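def scan_resource_conf(self, conf):
    """Fail when the resource's ``user_data`` holds a hard-coded secret of the ``AWS`` category.

    Args:
        conf: Parsed resource attributes; ``user_data`` is read as a list whose
            first element is the script text.

    Returns:
        ``CheckResult.FAILED`` when ``string_has_secrets`` matches, otherwise
        ``CheckResult.PASSED`` (including when ``user_data`` is absent, empty
        or not a string).
    """
    user_data = conf.get("user_data")
    # Guard the [0] access: an empty or missing value would otherwise raise
    # instead of yielding a verdict.
    if user_data and isinstance(user_data[0], str):
        if string_has_secrets(user_data[0], AWS):
            return CheckResult.FAILED
    return CheckResult.PASSED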
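def scan_resource_conf(self, conf):
    """Fail when a Lambda environment variable value holds an ``AWS`` or ``GENERAL`` secret.

    Args:
        conf: Parsed resource attributes. ``environment`` is read as a list
            whose first element is a block dict; its ``variables`` entry is
            normalised with ``force_list`` and only scanned when the first
            element is a dict of name -> value(s).

    Returns:
        ``CheckResult.FAILED`` on the first string value that
        ``string_has_secrets`` flags, otherwise ``CheckResult.PASSED``.
    """
    environment = conf.get("environment", [])
    if not environment or not isinstance(environment[0], dict):
        return CheckResult.PASSED
    # variables can be a string, which in this case it points to a variable
    variables = force_list(environment[0].get("variables", []))
    # Guard the [0] access: an empty variables block must not raise.
    if not variables or not isinstance(variables[0], dict):
        return CheckResult.PASSED
    for values in variables[0].values():
        for value in force_list(values):
            if isinstance(value, str) and string_has_secrets(value, AWS, GENERAL):
                return CheckResult.FAILED
    return CheckResult.PASSED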
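def scan_resource_conf(self, conf):
    """Fail when a CloudFormation ``Properties.UserData`` value holds an ``AWS`` secret.

    Args:
        conf: Parsed CloudFormation resource; ``Properties`` is expected to be
            a mapping. Any ``UserData`` shape is accepted because it is cast to
            a string before scanning.

    Returns:
        ``CheckResult.FAILED`` when ``string_has_secrets`` matches the text
        form of ``UserData``, otherwise ``CheckResult.PASSED``.
    """
    properties = conf.get("Properties")
    if isinstance(properties, dict) and "UserData" in properties:
        # Cast to string as user data object can look slightly different depending
        # on Yaml or JSON CF Templates and how the B64 conversion is done.
        # NOTE(review): a UserData literal that is already base64-encoded is
        # scanned as-is; patterns inside the encoded text would not match.
        user_data_str = str(properties["UserData"])
        if string_has_secrets(user_data_str, AWS):
            return CheckResult.FAILED
    return CheckResult.PASSED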
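def scan_resource_conf(self, conf):
    """Fail when ``os_profile.custom_data`` holds a secret of any category.

    Args:
        conf: Parsed resource attributes; ``os_profile`` is read as a list
            whose first element is a block dict, and ``custom_data`` inside it
            as a list whose first element is the script text.

    Returns:
        ``CheckResult.FAILED`` when ``string_has_secrets`` (no category
        filter) matches, otherwise ``CheckResult.PASSED``.
    """
    os_profile = conf.get("os_profile")
    if not os_profile:
        return CheckResult.PASSED
    os_profile = os_profile[0]
    # The block may be parsed as something other than a dict (the typed
    # variant of this check guards the same way); only a dict can be inspected.
    if not isinstance(os_profile, dict):
        return CheckResult.PASSED
    custom_data = os_profile.get("custom_data")
    if custom_data:
        custom_data = custom_data[0]
        if isinstance(custom_data, str) and string_has_secrets(custom_data):
            return CheckResult.FAILED
    return CheckResult.PASSED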
def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
    """Fail when ``os_profile.custom_data`` holds a secret of any category.

    Args:
        conf: Parsed resource attributes; ``os_profile`` is a list whose first
            element should be a block dict, and ``custom_data`` inside it a
            list whose first element is the script text.

    Returns:
        ``CheckResult.FAILED`` when ``string_has_secrets`` matches, otherwise
        ``CheckResult.PASSED``.
    """
    profiles = conf.get("os_profile")
    if not profiles:
        return CheckResult.PASSED
    profile = profiles[0]
    # Only a block dict can carry custom_data; anything else is not inspected.
    if not isinstance(profile, dict):
        return CheckResult.PASSED
    custom_data_values = profile.get("custom_data")
    if not custom_data_values:
        return CheckResult.PASSED
    script = custom_data_values[0]
    if isinstance(script, str) and string_has_secrets(script):
        return CheckResult.FAILED
    return CheckResult.PASSED
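def scan_resource_conf(self, conf):
    """Fail when any CloudFormation ``Environment.Variables`` value holds a secret of any category.

    Args:
        conf: Parsed CloudFormation resource. ``Properties``, ``Environment``
            and ``Variables`` are each expected to be mappings; a non-mapping
            at any level means there is nothing to scan.

    Returns:
        ``CheckResult.FAILED`` on the first value whose ``str()`` form
        ``string_has_secrets`` flags, otherwise ``CheckResult.PASSED``.
    """
    properties = conf.get("Properties")
    if not isinstance(properties, dict):
        return CheckResult.PASSED
    environment = properties.get("Environment")
    if not isinstance(environment, dict):
        return CheckResult.PASSED
    variables = environment.get("Variables")
    if not isinstance(variables, dict):
        return CheckResult.PASSED
    for value in variables.values():
        # Non-string values (nested mappings) are scanned via their text form.
        if string_has_secrets(str(value)):
            return CheckResult.FAILED
    return CheckResult.PASSED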
def test_secrets(self):
    """Check how category arguments select which samples ``string_has_secrets`` flags."""
    samples = [
        'AKIAIOSFODNN7EXAMPLE',
        'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
        '-----BEGIN RSA PRIVATE KEY-----\n',
        'Hello from Bridgecrew'
    ]

    def hits(*categories):
        # Number of samples flagged when scanning with the given categories.
        return sum(1 for sample in samples if string_has_secrets(sample, *categories))

    # check that no category checks all
    self.assertEqual(3, hits())
    # check one category
    self.assertEqual(2, hits(AWS))
    # check two categories
    self.assertEqual(3, hits(AWS, GENERAL))
    # check explicit all
    self.assertEqual(3, hits(ALL))
    # check explicit all plus another category
    self.assertEqual(3, hits(ALL, AWS))
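def scan_resource_conf(self, conf):
    """Fail when a CloudFormation ``Environment.Variables`` value holds an ``AWS`` or ``GENERAL`` secret.

    Args:
        conf: Parsed CloudFormation resource. ``Properties``, ``Environment``
            and ``Variables`` are each expected to be mappings; a non-mapping
            at any level means there is nothing to scan.

    Returns:
        ``CheckResult.FAILED`` on the first flagged value, otherwise
        ``CheckResult.PASSED``.

    Side effects:
        ``self.evaluated_keys`` starts as the ``Variables`` path and is
        narrowed to the offending variable's path on failure.
    """
    self.evaluated_keys = ['Properties/Environment/Variables']
    properties = conf.get("Properties")
    if not isinstance(properties, dict):
        return CheckResult.PASSED
    environment = properties.get("Environment")
    if not isinstance(environment, dict):
        return CheckResult.PASSED
    variables = environment.get("Variables")
    if not isinstance(variables, dict):
        return CheckResult.PASSED
    for var_name, value in variables.items():
        # Non-string values (nested mappings) are scanned via their text form.
        if string_has_secrets(str(value), AWS, GENERAL):
            self.evaluated_keys = [
                f'Properties/Environment/Variables/{var_name}'
            ]
            return CheckResult.FAILED
    return CheckResult.PASSED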
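def scan_resource_conf(self, conf):
    """Fail when a Lambda environment variable value holds an ``AWS`` secret.

    Args:
        conf: Parsed resource attributes. ``environment`` is read as a list
            whose first element is a block dict; its ``variables`` entry is
            normalised with ``force_list`` and only scanned when the first
            element is a dict of name -> value(s).

    Returns:
        ``CheckResult.FAILED`` on the first string value that
        ``string_has_secrets`` flags, otherwise ``CheckResult.PASSED``.

    Side effects:
        ``self.evaluated_keys`` is set to the scanned path. It is a list, as
        in the other checks that report evaluated keys; the previous bare
        string value did not match that shape.
    """
    self.evaluated_keys = ['environment/[0]/variables']
    environment = conf.get('environment', [])
    # Guard the [0] accesses: an empty environment or variables block must
    # not raise.
    if not environment or not isinstance(environment[0], dict):
        return CheckResult.PASSED
    variables = force_list(environment[0].get('variables', []))
    if not variables or not isinstance(variables[0], dict):
        return CheckResult.PASSED
    # variables can be a string, which in this case it points to a variable
    for values in variables[0].values():
        for value in force_list(values):
            if isinstance(value, str) and string_has_secrets(value, AWS):
                return CheckResult.FAILED
    return CheckResult.PASSED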
def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
    """Fail when any Lambda environment variable value holds an ``AWS`` or ``GENERAL`` secret.

    Args:
        conf: Parsed resource attributes. ``environment`` is a list whose
            first element should be a block dict; its ``variables`` entry is
            normalised with ``force_list`` and scanned only when the first
            element is a dict of name -> value(s).

    Returns:
        ``CheckResult.FAILED`` if at least one string value is flagged,
        otherwise ``CheckResult.PASSED``.

    Side effects:
        ``self.evaluated_keys`` is progressively narrowed: the environment
        block, then the variables block, then one path per offending variable
        name on failure.
    """
    environment = conf.get("environment", [])
    if not environment or not isinstance(environment[0], dict):
        return CheckResult.PASSED
    self.evaluated_keys = ["environment"]
    variables = force_list(environment[0].get("variables", []))
    if not variables or not isinstance(variables[0], dict):
        return CheckResult.PASSED
    self.evaluated_keys = ["environment/[0]/variables"]
    # variables can be a string, which in this case it points to a variable
    offending = set()
    for name, raw_values in variables[0].items():
        for candidate in force_list(raw_values):
            if isinstance(candidate, str) and string_has_secrets(candidate, AWS, GENERAL):
                offending.add(name)
    if not offending:
        return CheckResult.PASSED
    self.evaluated_keys = [f"environment/[0]/variables/[0]/{env_key}" for env_key in offending]
    return CheckResult.FAILED
def test_does_not_consider_single_hash_as_a_secret(self):
    """A lone message digest must not be reported as a secret."""
    # SHA1 and MD5 digests, respectively.
    for digest in (
        "b5a5b36b6be8d98c6f1bea655536d67abef23be8",
        "d9de48cf0676e9edb99bd8ee1ed44a21",
    ):
        self.assertFalse(string_has_secrets(digest))