | ||
| SEC_3 = "dsapi45202d12abdce73c004a9e0be24a21b2" | ||
| AWS_User=Admin |
Databricks Authentication Token
Resource: bf211b2046d950ff1637fa386d24008a76b4a267 | Bridgecrew ID: BC_GIT_33 | Checkov ID: CKV_SECRET_33
Description
To authenticate to and access Databricks REST APIs, you can use Databricks personal access tokens or passwords. Databricks strongly recommends that you use tokens. Tokens replace passwords in an authentication flow and should be protected like passwords. To protect tokens, Databricks recommends that you store tokens in:
* Secret management and retrieve tokens in notebooks using the Secrets utility (dbutils.secrets).
* A local key store and use the Python keyring package to retrieve tokens at runtime.
| @@ -0,0 +1,4 @@ | |||
| provider "aws" { | |||
| access_key = "AKIAIOSFODNN7EXAMPLE" | |||
| secret_key = "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" | |||
Base64 High Entropy Strings
Resource: c00f1a6e4b20aa64691d50781b810756d6254b8e | Bridgecrew ID: BC_GIT_6 | Checkov ID: CKV_SECRET_6
Description
Entropy checks help detect unstructured secrets by measuring the entropy level of a single string. Entropy is a concept used to assign a numerical score to how unpredictable a password is or the likelihood of highly random data in a string of characters. Strings with a high entropy score are flagged as suspected secrets.
| @@ -0,0 +1,2 @@ | |||
| const CIRCLE_CI = "2065ae463be5e534bb1d074a366d44e7a776d472" | |||
CircleCI Personal Token (Invalid)
Resource: dc2d287afbb58f52653293de4a2d49cbf3d9c293 | Bridgecrew ID: BC_GIT_29 | Checkov ID: CKV_SECRET_29
Description
To use the CircleCI API or view details about your pipelines, you will need API tokens with the appropriate permissions. This document describes the types of API tokens available, as well as how to create and delete them. There are two types of API token you can create within CircleCI.
Personal: These tokens are used to interact with the CircleCI API and grant full read and write permissions.
Project: These tokens allow you to read/write information for specific projects. Project tokens have three scope options: Status, Read Only, and Admin.
- Status tokens grant read access to the project’s build statuses. Useful for embedding status badges.
- Read Only tokens grant read only access to the project’s API.
- Admin tokens grant read and write access for the project’s API.
| @@ -0,0 +1,4 @@ | |||
| provider "aws" { | |||
| access_key = "AKIAIOSFODNN7EXAMPLE" | |||
AWS Access Keys
Resource: 25910f981e85ca04baf359199dd0bd4a3ae738b6 | Bridgecrew ID: BC_GIT_2 | Checkov ID: CKV_SECRET_2
Description
AWS Access Keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
| provider "aws" { | ||
| # checkov:skip=CKV_SECRET_2:nah | ||
| access_key = "AKIAIOSFODNN7EXAMPLE" | ||
| secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY" |
Base64 High Entropy Strings
Resource: c00f1a6e4b20aa64691d50781b810756d6254b8e | Bridgecrew ID: BC_GIT_6 | Checkov ID: CKV_SECRET_6
Description
Entropy checks help detect unstructured secrets by measuring the entropy level of a single string. Entropy is a concept used to assign a numerical score to how unpredictable a password is or the likelihood of highly random data in a string of characters. Strings with a high entropy score are flagged as suspected secrets.
| SEC_3 = "dsapi45202d12abdce73c004a9e0be24a21b2" | ||
| AWS_User=Admin | ||
| AWSUser_Password="idsuhgpry9349ge485rgh5gn594g45" | ||
| CI = "2065ae463be5e534gnedribguirdegd44e7a776d472" |
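Review bot: `AWS_User=Admin` followed by `AWSUser_Password="..."` stores a privileged username and its password side by side in plaintext, which is a problem whether or not the entropy check fires on the password; the `CI` value on the last line shares its prefix and suffix with the `CIRCLE_CI` token above, so it reads as a hand-edited copy rather than a placeholder. Move both into a secret store and give automation its own least-privilege identity instead of an `Admin` account.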
Base64 High Entropy Strings
Resource: e8d18673b2be9b3016068b9cc985d9b3c828b702 | Bridgecrew ID: BC_GIT_6 | Checkov ID: CKV_SECRET_6
Description
Entropy checks help detect unstructured secrets by measuring the entropy level of a single string. Entropy is a concept used to assign a numerical score to how unpredictable a password is or the likelihood of highly random data in a string of characters. Strings with a high entropy score are flagged as suspected secrets.
| @@ -0,0 +1,5 @@ | |||
| provider "aws" { | |||
AWS access keys and secrets are hard coded in infrastructure
Resource: aws.default | Bridgecrew ID: BC_AWS_SECRETS_5 | Checkov ID: CKV_AWS_41
How to Fix
provider "aws" {
region = var.region
- access_key = "NOTEXACTLYAKEY"
- secret_key = "NOTACTUALLYASECRET"
}
Description
When accessing AWS programmatically, users can select to use an access key to verify their identity, and the identity of their applications. An access key consists of an access key ID and a secret access key. Anyone with an access key has the same level of access to AWS resources. We recommend you protect access keys and keep them private. Specifically, do not store hard coded keys and secrets in infrastructure such as code, or other version-controlled configuration settings.
Benchmarks
- PCI-DSS V3.2 2
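The entropy check that the checkov comments above describe (score a quoted string by its Shannon entropy and flag it above a per-alphabet threshold), as an added example that is not part of this PR or of checkov itself. It assumes the detect-secrets default limits of 3.0 bits for hex and 4.5 for base64, a 20-character candidate floor of its own choosing, and pairs the entropy scoring with a prefix pattern for AWS access key IDs to show why the `AKIA...` key ID in the diff is caught by a pattern check rather than by entropy:

```python
import math
import re
from collections import Counter

HEX_CHARS = set("0123456789abcdefABCDEF")
BASE64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "abcdefghijklmnopqrstuvwxyz0123456789+/=")
# Assumed thresholds, mirroring detect-secrets defaults (checkov builds on it).
HEX_LIMIT, BASE64_LIMIT = 3.0, 4.5
# Candidates: quoted literals of 20+ alphabet chars (floor is this example's choice).
CANDIDATE = re.compile(r"""["']([A-Za-z0-9+/=]{20,})["']""")
# Pattern check: AWS key IDs are 20 chars starting AKIA (long-term) or ASIA (temporary).
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

def shannon_entropy(data: str) -> float:
    """Shannon entropy of data in bits per character."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(literal: str):
    """(kind, entropy) when the literal beats its alphabet's limit, else None.
    Hex is tried first because every hex string is also valid base64."""
    chars = set(literal)
    if chars <= HEX_CHARS:
        kind, limit = "hex", HEX_LIMIT
    elif chars <= BASE64_CHARS:
        kind, limit = "base64", BASE64_LIMIT
    else:
        return None
    h = shannon_entropy(literal)
    return (kind, round(h, 3)) if h > limit else None

def scan(text: str):
    """Return [(line_no, finding, value)] from both detection styles."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for key_id in AWS_KEY_ID.findall(line):
            hits.append((no, "aws-access-key-id", key_id))
        for lit in CANDIDATE.findall(line):
            res = classify(lit)
            if res:
                hits.append((no, f"high-entropy-{res[0]}:{res[1]}", lit))
    return hits

# Constructed sample reusing the placeholder values shown in the diff above.
SAMPLE = '''provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY"
}
const CIRCLE_CI = "2065ae463be5e534bb1d074a366d44e7a776d472"
'''
```

Run `scan(SAMPLE)`: the secret key scores about 4.60 bits, just over the base64 limit, and the hex token about 3.46, while the access key ID scores only about 3.68 and is reported solely by the `AKIA` pattern, which is why structured credentials need a pattern check alongside entropy.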